CVE-2025-48595 · In multiple locations, there is a possible way to achieve code execution due to an integer overflow.

01 · The Real Story

This is a master-key flaw that only matters after someone is already standing in the hallway

CVE-2025-48595 is an Android Framework integer overflow that can be turned into code execution and local privilege escalation with no extra privileges and no user interaction once the attacker has code running on the device. Google lists affected AOSP versions as Android 14, 15, 16, and 16-qpr2, and the fix is included in the June 1, 2026 Android security patch level or later.

The vendor's HIGH 8.4 is directionally right, but the raw CVSS still overstates broad enterprise blast radius because AV:L means this is not an internet-reachable initial-access bug. The thing that keeps it firmly important is not the math bug itself; it is the combination of KEV listing, Google's note of limited targeted exploitation, and Android's long-tail patch lag across OEM fleets.

"Real-world risk is high because it's exploited, but local-only keeps this out of CRITICAL territory."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code execution on the device

The attacker first needs code running locally on the Android handset or tablet. In practice that usually means a malicious APK, a prior browser/app sandbox escape, or a spyware-style foothold delivered through another vulnerability chain; there is no evidence this CVE alone gives remote entry.

Conditions required:

Target is running affected Android 14/15/16 builds
Attacker can execute local code on the device
Enterprise controls allow sideloading, a malicious app, or another local foothold

Where this breaks in practice:

This is post-initial-access by definition because the attacker needs a local execution context first
Managed Play Store allowlists, Play Protect, MDM app controls, and mobile threat defense reduce reachable population
Corporate Android fleets are often a minority platform compared with Windows/macOS endpoints

Detection/coverage: Traditional network scanners will miss this step entirely. Coverage is best through MDM/mobile threat defense telemetry, Play Protect alerts, and app-install/sideload event monitoring.

STEP 02

Trigger the Framework integer overflow

From the local foothold, the attacker interacts with vulnerable Android Framework code and drives the integer overflow into a useful memory-corruption state. No user click is required at exploitation time, which removes one common break in the chain once the attacker already has a process on-device.

Conditions required:

The local process can reach the vulnerable Framework code path
Target build has not received the June 2026 fix
Exploit is compatible with the OEM's shipping build

Where this breaks in practice:

Android exploit reliability varies by OEM customization, build fingerprint, and hardening state
The bulletin does not publish a public technical root-cause write-up or patch diff for easy weaponization
No broadly circulating public PoC was found in the reviewed sources

Detection/coverage: Exploit-attempt detection is weak unless you have mobile EDR or forensic telemetry. Vulnerability scanners mostly fall back to OS/security patch level checks.

STEP 03

Escalate privileges and break containment

Successful exploitation yields local privilege escalation, letting the attacker escape the original app/process trust boundary and gain broader control of the device. That materially increases access to enterprise mail, chat, tokens, stored credentials, and work profile data resident on the handset.

Conditions required:

Overflow is exploited successfully on the specific device build
Relevant secrets or enterprise apps are present on the handset
Attacker can operate post-exploitation without immediate containment

Where this breaks in practice:

Work profile separation, hardware-backed keystores, and MDM policy still constrain some post-exploitation paths
The blast radius is one device at a time, not an internet-scale service compromise
Stolen value depends on whether the device actually holds corporate data and active sessions

Detection/coverage: Look for device compromise indicators from mobile threat defense, unusual app privilege behavior, credential reuse from mobile-origin IPs, and anomalous access from Android-managed identities.

STEP 04

Use the device as an enterprise access broker

Once elevated, the attacker can pivot from endpoint control into identity abuse: session theft, MFA prompt interception, mailbox access, chat data collection, and VPN or SSO token replay where mobile apps cache credentials. This is where a 'local Android bug' becomes a real enterprise incident.

