Android 12 will include patches for over 160 security vulnerabilities
Google surprised us today by announcing the release of Android 12 … but postponing the update for Pixel phones until later. Had today’s update included the long-awaited version bump, Pixel users would have been treated to a fresh new OS update, a promised Pixel Feature Drop, and a security update all at once. Alas, Pixel users will have to wait a few weeks to get the update, but in the meantime, we have some news to share about what’s included in it. Apart from the new design and a host of new features, Android 12 will also include patches for over 160 security vulnerabilities.
Earlier today, Google published the October 2021 Android Security Bulletin and rolled out new updates to Pixel phones, bumping the security patch level on those devices to 2021-10-05. The underlying OS version of the updated builds is still Android 11, however. Today’s AOSP release of Android 12 will have a default security patch level of 2021-10-01, but since we don’t know when Google plans to release the Android 12 update to Pixel phones, we don’t know if the stable builds will include this month’s or next month’s security patch level.
What we do know is the list of security vulnerabilities addressed by the Android 12 update. In the Android 12 Security Release Notes, Google identifies 162 security vulnerabilities across a range of components, such as the Android runtime, the Android Framework, the Media Framework, and the System. Here is the number of vulnerabilities fixed as part of Android 12, grouped by the component they affect. You can find the CVE identifier, type of vulnerability, and the severity of the vulnerability on the release notes page.
- Android TV – 2
- Android runtime – 4
- Android Framework – 70
- Library – 2
- Media Framework – 21
- System – 63
These vulnerabilities are mitigated by patches made to the Android platform as part of the AOSP Android 12 release. Android devices running Android 12 with a security patch level of 2021-10-01 or later will have mitigations against these vulnerabilities. The source code patches for these issues will be made public in the AOSP repository as part of today’s source code drop, so OEMs and vendors are free to merge these patches or backport them if necessary.