- cross-posted to:
- cybersecurity@infosec.pub
- grapheneos@lemmy.ml
- security@lemmy.ml
June 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It’s being widely misreported in tech media as a 0-day vulnerability being exploited. That’s a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches.
Google disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 release. We noted it was already publicly fixed so it was added to our regular releases too in 2025100300.
We quickly shipped the patch after it was disclosed to OEMs by Google but we plan to do better in the future. SQLite 3.44.5 was released with this backport on 2025-07-24. We weren’t previously aware SQLite maintained upstream LTS branches for Android but our plan is to closely follow those now.
In this case, Google slipped up and took 2 months to add the patch to the security preview releases. We plan to avoid that in the future by handling this ourselves because this happens too often. It’s also a nice example of how Android Security Bulletins set extremely low expectations for OEMs.
GrapheneOS quickly ships all security preview patches. Every AOSP patch included in the Android Security Bulletins was already available in GrapheneOS for over a month. We end up shipping patches 2-3 months earlier. Google having such low expectations for OEMs and even themselves is ridiculous.
Android’s security patch system doesn’t make any sense and is completely at odds with how quickly people can discover and exploit vulnerabilities with the help of LLMs. The security preview release system would be far more reasonable if the embargo for sources and details were no more than 48 hours.
Google’s embargo system harms security for nearly all Android users by setting the expectation of patches taking 2 to 6 months for OEMs to ship after disclosure. Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense.