CVE-2025-48595 is a high-severity (CVSS 8.4) integer overflow in the Android Framework that lets a local attacker escalate privileges to code execution, with no user interaction required. It affects Android 14, 15, 16, and 16 QPR2. Pixel devices receive the patch immediately via the 2026-06-01 and 2026-06-05 patch levels; OEM rollout will lag by weeks or months depending on the vendor. On June 2, the same day Google published the bulletin, CISA added CVE-2025-48595 to the Known Exploited Vulnerabilities catalog, alongside the four-year-old CVE-2022-0492 Linux kernel improper authentication bug. The Linux kernel entry is a reminder that KEV additions aren't always fresh discoveries; that one has been in the wild since 2022. FCEB agencies face the standard 21-day patch deadline; everyone else should treat the Android fix as urgent given the confirmed exploitation.