CVE-2021-1048 Critical Zero-Day exploit. Patches available from Google

So although security is an issue to some degree for just about everyone it’s not the same and I am interested and so follow the topic.

Sure I don’t understand very much of it but calling me or anyone else stupid etc. is well off topic as I see it and provocative.

So are you really surprise it was me that took issue with your dispersions or more that no one else can be bothered.

You are clearly upset not just about security but ~ well I just don’t know and then to add

do you really want to be ignored ???

Given security is a personal issue I see no reason not to comment on how I am effected by it and it would be reasonable for anyone reading my experience to know it isn’t everyone else’s without you calling me ~ whatever you have at your disposal.

I said ignorant, with stupid behind brackets. If you want to be positive about it you can read ignorant, if you want to be negative you can read stupid.

I argued very clearly how your standpoint is at least ignorant. Which, as this reply states is a big problem in this field.

The reality is the following:

Practically EVERYONE has very personal data on their smartphones. You want to keep this data secure and private.

For example, I have a password manager on my smartphone. You may have one or not. If someone has root, they have access to all my passwords. Does that mean they figure that out, does that mean they will use any of these? No, but the danger is there, and very real. I already mentioned sextortion as well, as well as implants being applied world-wide on a certain job description (journalists).

If you want to, for example, install some random application via the Play Store which is shady, then this is your choice, and its your freedom to do that. User B might decide not to. That’s akin to the liberty of visiting a website. It involves free will. Here in this specific case, we don’t have the freedom to work around this issue barring installing some third party OS. We cannot patch this ourselves. We’re at the mercy of Fairphone/Arima. Which is why saying ‘Given security is a personal issue’ is a non-starter.

FYI: I don’t care if I get ignored by you. I don’t think you’re reasonable when it comes to this subject (given this isn’t the first time you pull this very argument from your hat), and I want to warn the other readers your viewpoint is unreasonable. Given that, if you decide to not reply to my arguments, that’s actually a Good Thing :smiley: so, feel free!

1 Like

I’m not getting what the problem you have is although I take it you think I am ignorant and not stupid (to be further assessed no doubt)

  • I have an encrypted areas, virtual volumes, on my PCs etc and I have a password manager too where I consider it necessary, which is for all internet sites for example.
  • I want to warn the other readers your viewpoint is unreasonable. ( JerornH quote not mine :slight_smile:

So why would you think I wouldn’t respond to you, whatever gave you that idea? My apologies that you thought I may ignore you, but I still don’t understand how my view point is unreasonable to you, and further what viewpoint do you have such an unrequited issue over?

Can’t we all just get along?

And of course we all support sustainable technology. Right?

So we should support the notion of our favourite sustainable technology provider being widely used. To get there we need the certification, and to get the certification we need timely security updates.

We’re all on the same side here. This is what’s required to achieve our shared goals.


Not going to happen. Pretty much every monthly patch from Google contains critical patches. The only way to make sure that you receive those in a timely manner is to buy a Pixel phone (or a recent Galaxy S, Samsung is also pretty quick these days).

Fairphone for example has (at least to the best of my knowledge) outsourced its OS development to its main assemlby partner in Taiwan. So they cannot even directly control the availability of OS patches AFAIK.

Best wishes,


Looks like the required update is available for the FP2 now!


Just wondering if authors here have read

and more

What makes you think that update is related?

Well… since I can’t just post a quote, here’s a sentence too!

1 Like


It was the link. I just looked at the post. You could go back and edit the link to remove the 3 at the end :slight_smile:

It may be that the FOS A9 which is an in-house build, doesn’t require the same google certification, hence can be rolled out once the update has been accomplished.

The usual 500,000 tests google demand might therefore not be needed.

For what it’s worth, the corresponding topic in the Beta category mentioned "fixes required for Google approval" prior to public release, so even if the process might not be entirely the same, they don’t seem to get around Google’s OK :wink: .

1 Like

each “official” Android OS has to go through google certification (therefore custom ROM updates can be published more often and faster). However for the FP2 there is no Network provider related rollout and that seem to make it a lot easier and its therefore also directly available to everyone.


Hi everyone. Thanks @Mark_Jaroski for flagging this. Our team is already aware. The build is ready and we are starting the cycle certification process. I’ll keep you all updated once we have more info to share.


Thank you @rae . I got the update yesterday.

@Mark_/Jaroski Just curious about this update you have. What update is that/this?

Rae’s post was only yesterday I would doubt it’s available today. Are you confusing it with the FP3 A0132 update (security patch 5th Nov) or is there some idea it contained the 1048 patch?

or is this about the FP2 ???

My understanding was that it was in the 5 Nov security patch.

1 Like

I thought that too, so I wonder why on 18th Nov Rae posted that, maybe there was some delay in sending the post??

1 Like

Hi @Rae is this 1048 patch separate from the A1032 as your post is after the push of the A1032 and you say you are starting the certification process on the 18th Nov?

Chiming in here, CVE-2021-1048 is part of the 2021-11-06 patch level (https://source.android.com/security/bulletin/2021-11-01#2021-11-06-security-patch-level-vulnerability-details) so it’s not included in the 2021-11-05 patch level that the recent update has.


OK. Thank you @lucaweiss .