Android goes without monthly security updates for the second time in 10 years Android goes without monthly security updates for the second time in 10 years

Why hasn’t Android disclosed security updates in October’s Security Bulletin?

byAlex Ivanovs
October 7, 2025

For over a decade, Google has published monthly Android Security Bulletins listing vulnerabilities fixed in that month’s patches. In July 2025, the bulletin diverged from that pattern: a “blank” bulletin appeared, showing zero vulnerabilities listed. Then in October 2025, no new vulnerabilities were disclosed again — marking the second time in ten years that Google skipped content in the monthly bulletin.

Did Google simply find nothing to fix? Or is it a change in policy rather than an absence of work?

The gap in October (and earlier in July) aligns with Google’s adoption of a Risk-Based Update System (RBUS) for Android security patches.

Under RBUS:

  • Google will include only “high-risk” vulnerabilities in monthly bulletins.
  • Other vulnerabilities (e.g. moderate or lower risk) are deferred to quarterly bulletins.
  • Consequently, some monthly bulletins may list no new vulnerabilities, even if lower-level issues exist.

In effect, the October bulletin’s blank state does not necessarily mean there were no vulnerabilities to fix. Rather, it suggests that none qualified as “high risk” under Google’s threshold for monthly disclosure.

What the October 2025 bulletin actually says

Even though no vulnerability entries are listed, the Android Security Bulletin for October 2025 still exists and is published (albeit sparsely).

The bulletin notes that:

  1. Some devices (Android 10 and newer) will have a Google Play system update with a “2025-10-01” patch level.
  2. The bulletin includes two security patch levels to allow more flexibility for OEMs in merging fixes.

In other words, the architecture for a bulletin remains; it’s just that the content is minimal.

OEMs (e.g. Samsung) are still issuing patches

While Google’s official bulletin is empty, individual manufacturers continue to issue patches as part of their security maintenance releases. For example, Samsung’s October 2025 update includes fixes for several “High” severity CVEs. These are derived from Google’s broader security pool and alignment with the Android bulletin framework.

It’s also notable that some of the fixes Samsung lists are drawn from earlier Android Security Bulletins.

Thus, device makers are not silent — they are still patching, even if Google’s bulletin doesn’t highlight every fix.

Implications & cautions

  • The shift to risk-based disclosures means monthly bulletins are less predictable: in some months, there may be zero publicly listed patches.
  • Major quarterly bulletins (e.g. March, June, September, December) are expected to carry a larger share of fixes, including those of lower severity.
  • Some security observers caution that delaying disclosure for non–high risk issues may give attackers more time if details leak in advance.
  • Device owners should continue installing manufacturer updates promptly — even if Google’s published bulletins don’t reference them explicitly.

Some of the information and clarification in this article was made possible thanks to original reporting from Android Authority; thanks to their team for the scoop!

Share this:

Share on Reddit Share on LinkedIn Share on Telegram Share on Bluesky
byAlex Ivanovs
Published

Read more