
CVE-2025-48595

Android Framework integer-overflow flaw (CVSS 8.4) enabling local elevation of privilege across Android 14, 15 and 16.

Last refreshed: 7 June 2026

Key Question

How does CVE-2025-48595 let a malicious Android app take full device control?

Timeline for CVE-2025-48595

#6 · 2 Jun: Old Linux container bug back in the wild (topic: Cybersecurity: Threats and Defences)
Common Questions

What does CVE-2025-48595 do to an Android phone?

CVE-2025-48595 allows a malicious app already installed on an Android 14, 15 or 16 device to silently elevate its own privileges to administrator level. It exploits an integer overflow in the Android Framework's permission-boundary code, bypassing the checks that normally prevent apps from accessing calls, messages, camera and location data without explicit user permission.
Source: CISA KEV advisory, BleepingComputer

Which Android versions are affected by CVE-2025-48595?

Android versions 14, 15 and 16 are confirmed affected. Android 13 and earlier are not in scope for this flaw. Apply the June 2026 Android security update to be protected.
Source: CISA KEV catalogue

Do I need to update my Android phone because of CVE-2025-48595?

Yes, if your device runs Android 14, 15 or 16. CISA confirmed active exploitation in the wild on 2 June 2026. Go to Settings, Security, and apply any pending Android security updates. Avoid installing apps from outside Google Play until the update is applied.
Source: CISA BOD 22-01 guidance

Background

CVE-2025-48595 is an integer-overflow elevation-of-privilege vulnerability in the Android Framework, the Java-based abstraction layer above the Linux kernel that manages application permissions and inter-process communication on Android devices. The flaw affects Android versions 14, 15 and 16 and carries a CVSS score of 8.4 (High). An attacker with an app already installed on the device can trigger the integer overflow in a permission-boundary calculation, silently claiming capabilities not granted at install time and bypassing both Google Play Protect attestation and Android's mandatory access control (SELinux) where the overflow corrupts a capability index. CISA added it to the Known Exploited Vulnerabilities catalogue on 2 June 2026 with a 5 June federal deadline.
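The page describes the flaw only at the level of "an integer overflow in a permission-boundary calculation that corrupts a capability index". The following is an added, constructed illustration of that bug class and its fix; it is not the Android Framework's code and nothing in it is taken from the CVE. It assumes a hypothetical table of capability slots addressed by a 32-bit byte offset computed as base + count * stride, with the size (CAP_TABLE_LEN, CAP_STRIDE) and the function names chosen here for the example. The unchecked variant performs the range check only after the 32-bit arithmetic has already wrapped, so an oversized request can land on a small, in-range index; the hardened variant uses the compiler's overflow-checking builtins (GCC and Clang) to reject the request before the index is ever formed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example values: 64 capability slots of 16 bytes each. */
#define CAP_TABLE_LEN 64u
#define CAP_STRIDE    16u

/*
 * Weak pattern: the offset is computed in 32-bit unsigned arithmetic,
 * which wraps modulo 2^32 on overflow, and the range check runs only on
 * the already-wrapped result. Returns the slot index, or -1 if rejected.
 */
int64_t cap_index_unchecked(uint32_t base, uint32_t count)
{
    uint32_t offset = base + count * CAP_STRIDE;   /* may wrap silently */
    uint32_t idx = offset / CAP_STRIDE;
    if (idx >= CAP_TABLE_LEN)
        return -1;
    return (int64_t)idx;
}

/*
 * Hardened pattern: every arithmetic step is overflow-checked, so a
 * request whose true offset does not fit in 32 bits is rejected before
 * any index is derived from it. Same return convention as above.
 */
int64_t cap_index_checked(uint32_t base, uint32_t count)
{
    uint32_t prod, offset;
    if (__builtin_mul_overflow(count, CAP_STRIDE, &prod))
        return -1;                                  /* count * stride overflowed */
    if (__builtin_add_overflow(base, prod, &offset))
        return -1;                                  /* base + prod overflowed */
    uint32_t idx = offset / CAP_STRIDE;
    if (idx >= CAP_TABLE_LEN)
        return -1;
    return (int64_t)idx;
}

int main(void)
{
    /* Legitimate request: slot 2 plus one stride -> slot 3 in both variants. */
    printf("legit     unchecked=%lld checked=%lld\n",
           (long long)cap_index_unchecked(32, 1),
           (long long)cap_index_checked(32, 1));

    /* Oversized request: 0x10000000 * 16 == 2^32 wraps to 0, so the
     * unchecked variant reports slot 2 as if the request were in range. */
    printf("oversized unchecked=%lld checked=%lld\n",
           (long long)cap_index_unchecked(32, 0x10000000u),
           (long long)cap_index_checked(32, 0x10000000u));
    return 0;
}
```

The same shape applies in Java, where int arithmetic also wraps silently: the equivalent fix is Math.multiplyExact and Math.addExact, which throw ArithmeticException instead of producing a wrapped value. In either language, the defensive rule is to validate the operands (or use checked arithmetic) before the value is used as an index, not after.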

The specific malicious app or apps used in confirmed exploitation cases have not been publicly identified; it is unknown whether exploitation required sideloaded apps or whether Google Play Protect was bypassed. Android Enterprise Recommended (AER) fleet operators face policy-compliance exposure: KEV-listed Android elevation-of-privilege flaws may trigger Mobile Device Management (MDM) quarantine policies that lock out unpatched devices. Google's standard monthly Android Security Bulletin process applies; affected users should install any pending security updates immediately.

CVE-2025-48595 was listed alongside CVE-2022-0492, a Linux container-escape flaw, in the same 2 June CISA batch, a pairing that reflects CISA's move toward OS-agnostic KEV batching. Landing both in one batch intensifies contention for patching resources in enterprise security teams that manage server and mobile fleets at the same time, a pressure that is amplified for organisations that have not separated their Android Enterprise and server patching cycles.

Source Material