Conditions required:

Compromised device is enrolled for work or used for corporate access
Tokens, cookies, or app secrets are accessible after escalation
Conditional access does not fully bind sessions to healthy device state

Where this breaks in practice:

Zero Trust and device-compliance checks can reduce post-exploitation usefulness
Per-app VPN, certificate auth, and re-auth requirements can slow the attacker
Many organizations can remotely wipe or quarantine unhealthy devices quickly

Detection/coverage: Identity telemetry helps more than vuln telemetry here: impossible travel, new Android device posture changes, token replay anomalies, and MDM non-compliance transitions.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Yes. Google says there are indications of limited, targeted exploitation in the June 1, 2026 Android bulletin.
KEV status	Listed in CISA KEV on 2026-06-02 as Android Framework Integer Overflow Vulnerability; NVD shows a due date of 2026-06-05 for federal action.
Proof-of-concept availability	No broad public PoC or weaponized GitHub exploit was found in the reviewed sources. That lowers opportunistic abuse, but KEV means somebody already has working tradecraft.
EPSS	Supplied intel gives 0.00006, which is extremely low and highlights how EPSS can underweight local/mobile zero-days that are used in targeted operations.
CVSS meaning	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` means local, low-complexity exploitation with no privileges or user action once code is on the device; the biggest downward pressure is the local-only precondition.
Affected versions	Google lists affected AOSP versions as Android 14, 15, 16, and 16-qpr2.
Fixed version	Addressed by Android security patch level 2026-06-01 or later; devices on 2026-06-05 also include all earlier June bulletin fixes.
Scanning / exposure reality	This is not an externally scannable network service flaw. Internet exposure tools like Shodan/Censys/GreyNoise are the wrong lens; exposure tracking should be done from MDM inventory, Android security patch level, and Play Protect / mobile threat defense telemetry.
Disclosure date	2026-06-01 in the Android bulletin and CVE publication record.
Reporting / attribution	Public sources reviewed do not name a researcher or threat group. Google only discloses that exploitation appears limited and targeted.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (7.5/10)

The decisive factor is that this bug is local-only, which means it is inherently a post-compromise privilege-escalation issue rather than an initial-access event. It stays HIGH instead of MEDIUM because Google reports active targeted exploitation and CISA has already KEV-listed it, which means this is not theoretical lab-only risk.

HIGH Affected Android version range and patch-level guidance

HIGH Active exploitation / KEV status

MEDIUM Public exploit maturity and exact attacker tradecraft

Why this verdict

Downgrade for attacker position: AV:L requires local code execution on the handset, so this is post-initial-access, not a remotely reachable fleet-wide breach primitive.
Downward pressure from exposure population: only Android 14/15/16/16-qpr2 devices are affected, and only the subset that are both unpatched and meaningful corporate access devices matter operationally.
Upward pressure from exploitation evidence: Google says exploitation is already occurring and CISA added it to KEV on 2026-06-02, which outweighs the very low EPSS signal.
Downward pressure from operational friction: mobile app controls, Play Protect, MDM allowlists, and work-profile policies block many commodity delivery paths that would otherwise make a local EoP far worse.
Upward pressure from business impact: on a compromised work device, successful LPE can unlock mailbox, chat, tokens, and identity artifacts that turn one phone compromise into broader enterprise access abuse.

Why not higher?

This is not CRITICAL because there is no evidence the CVE itself provides unauthenticated remote reachability, wormability, or broad one-to-many blast radius. The attacker must already have a foothold on each target device, and exploit reliability in Android land is usually build- and OEM-sensitive.

Why not lower?

This is not MEDIUM or LOW because the exploitation question is already settled: KEV-listed plus Google's targeted exploitation note means real adversaries found value here. On enterprises that allow Android access to mail, chat, SSO, and MFA workflows, a single-device local EoP can produce outsized identity and data impact.

05 · Compensating Control

What to do — in priority order.

Block sideloading — Disable unknown-source installs and tighten enterprise app allowlists to reduce the most likely local foothold path. Because this is KEV-listed / actively exploited, deploy this immediately, within hours on managed Android populations that cannot be patched at once.
Enforce patch-level compliance — Use MDM / Android Enterprise compliance rules to quarantine or restrict access for devices below 2026-06-01 Android security patch level. Because this is active exploitation, apply the access gate immediately, within hours rather than waiting for the standard HIGH mitigation window.
Require Play Protect and mobile threat defense — Keep Google Play Protect enabled and ingest mobile threat defense telemetry to catch malicious apps and post-compromise behaviors that can serve as the prerequisite for this LPE. Enforce this immediately, within hours for any fleet that allows Android access to corporate identity or mail.
Limit mobile token value — Shorten session lifetime, require device-compliance checks for sensitive apps, and prefer phishing-resistant or hardware-bound auth where possible so an elevated mobile compromise yields less reusable identity material. For a HIGH finding, institutionalize these controls within 30 days, even if emergency mitigations go live sooner.
Quarantine stale Android builds — Create a dynamic group for Android 14/15/16 devices with patch levels earlier than 2026-06-01 and restrict them from mail, VPN, or admin portals until updated. For this KEV-backed case, start enforcement immediately, within hours.

