For the first time since August 2015, Google has not released any security updates for Android this month. However, the coast is not clear: Qualcomm has warned of a critical vulnerability in GPS components in more than a hundred chipsets.
Google published its July security bulletin yesterday, announcing that it would not be releasing any security patches. No reason was given. Pixel phones will also not receive any security updates this month, despite Google launching Android 16 in June. Apparently, no vulnerabilities have been discovered or resolved yet.
Since August 2015, Google has released monthly security bulletins addressing Android vulnerabilities. The monthly patches often include updates from third parties, especially chip manufacturers who release fixes for their code. These suppliers, such as Qualcomm (more on that below), also issue their own notifications. Perhaps Google and Qualcomm’s timelines were just off for preparing a patch for this month.
Vulnerabilities nonetheless
Qualcomm has, on the other hand, issued a significant security alert in its own July bulletin. It warns of a critical vulnerability: CVE-2025-21450. This involves faulty authentication in GPS components of more than a hundred different chipsets. Qualcomm calls it a cryptographic issue during downloads via unsecure connections, but does not provide any further details.
The impact is rated 9.1 on a scale of 1 to 10. In addition to Qualcomm, Samsung also mentions CVE-2025-21450 in its own bulletin. This shows once again that there are indeed new threats every month on Android, even when Google takes a breather for the first time in a decade.
Also read: Google introduces new Android design style