elrond
1
Google has posted a new Security Bulletin:
Especially CVE‑2025‑48593 looks quite concerning. It has been covered in some press articles already (e.g.: Heise: Patchday: Critical malicious code vulnerability in Android 13, 14, 15, 16 closed | heise online, Forbes: Samsung And Google Issue Update Warning—No Fix For 1 Billion Users).
How critical is it really?
Is /e/OS affected?
P.S.: If this is the wrong category or the wrong tags, please fix them. I tried to find a good category, but wasn’t successful.
tcecyk
2
Here’s some commentary and links into source: Zhuowei Zhang: “Android November Security Bulletin's out: https://source.android.com/docs/security/bulletin/2025-11-01 CVE-2025-48593 seems to be a Bluetooth headphone issue: https://android.googlesource.com/plat...”
If that holds, for the RCE you’d need to use the phone itself as a Bluetooth speaker.
The PoE (apexd) seems more broad.
Both affect /e/OS ofc, but a framework update with the next build will fix this. Easier than vendor kernel issues or blobs.
CVE-2025-48581 “high” exclusively impacts Android 16