
Google Patches 124 Android Vulnerabilities Including Actively Exploited Privilege Escalation Zero-Day

Source: The Hacker News

Google released its June 2026 Android security update on June 2, addressing 124 vulnerabilities across two patch levels. The update applies to Android 14, 15, 16, and the 16-QPR2 quarterly platform release. One vulnerability in the batch is already being exploited in limited, targeted attacks – a classification that typically means nation-state or sophisticated criminal actors are actively using the flaw before the patch reached end-user devices.

The zero-day: CVE-2025-48595

The actively exploited vulnerability is tracked as CVE-2025-48595 and carries a CVSS score of 8.4. It is an integer overflow flaw in the Android Framework component, which handles core operating system services shared across all applications running on the device.

The critical detail for enterprise risk assessment is that exploitation requires no user interaction. An attacker who can execute code at a lower privilege level on the device – through a malicious application, a browser exploit, or another initial access vector – can use this vulnerability to escalate to full system-level privileges without the device owner doing anything at all. Full system privilege on an Android device means access to all data, all credentials stored in the keychain, all network traffic from applications, camera, microphone, and location services.

The vulnerability is present in all four currently supported Android versions, meaning the exposure spans the majority of the managed Android device fleet in any enterprise that has not yet applied the June patch.

Two patch levels, one deadline

Google’s June 2026 update ships in two tiers. Devices running patch level 2026-06-01 receive fixes for core Android OS vulnerabilities. Devices running 2026-06-05 or later receive the complete set, including fixes for kernel and chipset components that require device-specific OEM packaging.

For enterprise MDM enforcement, this distinction matters: a policy requiring devices to run patch level 2026-06-01 or later will remediate CVE-2025-48595 and the other Framework vulnerabilities, but will not address kernel-level issues in the second patch tier. The more protective target for MDM minimum patch level enforcement is 2026-06-05.

The practical constraint is OEM delay. Google Pixel devices typically receive the full update within days of the bulletin. Samsung, OnePlus, Xiaomi, and other Android OEMs are contractually required to ship security patches within 90 days of the bulletin, but in practice many ship within two to three weeks. Some enterprise-grade devices from Samsung and Nokia have historically been faster due to their own enterprise security commitments.

Why this matters under GDPR and NIS2

For European organisations, the regulatory dimension of unpatched mobile vulnerabilities is concrete rather than theoretical.

Under GDPR Article 32, organisations must implement appropriate technical measures to ensure a level of security appropriate to the risk. A known, actively exploited privilege escalation vulnerability on devices that access corporate email, HR systems, customer relationship management tools, or any other system processing personal data is exactly the kind of risk Article 32 is designed to address. If a breach occurs because a device running an unpatched Android version is compromised via CVE-2025-48595 and personal data is exfiltrated, the unpatched state of the device fleet will be a relevant factor in any supervisory authority investigation of whether Article 32 was complied with.

Under NIS2, organisations in sectors classified as essential or important are required to maintain appropriate security hygiene across their systems and devices. Mobile devices used by staff to access operational technology systems, critical infrastructure management interfaces, or sector-specific tools fall within scope of those obligations.

The June 2026 Android patch cycle is not a routine update. It contains a zero-day under active exploitation with a critical attack profile. The appropriate response is not to treat it like a background maintenance task.

What enterprise mobile teams should do now

Set an MDM patch level minimum immediately. If your MDM platform – whether that is Microsoft Intune, Jamf, IBM MaaS360, or another solution – supports conditional access based on Android patch level, configure a policy that restricts access to corporate applications and email from devices running a patch level older than 2026-06-01. Devices that have not updated by a defined deadline should be quarantined from corporate resources until they do.

Identify devices that cannot receive the update. Some older Android devices on the managed fleet may be running Android 13 or earlier and will not receive the June patch. Android 13 reached end-of-life for Google security updates in October 2025. Any such device that still has access to corporate data is now running an operating system with no security update path – which is a compliance and insurance risk. Those devices should be identified, flagged, and removed from corporate access.
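The patch-level triage described in the two paragraphs above (and the 2026-06-01 versus 2026-06-05 tier distinction explained earlier) can be run over an MDM inventory export. The following is an added example, not code from the article or from any MDM vendor; it assumes the export carries each device's Android major version and the `ro.build.version.security_patch` string, and the device records are constructed samples.

```python
from dataclasses import dataclass
from datetime import date

# Patch levels from the June 2026 bulletin as described in the article.
CORE_PATCH_LEVEL = date(2026, 6, 1)   # Framework fixes, including CVE-2025-48595
FULL_PATCH_LEVEL = date(2026, 6, 5)   # adds kernel and chipset (OEM-packaged) fixes
OLDEST_SUPPORTED_ANDROID = 14         # Android 13 and earlier receive no June patch


@dataclass
class Device:
    device_id: str
    android_version: int
    security_patch: str  # ro.build.version.security_patch, formatted YYYY-MM-DD


def parse_patch_level(value: str) -> date:
    """Parse the YYYY-MM-DD patch level Android reports.
    Malformed values raise ValueError so they are surfaced, not silently trusted."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def assess(device: Device, minimum: date = CORE_PATCH_LEVEL) -> str:
    """Classify one device for a conditional-access policy.
    Returns 'unsupported', 'quarantine', 'core-only' or 'compliant'."""
    if device.android_version < OLDEST_SUPPORTED_ANDROID:
        return "unsupported"   # no update path: remove from corporate access
    patch = parse_patch_level(device.security_patch)
    if patch < minimum:
        return "quarantine"    # still exposed to CVE-2025-48595
    if patch < FULL_PATCH_LEVEL:
        return "core-only"     # Framework fixed, kernel/chipset fixes still pending
    return "compliant"


def triage(fleet, minimum: date = CORE_PATCH_LEVEL) -> dict:
    """Group device ids by policy outcome; pass FULL_PATCH_LEVEL as minimum for
    the more protective 2026-06-05 enforcement target."""
    report = {"unsupported": [], "quarantine": [], "core-only": [], "compliant": []}
    for device in fleet:
        report[assess(device, minimum)].append(device.device_id)
    return report


# Constructed sample inventory (hypothetical devices, not real telemetry).
SAMPLE_FLEET = [
    Device("pixel-01", 16, "2026-06-05"),
    Device("galaxy-02", 15, "2026-06-01"),
    Device("oneplus-03", 14, "2026-05-01"),
    Device("legacy-04", 13, "2025-10-01"),
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_FLEET).items():
        print(f"{status:12} {', '.join(ids) or '-'}")
```

Devices landing in "quarantine" or "unsupported" are the ones the MDM policy should cut off from corporate applications and email; "core-only" devices are remediated against the zero-day but still lack the second-tier kernel fixes.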

Review application permissions on managed devices. The attack chain for CVE-2025-48595 requires an initial foothold on the device at a lower privilege level. Reducing the attack surface means auditing which third-party applications are permitted on managed devices, enforcing a corporate app whitelist, and reviewing which applications have been granted sensitive permissions such as accessibility services or device administrator rights – both of which are common vectors for the initial foothold that leads to a privilege escalation exploit.

Document the patch management action in your security records. For organisations subject to NIS2 or DORA, maintaining documented evidence that you identified a critical vulnerability and took timely action is part of demonstrating compliance. Record the patch deployment timeline, the MDM policy changes made, and the list of devices that were quarantined for non-compliance.

Check your MDR or EDR coverage for Android. Many endpoint detection and response platforms cover Windows and macOS but have limited or no telemetry from Android devices. If your mobile device fleet is outside your security monitoring perimeter, a compromised device may not trigger any alert. Review whether your current security tooling gives you visibility into Android device behaviour and whether the June patch creates an opportunity to close that gap.

If you need help building an Android patch management policy, configuring conditional access enforcement in your MDM platform, or assessing your organisation’s mobile security posture against GDPR and NIS2 obligations, contact Excello Digital. We help European organisations close the gap between mobile device management and regulatory compliance requirements.
