Patchday: Android key store system security issues resolved
Google, Samsung & Co. have released security updates for Android devices that are still under support.
Attackers can target Android smartphones and cause devices to crash, among other things. In addition, unauthorized access to cryptographic keys that are supposed to be isolated is possible. Security patches for selected devices resolve the security issues.
As stated in a post by Google, the developers have closed two security vulnerabilities on this patchday. Since July 2025, the smartphone manufacturer has addressed only vulnerabilities considered particularly dangerous on a monthly basis. Further security patches follow quarterly.
DoS and Key Leak
So far, there are no reports that attackers are already exploiting the vulnerabilities. If you own a Pixel smartphone that is still under support, you should ensure that Patch Level 2026-04-01 or 2026-04-05 is installed. In addition to Google, Huawei and Samsung, among others, provide monthly security updates for selected devices for download.
This month, a "critical" DoS vulnerability (CVE-2026-0049) in Android 14, 15, 16, and 16-qpr2 is considered the most dangerous. Attackers are said to be able to exploit it without additional execution privileges. How attacks are carried out in detail and which service or process crashes after a successful attack is currently unclear.
A vulnerability in Android's key storage system StrongBox (CVE-2025-48651, "high") affects various components from NXP and Thales, among others. What attackers can do after successful attacks is not clear from the description of the vulnerability. Since Android stores cryptographic keys in the Hardware Security Module (HSM), unauthorized access is likely.
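To check devices against the two patch levels named above, the following added example (not from the article or from Google) classifies a reported security patch level and handles missing or garbled values. The device serials are constructed, the `meets-05`/`meets-01` labels are this example's own names, and it assumes the level is read from the standard `ro.build.version.security_patch` property.

```sh
#!/bin/sh
# Added example, not from the article: report which of the two April 2026
# patch levels named in the article a device has reached.
BASE_LEVEL="2026-04-01"   # from the article
FULL_LEVEL="2026-04-05"   # from the article

# classify_patch_level <YYYY-MM-DD> -> meets-05 | meets-01 | outdated | invalid
classify_patch_level() {
    level=$1
    # Accept only a strict YYYY-MM-DD value; empty or garbled input is invalid.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Drop the dashes so the ISO dates compare as plain integers.
    n=$(printf '%s' "$level" | tr -d '-')
    base=$(printf '%s' "$BASE_LEVEL" | tr -d '-')
    full=$(printf '%s' "$FULL_LEVEL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then echo meets-05
    elif [ "$n" -ge "$base" ]; then echo meets-01
    else echo outdated
    fi
}

# audit_report: reads "serial patch-level" pairs on stdin, one per line,
# and prints serial, reported level and classification, tab-separated.
audit_report() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s\t%s\t%s\n' "$serial" "${level:-none}" \
            "$(classify_patch_level "$level")"
    done
}

# With adb available, the pairs can come from attached devices:
#   for s in $(adb devices | awk 'NR>1 && $2=="device"{print $1}'); do
#     echo "$s $(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')"
#   done | audit_report

# Constructed sample inventory (not real devices).
audit_report <<'EOF'
PIXEL-A 2026-04-05
PIXEL-B 2026-04-01
TABLET-C 2026-01-05
KIOSK-D unknown
EOF
```

The article does not say which of the two fixes ships with which patch level, so the script only reports the level reached and leaves that mapping open.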
(des)