What doesn't work

A WAF does not help because there is no network-facing web transaction to filter.
Perimeter vulnerability scanning does not meaningfully detect this; the right control plane is MDM/mobile inventory, not internet-facing scan data.
MFA alone is not enough because a privileged device compromise may still steal existing tokens, app data, or session material after login.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed, against a USB- or network-connected Android device. Invoke it as ./check_cve_2025_48595.sh SERIAL (example: ./check_cve_2025_48595.sh R58N12345AB) or omit the serial if only one device is attached; no root is required, but the device must allow adb shell access.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2025_48595.sh
# Determine likely exposure to CVE-2025-48595 using Android version and security patch level.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=tool/runtime error

set -u

TARGET_PATCH="2026-06-01"
SERIAL="${1:-}"
ADB_BASE=(adb)
if [[ -n "$SERIAL" ]]; then
  ADB_BASE+=( -s "$SERIAL" )
fi

need_cmd() {
  command -v "$1" >/dev/null 2>&1
}

getprop_safe() {
  local prop="$1"
  "${ADB_BASE[@]}" shell getprop "$prop" 2>/dev/null | tr -d '\r'
}

normalize_patch() {
  # Accept YYYY-MM-DD only
  local p="$1"
  if [[ "$p" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
    printf '%s' "$p"
  else
    printf ''
  fi
}

main() {
  if ! need_cmd adb; then
    echo "UNKNOWN - adb not installed"
    exit 3
  fi

  if ! "${ADB_BASE[@]}" get-state >/dev/null 2>&1; then
    echo "UNKNOWN - no adb device available or unauthorized"
    exit 2
  fi

  local android_release sdk patch fingerprint model
  android_release="$(getprop_safe ro.build.version.release)"
  sdk="$(getprop_safe ro.build.version.sdk)"
  patch="$(getprop_safe ro.build.version.security_patch)"
  fingerprint="$(getprop_safe ro.build.fingerprint)"
  model="$(getprop_safe ro.product.model)"

  patch="$(normalize_patch "$patch")"

  # Affected versions per Android bulletin: 14, 15, 16, 16-qpr2.
  # We key primarily on SDK / release and then on security patch level.
  local affected_version="false"
  case "$sdk" in
    34|35|36)
      affected_version="true"
      ;;
    *)
      # Fallback to release string if SDK missing/unusual
      case "$android_release" in
        14*|15*|16*) affected_version="true" ;;
      esac
      ;;
  esac

  if [[ "$affected_version" != "true" ]]; then
    echo "PATCHED - device is not in the known affected Android 14/15/16 range (model=$model sdk=$sdk release=$android_release patch=${patch:-unknown})"
    exit 0
  fi

  if [[ -z "$patch" ]]; then
    echo "UNKNOWN - affected Android version but security patch level unavailable (model=$model sdk=$sdk release=$android_release fingerprint=$fingerprint)"
    exit 2
  fi

  if [[ "$patch" < "$TARGET_PATCH" ]]; then
    echo "VULNERABLE - affected Android version with security patch level earlier than $TARGET_PATCH (model=$model sdk=$sdk release=$android_release patch=$patch fingerprint=$fingerprint)"
    exit 1
  else
    echo "PATCHED - affected Android version but security patch level is $patch, which is >= $TARGET_PATCH (model=$model sdk=$sdk release=$android_release fingerprint=$fingerprint)"
    exit 0
  fi
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull an MDM inventory of all Android 14/15/16 devices, quarantine anything below 2026-06-01 patch level from sensitive apps, and shut down sideloading where policy allows. Because this CVE is KEV-listed / actively exploited, override the normal HIGH mitigation window and patch / mitigate immediately, within hours; that is your practical noisgate mitigation SLA here. Then drive the actual OTA/vendor update rollout fleet-wide under the noisgate remediation SLA for HIGH findings, which is ≤180 days, but do not treat that outer limit as permission to leave high-value Android users exposed if patches are already available from the OEM.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.