Google has posted a new Security Bulletin:
Especially CVE‑2025‑48593 looks quite concerning. It has been covered in some press articles already (i.e.: Heise: Patchday: Critical malicious code vulnerability in Android 13, 14, 15, 16 closed | heise online, forbes: Samsung And Google Issue Update Warning—No Fix For 1 Billion Users)
How ciritical is it really?
Is /e/OS affected?
P.S.: If this is the wrong category, wrong tags, please fix them. I tried to find a good category, but wasn’t successful
here’s some commentary and links into source: Zhuowei Zhang: “Android November Security Bulletin's out: https://source.android.com/docs/security/bulletin/2025-11-01 CVE-2025-48593 seems to be a Bluetooth headphone issue: https://android.googlesource.com/plat...”
if that holds, for the RCE you’d need to use the phone itself as bluetooth speaker
the PoE (apexd) seems more broad.
Both affect /e/OS ofc, but a framework update with the next build will fix this. Easier than vendor kernel issues or blobs.
CVE-2025-48581 “high” exclusively impacts Android 16
the linked dev zhuowei keeps grinding at the bluetooth vuln to make an exploit (educational) - but for the enduser this is the assessment from the readme:
You shouldn’t worry about this. As far as I can tell, phones are NOT vulnerable to CVE-2025-48593. The issue only affects Android devices that support acting as Bluetooth headphones / speakers, such as some smartwatches, smart glasses, and cars. In addition, an attacker has to get a victim to pair to the attacker before they can access the headset service. As long as you don’t accept the pairing request on your smartwatch/glasses/car, you should be fine.