CVE-2025-48595 is the one to watch: a high-severity (CVSS 8.4) integer overflow in the Android Framework that allows privilege escalation, affecting Android 14, 15, 16, and 16 QPR2. It was already being used in targeted attacks before the patch dropped. The bulletin ships in two patch levels — 2026-06-01 and 2026-06-05 — and Pixel devices get it first, as usual. One hundred and twenty-four CVEs is a heavy month. If your team manages Android builds or has a bring-your-own-device policy, this is the bulletin to act on quickly — the confirmed exploitation makes it higher priority than a typical monthly drop.
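A fleet check against the two patch levels named above, as an added example that is not part of the original article: it buckets devices by reported security patch level and Android release. The inventory, device names and bucket labels are constructed for illustration. Because the text does not say which of the two levels carries the CVE-2025-48595 fix, anything short of 2026-06-05 is flagged for follow-up.

```python
import csv
import io
import re
from datetime import date

# Values taken from the paragraph above.
PATCH_LEVELS = (date(2026, 6, 1), date(2026, 6, 5))
AFFECTED_MAJOR = {14, 15, 16}  # assumption: "16 QPR2" still reports release 16

# Constructed sample inventory (hypothetical device names), e.g. collected with
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
SAMPLE_INVENTORY = """device,release,security_patch
pixel-lab-01,16,2026-06-05
byod-0042,15,2026-05-01
byod-0107,14,2026-06-01
kiosk-03,13,2025-11-01
byod-0311,16,
"""

def classify(release: str, patch: str) -> str:
    """Return the triage bucket for one device."""
    major = re.match(r"\s*(\d+)", release)
    try:
        level = date.fromisoformat(patch.strip())
    except ValueError:
        return "unknown"   # missing or malformed patch level: check by hand
    if level >= PATCH_LEVELS[1]:
        return "current"   # full bulletin applied
    if level >= PATCH_LEVELS[0]:
        return "partial"   # first patch level only
    if major and int(major.group(1)) in AFFECTED_MAJOR:
        return "exposed"   # affected release that predates the bulletin
    return "outdated"      # predates the bulletin, release not listed as affected

def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Group device names by bucket, most urgent bucket first."""
    buckets = {"exposed": [], "partial": [], "unknown": [], "outdated": [], "current": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        bucket = classify(row["release"] or "", row["security_patch"] or "")
        buckets[bucket].append(row["device"])
    return buckets

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9} {', '.join(devices) or '-'}")
```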