73 comments

  • ptx an hour ago

    Never mind the December security patches, Samsung haven't even released the November patches yet, the ones for the critical severity RCE. Unless you have a "major flagship model" [1], because apparently only the richest users deserve to be secure.

    [1] https://security.samsungmobile.com/securityUpdate.smsb

    • j45 a minute ago

      Samsung for the longest time was releasing updates way too late, and what they were releasing monthly was old patches.

      Buying a device directly from Samsung may be different, but the manufacturer still has to usually convert the pure android update to their branch.

      Still, trying to find a pure android phone is important. More manufacturers used to make them.

      Example: https://www.androidauthority.com/best-smartphones-stock-andr...

    • JohnTHaller 19 minutes ago

      Google Pixel 7 and Pixel 7 Pro are still stuck on the October patches.

  • xnx 4 hours ago

    No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

    • bigbadfeline 3 hours ago

      > Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

      Being reliant on a single OS permanently nailed to the hardware is no less crazy. I'd like to be able to install another OS on a vulnerable device; it would help tremendously and not only with the security of that specific device.

      Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

      Provide a way to unlock the phones and a standard BSP; it should be the law.

      • chasil an hour ago

        If you are buying now, you want a device on a v5 Linux kernel with BPF support, where the bootloader can be unlocked and VoLTE is implemented in the 3rd-party ROM.

        LineageOS has a build roster of current devices at this URL:

        https://lineageos.org/Changelog-30/

        The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).

        Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extremely inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).

        If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.

      • edoceo 2 hours ago

        Please try to e-recycle rather than normal land-fill trash.

        • secstate an hour ago

          e-recycling is only marginally better than a landfill. At least a landfill in a pseudo-regulated government economy has the chance to be safely abated in 100 years. Though a few things of value are sometimes extracted, mostly it all ends up in places like Turkey or India and is burned or buried.

          Sorry for the cynical take, but patronizing folks like this is worse than cynicism because it suggests that you actually believe what you're saying is true.

    • JohnTHaller 17 minutes ago

      I switched away from my flagship Samsung tablet when they pushed it to quarterly updates, meaning security issues often went unpatched for a while. In the fine print of the "X years of updates" they mention that they switch devices to updates only every 3 months and then every 6 months down the road.

    • ChocolateGod 3 hours ago

      I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.

      • shwaj 3 hours ago

        It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?

        • jcranmer 3 hours ago

          As Randall Munroe pointed out in https://blog.xkcd.com/2010/05/03/color-survey-results/, almost nobody knows how to spell "fuchsia" correctly. I only remember it by the mnemonic of it's fuck, but with an s.

          • Angostura 40 minutes ago

            It helps if you know that the flower, the fuchsia, was discovered by Dr Fuchs.

          • crazygringo 2 hours ago

            I vote to just change the spelling to what almost everyone already thinks it is anyways.

            It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.

            • lloeki an hour ago

              > But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling

              In the word "french" C H is pronounced sh and nobody bats an eye, I don't think it's that outlandish that someone once read it as fuch-sia, incorrectly splitting it compared to the original.

              In the language French, fuchsia is unequivocally read something more like few-shia, and I'd bet that even though it comes from German Fuchs-ia (fooks-ia) English has picked it up from the French side.

              If you find such a loanword weird, don't you dare try reading Japanese.

              https://aethermug.com/posts/the-beautiful-dissociation-of-th...

            • pwdisswordfishy 2 hours ago

              It comes from the surname of a German botanist. Which just happens to mean "fox". Never had problems with it.

              It would probably help if you pronounced it right, with a /ks/.

              • umanwizard 2 hours ago

                The beginning of the English word "fuchsia" is not pronounced like the German word Fuchs, so indeed the spelling does not match the pronunciation. This is independent of the fact that it comes from that word. Plenty of things in English (and, in fact, loanwords in every language) sound different from the words they're derived from; that doesn't mean trying to imitate the source language is the "right" pronunciation. If you pronounce fuchsia like "fuksia" nobody will understand you.

    • mschuster91 an hour ago

      That's always the case, even on Windows, even on Linux for closed-source third party drivers. The only exception is macOS because Apple insists on writing the drivers themselves - that was, in addition to Soldergate, the reason why Apple dropped NVIDIA.

      • ifh-hn 28 minutes ago

        Are Apple's drivers open source?

