"Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense." (opens in new tab)

cross-posted from: [ > June 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It’s being widely misreported in tech media as a 0-day vulnerability being exploited. That’s a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches. > > Google disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 ...