The latest Android security updates address only two vulnerabilities: a critical denial-of-service (DoS) issue, and a StrongBox flaw whose impact does not appear to have been disclosed.
The DoS vulnerability is tracked as CVE-2026-0049 and it affects Android’s Framework component. The weakness can be exploited by a local attacker with no additional execution privileges and without user interaction to cause a DoS condition.
The second vulnerability affects StrongBox, Android’s hardware-backed secure keystore that adds a higher level of protection for cryptographic keys.
StrongBox works by storing and managing keys inside a dedicated Secure Element (SE), a separate, tamper-resistant hardware chip that includes its own processor, isolated memory, and a hardware-based random number generator, along with strong defenses against physical and side-channel attacks.
The StrongBox flaw is tracked as CVE-2025-48651 and it has been assigned a ‘high severity’ rating, but it’s unclear what it can be exploited for. StrongBox vulnerabilities in general could allow key extraction, privilege escalation, or triggering a DoS condition.
Technical details will likely become available at a later time.
According to the Android security bulletin, CVE-2025-48651 affects StrongBox implementations from Google, NXP, STMicroelectronics, and Thales.
Neither of the vulnerabilities appears to have been exploited in the wild.

