I just checked the security bulletin for my Motorola stock Android device and it listed all the CVEs that are for the Android OS. But it does not list CVEs for the kernel and for the Qualcomm chip, while the official Android security bulletin from Google does list kernel and Qualcomm CVEs for the September patch. So does that mean Motorola does not patch kernel and Qualcomm CVEs? I also checked security bulletins for Samsung and they say on the website that vendor-specific updates for the chips might be delayed. I checked the Motorola security bulletins for every month of 2024 and I did not see any mentions of Qualcomm CVEs.
Firmware responsibility is that of the OEMs. When ROMs like GrapheneOS and CalyxOS offer “extended support” for their devices, they only offer updates to open source components. Firmware can’t be updated by the ROM makers as it is proprietary.
Thank you for your reply but that was not my question. My question was probably not understood.
Does Motorola update Qualcomm firmware with the monthly Android security updates? Because in the link that I posted above for the monthly security bulletin of Motorola, Qualcomm CVEs or even the Android kernel CVEs are not mentioned, while on the Google Android website they are mentioned. https://source.android.com/docs/security/bulletin/2024-09-01
It is my understanding that OEMs like Motorola and Samsung ship updates that also include updates for the kernel and the Qualcomm/MediaTek chips together with the Android OS updates.
For a device to claim a patch level it must implement all of the fixes of that bulletin as well as all previous bulletins.
So yes, it very much should.
In practice, there can be slippage.
You can see this directly, as there are many vendor-specific patches in the ASB, however not all of them, and this is even noted at the bottom:
Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level.
So a Qualcomm device claiming 2024-09-05 MUST patch that… but, for example, CVE-2024-38402 and CVE-2024-33047 are only listed in the Qualcomm bulletin and not the ASB, so a vendor does not have to patch them to claim the level.
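The patch-level rule from the answer above, as a shell check you can run against the level a device reports. This is an added example, not code from anyone in the thread. It goes one step beyond the thread by using the bulletin's split into a -01 level and a -05 level, where the kernel and vendor sections sit under -05. The sample levels in the comments are constructed.

```shell
#!/bin/sh
# On a device, the claimed levels can be read with (real Android properties):
#   adb shell getprop ro.build.version.security_patch   # OS patch level
#   adb shell getprop ro.vendor.build.security_patch    # vendor image level

# Turn YYYY-MM-DD into the integer YYYYMMDD; fail on anything else.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# spl_covers CLAIMED BULLETIN_LEVEL
# Succeeds when the claimed level is at or past the bulletin level, i.e. the
# device is required to carry every ASB fix up to that level.
spl_covers() {
    claimed=$(spl_to_int "$1") || return 2
    wanted=$(spl_to_int "$2") || return 2
    [ "$claimed" -ge "$wanted" ]
}

# asb_coverage CLAIMED YYYY-MM
# Prints what the claimed level commits to for that month's ASB:
#   full    -> at or past the -05 level (kernel and vendor sections included)
#   partial -> only the -01 level of that month
#   none    -> the claim predates that bulletin
# "full" still says nothing about CVEs that appear only in a partner
# bulletin (the thread's examples: CVE-2024-38402, CVE-2024-33047).
asb_coverage() {
    spl_to_int "$1" >/dev/null || { echo invalid; return 2; }
    if spl_covers "$1" "$2-05"; then echo full
    elif spl_covers "$1" "$2-01"; then echo partial
    else echo none
    fi
}

# Constructed sample: a device reporting 2024-09-01, checked against 2024-09.
# asb_coverage 2024-09-01 2024-09
```

A result of `partial` for the current month means the device has not claimed that month's kernel and Qualcomm fixes from the ASB, regardless of what the OEM's own bulletin lists.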
Thanks! That clears things up a bit for me. So I suppose Motorola and Samsung do implement the Qualcomm and kernel patches for CVEs according to the Google Android bulletin. It just seems strange to me that Motorola’s and Samsung’s security bulletins do not list them… I just wanted to be certain that I am receiving all patches and OEMs are not skipping on patches.