
Android
Google's open-source mobile OS; majority of global smartphones; versions 14-16 hit by CVE-2025-48595.
Last refreshed: 7 June 2026
How quickly does a CVE-2025-48595 Android patch actually reach most users' phones?
Timeline for Android
Exposed versions 14, 15 and 16 to integer-overflow elevation-of-privilege exploitation
- How do I check which Android security update my phone has installed?
- Go to Settings, then About phone (or About device), then Android version or Security update. This shows the date of your most recent Android security patch. Compare it against the current month's Android Security Bulletin to see whether critical patches, including the one for CVE-2025-48595, have been applied.
  Source: Google Android documentation
- Why do some Android phones get security updates slower than others?
- Android's patch process goes from Google to device manufacturers (Samsung, Xiaomi, etc.), who must adapt the patch for their hardware variants, and then often to mobile carriers for network compatibility testing. This process can add weeks to months of delay beyond Google's Pixel reference timeline. Older devices may stop receiving patches entirely when manufacturers end support.
  Source: Android Open Source Project documentation, device manufacturer support policies
- What Android versions are affected by CVE-2025-48595?
- Android versions 14, 15 and 16 are affected. Android 13 and earlier are not in scope for this particular flaw. CISA confirmed active exploitation on 2 June 2026 and set a 5 June federal deadline for agencies. Users on affected versions should apply the June 2026 Android security update immediately.
  Source: CISA KEV catalogue, Android Security Bulletin June 2026
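The patch-level check from the first answer above, scripted for a device fleet rather than a single handset. This is an added example, not code from the page's sources: it reads the `ro.build.version.release` and `ro.build.version.security_patch` system properties over adb and flags devices on an affected version whose patch level predates the June 2026 bulletin. The required patch-level date (`2026-06-01`) is an assumption and should be replaced with the level the bulletin actually specifies; adb being on PATH with USB debugging authorised is also assumed.

```shell
#!/bin/sh
# Fleet check for the June 2026 Android Security Bulletin (CVE-2025-48595).
# classify_device takes the values of the Android system properties
# ro.build.version.release and ro.build.version.security_patch and prints
# one of: patched, unpatched, not-in-scope, unknown (exit status 0/1/2/3).
# REQUIRED_PATCH is an assumption: substitute the patch-level string that
# the June 2026 bulletin actually specifies.
REQUIRED_PATCH="2026-06-01"

classify_device() {
    release="$1"
    patch="$2"
    major="${release%%.*}"          # "14.1" -> "14"
    case "$major" in
        14|15|16) ;;                # versions the bulletin lists as affected
        ''|*[!0-9]*) echo unknown; return 3 ;;
        *) echo not-in-scope; return 2 ;;
    esac
    case "$patch" in                # patch levels are YYYY-MM-DD strings
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 3 ;;
    esac
    # Strip the dashes so the dates compare as integers (20260601 etc.).
    have=$(printf '%s' "$patch" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    if [ "$have" -lt "$need" ]; then
        echo unpatched; return 1
    fi
    echo patched; return 0
}

# Query every device attached via adb (assumes adb is on PATH and USB
# debugging has been authorised on each device); prints one line per device.
check_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        pat=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s\tAndroid %s\tpatch %s\t%s\n' \
            "$serial" "$rel" "$pat" "$(classify_device "$rel" "$pat")"
    done
}

# Run the fleet check only when invoked with --fleet, e.g. ./check.sh --fleet
if [ "${1:-}" = "--fleet" ]; then check_fleet; fi
```

Devices reported as unpatched are the ones an MDM quarantine policy for this KEV entry would target; not-in-scope covers Android 13 and earlier.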
Background
Android is the open-source mobile operating system developed by Google, built on the Linux kernel and licensed under the Apache 2.0 and GPL licences. It is the world's most widely deployed mobile operating system, running on an estimated 72 per cent of global smartphones, spanning devices from Google's own Pixel range through major manufacturers including Samsung, Xiaomi, Oppo and others. Android's architecture layers the Linux kernel, hardware abstraction layer (HAL), Android Runtime (ART, successor to Dalvik), and the Android Framework (a Java-based API layer managing application permissions, inter-process communication and hardware access). Applications are sandboxed via SELinux mandatory access control and the Android permission model, which requires explicit user grant for sensitive capabilities.
As covered in this briefing, Android versions 14, 15 and 16 are affected by CVE-2025-48595, an integer-overflow elevation-of-privilege flaw in the Android Framework layer that allows a malicious app to claim capabilities not granted at install time. CISA listed the flaw as actively exploited on 2 June 2026 with a 5 June federal deadline. Google's standard remediation path is the monthly Android Security Bulletin, through which the patch is distributed to Pixel devices directly and to other manufacturers via the Android Open Source Project (AOSP).
Android's fragmentation across device manufacturers and carriers means security update timelines vary significantly from the Pixel reference track. Enterprise deployments using Android Enterprise Recommended (AER) programme devices receive monthly security patches as a programme requirement, but the broader consumer Android ecosystem includes many devices that receive delayed or no updates. The KEV listing of CVE-2025-48595 specifically creates a mandatory patch obligation for US federal agencies operating Android device fleets, and may trigger Mobile Device Management (MDM) quarantine policies that lock out unpatched devices.