  • kelnos 3 hours ago

    > This [update] was rushed out to all Pixel users.

    Pixel 8 here, still don't have the update. That's... not great.

    • int0x29 2 hours ago

      I think your carrier hasn't approved it yet. T-mobile seems to lag on these things. I also can't seem to find a system update. A Google Play system update does seem to exist

      • freitasm an hour ago

        We have an OS security update that is only released to users of specific hardware, once approved by their mobile operator. It may be added to vendor-specific OS versions some time later (weeks, months or never). The vendor-specific version may not be approved by a telco if the vendor doesn't have a relationship with that telco.

        Now think that millions of people use the same OS on many different flavours, on different hardware, on multiple operators.

        What an inefficient way of doing things.

    • josephcsible 22 minutes ago

      You can manually download the full OTA from https://developers.google.com/android/ota#shiba and install it with adb.

    • nervysnail 3 hours ago

      I'd suggest you use GrapheneOS.

    • 2OEH8eoCRo0 an hour ago

      My friend is still on the Pixel 2. Are they affected?

      • petee an hour ago

        Pixel 2 stopped getting updates almost 5 years ago

    • jeffbee 3 hours ago

      Just go to the software update, touch the button, then touch it a second time, and that will give you all available updates immediately, regardless of your random position in the rollout process.

      • Fishkins an hour ago

        I had the same experience as peer comments. I'm on Pixel 8 and Google Fi. When I check for updates, I'm told I'm up-to-date with the last update being over a month old.

      • Terr_ 2 hours ago

        Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.

        • mrgoldenbrown 2 hours ago

          I see the same behavior on my 8.

        • jeffbee 2 hours ago

          Could be model-specific. I got the update by doing that manually on my Pixel 8 Pro, that also happens to be on the beta track so there are a few confounders. But that is the way to get the latest software that is waiting to be released to your phone, without waiting.

      • fluidcruft an hour ago

        I don't see it yet either and have mashed it a bunch (Pixel 7, T-Mobile). Says it's running October's update with no updates available.

  • RadiozRadioz an hour ago

    I'm really struggling to find any concrete information about what this vulnerability actually is. Does anyone know where to look for a good summary?

  • baal80spam 4 hours ago

    This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?

    • ActorNightly 7 minutes ago

      Yes (with caveats)

      In today's world, web-based exploits are pretty rare. The only time you really see this happen is with fully proprietary systems like iPhones, because the software stack on those is all intertwined between kernel code and user code, and things like sending a text message with some formatted characters can lead to reboots of phones. But even then, to gain a full command line shell or steal secrets is either impossible due to attack surface, or requires the phone to be in a specific state, like fully factory reset.

      The only real danger is chains of trust being compromised, as in some attacker manages to insert malicious code into an already trusted app that uses these exploits.

      On a side note, I get a kick out of reading HN comments about exploitation and hacking. I think people firmly believe that with enough time, a hacker can figure out how to basically take over your phone given any exploit, no matter what it is.

    • pajko 2 hours ago

      Both mentioned CVEs seem to be about local privilege escalation. So basically yes, if you don't install crap apps, there's a high chance that you are protected. Problem is that it might not seem to be a crap app, but a nice-looking game, etc. Also an attack can come in with an update of any app you have already installed on your phone.

      • ajross an hour ago

        The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.

    • londons_explore 22 minutes ago

      Whilst the play store supposedly scans all apps for malicious behaviour, it's pretty easy to detect the test environment they use for testing and make malicious behaviour only trigger in situations Google doesn't test - eg. 5 days after installation, only if the device IP address changes at least once.

    • bigbadfeline 3 hours ago

      > if I don't install any crap on my phone I am safe?

      We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.

      • ActorNightly 14 minutes ago

        CVE records are public. All info is there.

  • charcircuit 3 hours ago

    >But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.

    Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes it possible for Google to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes, so they don't allocate engineers to do the work.

    • kwanbix 3 hours ago

      The problem is that each OEM releases 50 different models per year, vs Google (or Apple) that release 3 or 4 models.

      • shiandow 2 hours ago

        If that truly is an issue then Android is a fundamentally broken OS.

        How many different models of PCs get released? How hard is it to patch any of their OSs?

        • reactordev 2 hours ago

          >How many different models of PCs get released?

