{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreig4urhtpaq3n6r5v5l2ytmtgszgstwi7osk7ao22hs7ql2inw45ai",
    "uri": "at://did:plc:q2k4ilmlzzrnoog5dccpqwor/app.bsky.feed.post/3mnet5yzqge62"
  },
  "path": "/post/48231531",
  "publishedAt": "2026-06-03T08:59:45.000Z",
  "site": "https://lemmy.ml",
  "tags": [
    "GrapheneOS [Unofficial]",
    "KindnessInfinity",
    "grapheneos",
    "2 comments",
    "https://grapheneos.social/@GrapheneOS/116681622144145170"
  ],
  "textContent": "submitted by KindnessInfinity to grapheneos\n11 points | 2 comments\nhttps://grapheneos.social/@GrapheneOS/116681622144145170\n\nJune 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It’s being widely misreported in tech media as a 0-day vulnerability being exploited. That’s a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches.\n\nGoogle disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 release. We noted it was already publicly fixed so it was added to our regular releases too in 2025100300.\n\nWe quickly shipped the patch after it was disclosed to OEMs by Google but we plan to do better in the future. SQLite 3.44.5 was released with this backport on 2025-07-24. We weren’t previously aware SQLite maintained upstream LTS branches for Android but our plan is to closely follow those now.\n\nIn this case, Google slipped up and took 2 months to add the patch to the security preview releases. We plan to avoid that in the future by handling this ourselves because this happens too often. It’s also a nice example of how Android Security Bulletins set extremely low expectations for OEMs.\n\nGrapheneOS quickly ships all security preview patches. Every AOSP patch included in the Android Security Bulletins was already available in GrapheneOS for over a month. We end up shipping patches 2-3 months earlier. Google having such low expectations for OEMs and even themselves is ridiculous.\n\nAndroid’s security patch system doesn’t make any sense and is completely at odds with how quickly people can discover and exploit vulnerabilities with the help of LLMs. The security preview release system would be far more reasonable if the embargo for sources and details was no more than 48 hours.\n\nGoogle’s embargo system harms security for nearly all Android users by setting the expectation of patches taking 2 to 6 months for OEMs to ship after disclosure. Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense.",
  "title": "GrapheneOS Foundation's Response To CVE-2025-48595"
}