Most Android patch advisories are forgettable. April’s isn’t.

Two CVEs stand out. The first, CVE-2026-0049, is rated Critical and requires no user interaction to trigger. It hits Android 14 through 16. It's a local denial-of-service that can fire without you doing anything and without the attacker having any special access first. That combination earns the Critical label.

The second one is rated High but hits harder in some ways. CVE-2025-48651 is a flaw in StrongBox, the physically isolated secure element that handles your cryptographic keys, Google Pay tokens, and the hardware attestation your employer’s MDM trusts when it decides your phone is safe. It doesn’t share memory with Android. A compromised OS can’t touch it. That’s the whole point.

What makes this one unusual: it affects StrongBox implementations from Google, NXP, STMicroelectronics, and Thales. Four vendors. That’s not a software bug in one codebase. It’s a flaw sitting deep enough to touch four separate hardware lineups at once.

Full technical details are still held back while patches roll out. But the multi-vendor scope tells you where in the stack this lives.

One practical thing to know: April ships two patch levels. You need 2026-04-05 (not just 2026-04-01) to get the StrongBox fix. Check Settings > About Phone > Android Security Patch Level. If you’re on Pixel, it’s available now. Everyone else, it’s coming.
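If you're checking more than one handset, the same comparison can be scripted. This is an added example, not code from Google or from this post's sources: it assumes `adb` is installed and the devices are authorized for debugging, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: sort an Android security patch level against April 2026's two
# patch levels. Thresholds are the ones named in the article; the function
# names (classify_patch_level, check_connected_devices, demo) are hypothetical.

PARTIAL_LEVEL=20260401   # 2026-04-01: first April level, no StrongBox fix
FULL_LEVEL=20260405      # 2026-04-05: level the article says carries the fix

# Prints one of: full | partial | outdated | invalid
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # strict YYYY-MM-DD
        *) echo invalid; return 0 ;;
    esac
    n=$(printf '%s' "$1" | tr -d '-')    # 2026-04-05 -> 20260405
    if [ "$n" -ge "$FULL_LEVEL" ]; then echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then echo partial
    else echo outdated
    fi
}

# Reads the property behind "Android Security Patch Level" from every
# authorized device. Assumes adb is on PATH.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from swallowing the rest of the serial list;
        # tr strips the carriage return some adb versions append.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
                </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Constructed sample values, not taken from real devices.
demo() {
    for lvl in 2026-03-05 2026-04-01 2026-04-05 2026-05-01 unknown; do
        printf '%s -> %s\n' "$lvl" "$(classify_patch_level "$lvl")"
    done
}

case "${1:-demo}" in
    --adb) check_connected_devices ;;
    *)     demo ;;
esac
```

Run it with `--adb` to query attached devices. A `partial` result means the phone shows an April patch but not the level that includes the StrongBox fix.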

No confirmed exploits yet. That’s the window.