          If you want to go that route, each manufacturer is responsible for their own drivers for Windows, Linux, and possibly Mac (though if it’s novel enough, they will do it). Then think about the components that make up a PC. Motherboard, CPU, Memory Control, IO, OS, Audio, Video. Each of those needs to release patches. So it’s orders of magnitude more than any Android OS. It’s just pure laziness on the part of the hardware manufacturers that don’t want to invest in software/support. They want Google to do that.

          • crote 2 hours ago

            The big difference with PC hardware is that the OS will get most driver updates for the individual components directly from the OEM. A driver update for, say, a sound card will directly be available to every machine with that sound card installed. The PC vendor doesn't have to be involved in any way.

            It's the other way around with Android. Google does a new core release, and each individual manufacturer is responsible for modifying it for their devices. If you don't bother to upstream your drivers to mainline Linux and use a skin which heavily modifies core Android, backporting those fixes can quickly become a nightmare.

            • reactordev 2 hours ago

              Again, no sympathy as that’s the route they chose. Rely on Google for everything OS and make a phone whereas Apple made a phone and supplied an OS.

              Apple made a product. Google made a software revenue stream. Entirely different things and now the Android makers are crying foul that they too have to do product engineering support. Nah. This is what you get when you rely on out of house innovation. I hope they all close shop. Not because I like Apple, but because they aren’t in the business of making products, only selling you hardware with bolt on software that it vaguely supports. Like buying a raspberry pi that can make phone calls. Google has them all by the balls.

              • thevillagechief 19 minutes ago

                Yeah, and I also hope that all the PC makers close up shop as well. They rely on Microsoft for everything OS. Listen, you can just enjoy your iPhone in peace. Let other people make things, even if you feel they don't meet your standards.

        • AshamedCaptain an hour ago

          But how are they going to do the artificial market segmentation otherwise?

          (E.g. Samsung still limits Now brief to latest devices even though it is a 99% software feature + 1% cloud with 0 hardware requirements.)

      • crote 2 hours ago

        If you can't support 50 different models, then perhaps you shouldn't be releasing 50 different models.

      • arghwhat 2 hours ago

        That's still one OS. Customization is mostly userspace "system" apps that they swap out and maintain, but reused across all their phones with some small variation. Hardware enablement will differ between models, but that's just the cost of doing business.

        Can be a pain to move the whole suite to a new major (porting all their inhouse apps, getting all the hardware enablement from vendors updated to match, ...), but we're not dealing with a major upgrade here.

        A security patch is "just" a matter of taking the last release, applying the diff, build, qa, release. No customization.

      • mrgoldenbrown 2 hours ago

        If they choose to release 50 models, they need to factor in the cost to maintain security on 50 models.

      • TheDong 2 hours ago

        Weird how LineageOS supports ~300 devices while still managing to release patches.

        I bet this CVE's patched quicker on a Samsung device running LineageOS than on the stock OS.

        The real difference is that Google has a more competent software development process and release process than other android OEMs, regardless of how many different devices they have.

        • stackskipton 2 hours ago

          LineageOS doesn't customize the hell out of their OSes per device.

          That's the core of the issue. Samsung takes Android, customizes it per device and then tosses them into the world. So now they don't have 1 OS to update, they have 100s of OSes to update.

      • klooney 2 hours ago

        The fix was released in September according to GrapheneOS, so you'd think they could have it out for the flagships

      • drtgh 2 hours ago

        They must release drivers and firmware for all the devices that they no longer support.

      • like_any_other 2 hours ago

        And 5000+ laptop models per year, yet linux runs on (pretty much) all of them. This is an entirely self-inflicted problem. They don't deserve an ounce of mercy.

    • jacquesm 2 hours ago

      And then you install that 'security patch' and end up with a borked phone, apps that no longer work, new apps that you didn't ask for and so on.

      Give me just the security updates please.

  • londons_explore 32 minutes ago

    > with attacks that can achieve “remote denial of service

    Denial of service doesn't sound so bad... Does a reboot of the device solve it?

  • resist_futility 3 hours ago

    nice list of vulnerabilities and source changes

    https://source.android.com/docs/security/bulletin/2025-12-01

  • Squeeze2664 4 hours ago

    Is GrapheneOS affected?

  • rew0rk 4 hours ago

    While the information leakage/disclosure is a big issue, it feels like it's still a big jump to get users to install off-Play Store APKs?

  • baaron 3 hours ago

    My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.