Google Fixes One Actively Exploited Android Zero-Day, 124 Flaws in June 2026 Update

Google's June 2026 Android security update patches 124 vulnerabilities including one zero-day flaw that has been actively exploited in targeted attacks against Android devices.

Dylan H.

News Desk

June 2, 2026

Google Fixes Actively Exploited Android Zero-Day in June 2026 Security Update

Google has released the June 2026 Android security update, patching 124 vulnerabilities across the Android ecosystem — including one zero-day flaw that has been actively exploited in targeted attacks in the wild. Android users and device manufacturers are urged to apply the update as soon as it becomes available on their devices.

The patches were published on June 2, 2026, and cover vulnerabilities affecting the Android framework, system components, kernel, and vendor-specific drivers from Qualcomm, Arm, and other chipset manufacturers.


The Actively Exploited Zero-Day

The June 2026 bulletin includes one vulnerability flagged as "under limited, targeted exploitation" — indicating that threat actors have been using the flaw in real attacks before a public patch was available.

While full technical details are withheld pending broad patch deployment, what is known:

Attribute | Value
Status | Actively exploited in the wild
Exploitation Scope | Targeted attacks (not mass exploitation)
Exploit Availability | None public — exploited only by advanced threat actors
Patch Status | Fixed in June 2026 security patch level

Zero-days exploited in targeted Android attacks are typically associated with:

  • Nation-state surveillance operations targeting journalists, dissidents, and government officials
  • Commercial spyware operators (similar to Pegasus, Predator) who develop or acquire mobile exploits
  • Advanced persistent threat (APT) groups targeting high-value individuals for intelligence collection

Full Patch Breakdown

The 124 vulnerabilities are distributed across several Android components:

Android Framework and System

Severity | Count | Examples
Critical | Several | Framework RCE, system privilege escalation
High | Majority | Information disclosure, privilege escalation
Medium | Moderate | Denial of service, lesser-impact flaws

Vendor Components

Google's June bulletin addresses vulnerabilities in components from:

  • Qualcomm — DSP, modem, and GPU driver flaws affecting Snapdragon-powered devices
  • Arm — Mali GPU driver vulnerabilities
  • MediaTek — Chipset-specific driver issues

Vendor component patches are critical because they require device manufacturer (OEM) integration before reaching end users — meaning Pixel devices receive patches first, followed by Samsung, OnePlus, and other manufacturers on their own update schedules.


Android Patch Level System

Android uses a two-part patch level date system:

Patch Level | Coverage
2026-06-01 | Core Android framework and system patches
2026-06-05 | Additional kernel and vendor component patches

Devices showing 2026-06-05 have received the most complete protection. To check your patch level:

Settings → About Phone → Android Security Patch Level

Which Devices Are Affected?

The June 2026 patches affect Android versions that are still within Google's support window. Android 12, 13, 14, and 15 receive security patches; older versions are end-of-life and will not receive fixes.

Update Timeline by Manufacturer

Manufacturer | Typical Delay After Google Bulletin
Google Pixel | Same day (immediate via OTA)
Samsung Galaxy | 1–4 weeks (Galaxy flagships first)
OnePlus / OPPO | 2–6 weeks
Xiaomi / Redmi | 2–8 weeks
Other OEMs | Varies widely — some may never patch

Risk Context

Why Mobile Zero-Days Matter

Android zero-day vulnerabilities — especially those exploited before public disclosure — represent a significant threat because:

  1. Billions of targets: Android runs on approximately 3 billion active devices globally
  2. Always-on sensors: Smartphones carry microphones, cameras, location data, and sensitive communications
  3. Corporate access: Enterprise mobile devices access email, VPN, cloud storage, and internal applications
  4. Delayed patching: The Android ecosystem's fragmented update model means millions of devices remain vulnerable for weeks or months after patches are released

Nation-State and Spyware Context

Targeted exploitation of Android zero-days has been linked historically to:

  • NSO Group's Pegasus spyware — exploited iOS and Android zero-days for covert surveillance
  • Intellexa's Predator spyware — similarly leveraged mobile zero-days
  • APT groups including those linked to China (APT41), Russia (Sandworm), and Iran — all of which have demonstrated mobile exploitation capabilities

Recommended Actions

For Individual Users

  1. Update immediately — Check Settings → System → Software Update and apply the June 2026 patch when available for your device
  2. Enable automatic updates — Enable automatic security update installation where supported
  3. Prioritize Pixel devices — If you are a high-risk individual (journalist, activist, executive), consider using Google Pixel for faster patch delivery
  4. Use Google Play Protect — Ensure Play Protect is enabled to detect malicious apps that may exploit device vulnerabilities

For Enterprise Security Teams

  1. Inventory all Android devices — Including BYOD devices that access corporate resources

  2. Enforce minimum patch level — Use MDM/EMM solutions (Intune, Jamf, VMware Workspace ONE) to require June 2026 patch level before granting access to corporate resources:

    MDM Policy: Require Android Security Patch Level >= 2026-06-05
    Action on non-compliant: Block corporate email / VPN access
    
  3. Prioritize high-risk users — Executives, legal, finance, and IT teams should be on the fastest update track

  4. Monitor threat intelligence — Track any CVE disclosures from this bulletin that may later develop into mass exploitation
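
The minimum-patch-level policy from step 2, written out as an added example (not code from the article or from any MDM product): it classifies a device inventory against the two June 2026 patch levels and fails closed on unsupported Android versions or unreadable patch strings. The record fields (`id`, `android_version`, `security_patch`) and the sample inventory are assumptions constructed for illustration.

```python
from datetime import date

# Thresholds taken from the article's patch level table and support window.
FRAMEWORK_LEVEL = date(2026, 6, 1)   # core framework and system patches
FULL_LEVEL = date(2026, 6, 5)        # adds kernel and vendor component patches
MIN_SUPPORTED_ANDROID = 12           # Android 11 and below receive no fixes


def classify(device):
    """Return (status, action) for one inventory record (hypothetical schema)."""
    if device["android_version"] < MIN_SUPPORTED_ANDROID:
        # End-of-life release: no patch level can make it compliant.
        return "unsupported", "block"
    try:
        # security_patch is the YYYY-MM-DD string shown under
        # "Android Security Patch Level" on the device.
        level = date.fromisoformat(device["security_patch"])
    except (KeyError, TypeError, ValueError):
        # Missing or malformed value: fail closed rather than assume patched.
        return "unknown", "block"
    if level >= FULL_LEVEL:
        return "compliant", "allow"
    if level >= FRAMEWORK_LEVEL:
        # Framework fixes present, kernel and vendor fixes still missing.
        return "partial", "block"
    return "outdated", "block"


def evaluate(inventory):
    """Map each device id to its (status, action) decision."""
    return {d["id"]: classify(d) for d in inventory}


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    {"id": "pixel-001", "android_version": 15, "security_patch": "2026-06-05"},
    {"id": "galaxy-014", "android_version": 14, "security_patch": "2026-06-01"},
    {"id": "oneplus-007", "android_version": 13, "security_patch": "2026-05-05"},
    {"id": "legacy-003", "android_version": 11, "security_patch": "2023-02-05"},
    {"id": "byod-022", "android_version": 14, "security_patch": ""},
]

if __name__ == "__main__":
    for dev_id, (status, action) in evaluate(SAMPLE_INVENTORY).items():
        print(f"{dev_id:12} {status:12} {action}")
```

The "partial" status separates devices that stopped at 2026-06-01 from those that are simply outdated, which helps when tracking OEMs that ship the framework level before the kernel and vendor level.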


Historical Context

Android zero-days patched in recent months have followed a pattern of targeted nation-state exploitation followed by broader criminal adoption. The June 2026 zero-day underscores the need for rapid mobile patching as part of any comprehensive security program.


Key Takeaways

  1. Google's June 2026 Android update patches 124 vulnerabilities including one actively exploited zero-day
  2. The zero-day has been used in targeted attacks — likely by nation-state or commercial spyware actors
  3. Pixel devices receive the patch immediately; other Android OEMs follow on their own schedules
  4. Organizations should enforce minimum patch levels via MDM to protect corporate-connected Android devices
  5. Android users on unsupported versions (Android 11 and below) will not receive patches and should upgrade devices

Sources

  • BleepingComputer — Google fixes one actively exploited Android zero-day, 124 flaws
  • Android Security Bulletin — June 2026
  • Google Pixel Security Bulletins