Android monthly updates are out – critical bugs found in critical places!

Google’s May 2022 updates for Android are out.

As usual, the core of Android received two different patch versions.

The first is dubbed 2022-05-01 and contains fixes for 13 CVE-numbered vulnerabilities.

Fortunately, none of these are currently being exploited, meaning that there are no zero-day holes known this month; none of them directly lead to remote code execution (RCE); and none of them are flagged as Critical.

Nevertheless, at least one of these vulnerabilities could allow an entirely innocent-looking app (one that needs no special privileges at all when you install it) to attain what amounts to root level access.

If you’re wondering why we aren’t giving you specific CVE numbers for the most serious vulnerabilities, that’s because Google itself doesn’t detail which vulnerabilities present what risks, but instead merely states the potential side-effects of “The most severe vulnerability” in each group of bugs.

The second tranche of updates is dubbed 2022-05-05, an official identifier that covers all the patches provided by 2022-05-01 plus 23 more CVE-numbered bugs in numerous parts of the operating system.

Components affected by these bugs include the Android kernel itself, along with various closed-source software modules that are provided to Google by hardware makers MediaTek and Qualcomm.
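To see which of the two levels a device actually reached, here is an added example (not from Google's bulletin or the original article) that sorts a reported patch level into "full", "partial", "behind" or "unknown". It assumes the value is read from the standard Android property `ro.build.version.security_patch`; the device names and inventory lines are constructed, and treating later levels as including the May fixes is an assumption.

```shell
#!/bin/sh
# Classify an Android security patch level against the May 2022 levels.
# On a real device the value would come from (not run here):
#   adb shell getprop ro.build.version.security_patch
PARTIAL_LEVEL="2022-05-01"   # first tranche: 13 CVEs
FULL_LEVEL="2022-05-05"      # first tranche plus 23 more (kernel, vendor modules)

classify_patch_level() {
    level=$1
    # Reject anything that is not YYYY-MM-DD (empty, truncated, free text)
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed
    n=$(echo "$level" | tr -d '-')
    partial=$(echo "$PARTIAL_LEVEL" | tr -d '-')
    full=$(echo "$FULL_LEVEL" | tr -d '-')
    # Assumption: a later patch level includes every fix of the earlier ones
    if [ "$n" -ge "$full" ]; then
        echo "full"       # all 36 May 2022 CVEs addressed
    elif [ "$n" -ge "$partial" ]; then
        echo "partial"    # 13 fixed, kernel and vendor fixes still pending
    else
        echo "behind"     # none of the May 2022 fixes
    fi
}

# Read "device-name patch-level" lines and print a triage line for each
triage_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        echo "$device $(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (hypothetical device names)
triage_inventory <<'EOF'
phone-a 2022-05-05
phone-b 2022-05-01
tablet-c 2022-03-01
kiosk-d
EOF
```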

Non-unified patches

Ideally, Google wouldn’t split the monthly updates apart in this fashion, but would provide a single, unified set of patches and expect all vendors of Android devices to get up-to-date as soon as possible.

However, as the company admits in its bulletins, there are “Two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly.”

We can understand Google’s approach, which presumably reflects the assumption that it’s better if everybody fixes at least something and some vendors fix everything…

…than if some vendors fix everything but others fix nothing at all.

Nevertheless, Google publicly notes that “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.”

In the modern vernacular, our opinion on this issue is simple and clear: +1.