Android Framework CVE-2025-48595: KEV Local Privilege Escalation

Suspected
Discovered Jun 2, 2026

Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.

0
Affected Packages
5
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
aaebce3d8fd545d05f16cc9a137f22da8cad52c8
hXXps://android[.]googlesource[.]com/platform/external/sqlite/+/aaebce3d8fd545d05f16cc9a137f22da8cad52c8
hXXps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48595
hXXps://source[.]android[.]com/docs/security/bulletin/2026/2026-06-01
hXXps://nvd[.]nist[.]gov/vuln/detail/CVE-2025-48595

Analysis

Executive Summary

Google's June 2026 Android Security Bulletin says there are indications that CVE-2025-48595 may be under limited, targeted exploitation. The Framework vulnerability can produce code execution through an integer overflow and lead to local privilege escalation without additional execution privileges or user interaction Google Android Security Bulletin opens in a new tab.

CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-06-02, with a federal remediation due date of 2026-06-05 CISA KEV opens in a new tab. Android lists the issue as High severity and identifies Android 14, 15, 16, and 16 QPR2 as updated AOSP versions. Defenders should use the device's security patch level, not the marketing OS version alone, to determine remediation status.

Key Facts

Cve: CVE-2025-48595

Vendor: Android

Component: Framework

Vulnerability Class: integer overflow leading to code execution and local privilege escalation

Cwe: CWE-190

Android Severity: High

Cvss V3 1: 8.4 (CISA-ADP)

Affected Android Versions:

  • 14
  • 15
  • 16
  • 16 QPR2

Fixed Patch Level: 2026-06-01

Kev Added: 2026-06-02

Kev Due Date: 2026-06-05

User Interaction: not required

Additional Execution Privileges: not required

Last Verified: 2026-06-10

Evidence Assessment

  • confirmed: Google states that CVE-2025-48595 may be under limited, targeted exploitation and maps it to the 2026-06-01 patch level Google Android Security Bulletin opens in a new tab.
  • confirmed: The Android bulletin lists the CVE as Framework EoP, High severity, affecting Android 14, 15, 16, and 16 QPR2.
  • confirmed: The CVE description says an integer overflow in multiple locations can lead to code execution and local privilege escalation without user interaction NVD opens in a new tab.
  • confirmed: Public AOSP references for Android bug A-430889718 integrate SQLite 3.44.5 into affected release branches AOSP SQLite change opens in a new tab.
  • unknown: Google has not publicly identified the exploiting actor, malicious application, exploit sample, or victim count.
  • not supported: The public sources do not establish the previously described Binder transaction, buffer overwrite, or system_server exploitation path.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRequired action
Confirmed compromiseDevice forensics or vendor telemetry identifies exploitation tied to this CVE.Preserved application inventory, security telemetry, crash artifacts, and vendor findings.Isolate the device, revoke enterprise sessions, investigate the initial-access application, and re-enroll from a known-good state.
Presumed exposedAndroid 14, 15, 16, or 16 QPR2 device has a patch level before 2026-06-01.MDM-reported OS version and security patch level.Apply an OEM update containing the 2026-06-01 Android security patch level or later.
Potentially exposedAndroid version or patch level is missing or stale in inventory.Current MDM or on-device patch data.Block or restrict the device until patch state is verified.
Not exposedDevice reports the 2026-06-01 security patch level or later from its OEM.Current device patch level and OEM bulletin coverage.Record the evidence and continue normal mobile threat monitoring.

Timeline

  • 2025-08 to 2026-01: Public AOSP commits associated with Android bug A-430889718 stage and select SQLite 3.44.5 for affected release branches.
  • 2026-06-01: Google publishes the June 2026 Android Security Bulletin and notes limited, targeted exploitation.
  • 2026-06-02: CISA adds CVE-2025-48595 to KEV with a 2026-06-05 due date.
  • 2026-06-10: Sources and public patch references revalidated for this update.

Remediation and Closure

  1. Enforce the 2026-06-01 security patch level or a later OEM build that includes the fix.
  2. Prioritize devices permitted to sideload applications, handle privileged enterprise data, or lack current mobile threat-defense telemetry.
  3. For suspected exploitation, preserve installed-package lists and available security telemetry before reset or re-enrollment.
  4. Close the incident only when MDM reports a remediated build and any sessions available to a suspected compromised device have been revoked.

Sources

  1. Google: Android Security Bulletin - June 2026 opens in a new tab - Role: DIRECT_SOURCE - Impact: Exploitation note, affected Android versions, severity, patch level, and AOSP references.
  2. CISA: KEV entry for CVE-2025-48595 opens in a new tab - Role: GOVERNMENT_SOURCE - Impact: KEV date, due date, and required action.
  3. NIST NVD: CVE-2025-48595 opens in a new tab - Role: ENRICHMENT_DATA - Impact: CVE description, CWE, CVSS, and affected CPEs.
  4. AOSP: SQLite 3.44.5 integration for bug A-430889718 opens in a new tab - Role: DIRECT_SOURCE - Impact: Public patch lineage associated with the Android bug.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 2, 2026DisclosureDisclosure recorded for Android Framework CVE-2025-48595: KEV Local Privilege Escalation.nvd.nist.gov
Jun 2, 2026DiscoveryDiscovery recorded for Android Framework CVE-2025-48595: KEV Local Privilege Escalation.nvd.nist.gov
Jun 2, 2026Android Framework CVE-2025-48595: KEV Local Privilege EscalationUnknownnvd.nist.gov
Jun 2, 2026First seenFirst seen recorded for Android Framework CVE-2025-48595: KEV Local Privilege Escalation.nvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

5 IOCs
hashaaebce3d8fd545d05f16cc9a137f22da8cad52c8
urlhttps://android.googlesource.com/platform/external/sqlite/+/aaebce3d8fd545d05f16cc9a137f22da8cad52c8
urlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48595
urlhttps://source.android.com/docs/security/bulletin/2026/2026-06-01
urlhttps://nvd.nist.gov/vuln/detail/CVE-2025-48595

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Android Framework CVE-2025-48595: KEV Local Privilege Escalation?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Android Framework CVE-2025-48595: KEV Local Privilege Escalation?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-android-framework-cve-2025-48595-kev-scope"))

URLS = ["https://source.android.com/docs/security/bulletin/2026/2026-06-01","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48595","https://nvd.nist.gov/vuln/detail/CVE-2025-48595","https://android.googlesource.com/platform/external/sqlite/+/aaebce3d8fd545d05f16cc9a137f22da8cad52c8"]
HASHES = ["aaebce3d8fd545d05f16cc9a137f22da8cad52c8"]

# Collect unique indicators
indicators = set()
for group in [URLS, HASHES]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.
cisa.govSecurity Researcher95%1Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.
android.googlesource.comSecurity Researcher95%1Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.
source.android.comSecurity Researcher95%1Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.