NDSS 2025 – Vulnerability, Where Art Thou? Vulnerability Management In Android Smartphone Chipsets

The study’s creation of a comprehensive vulnerability database marks a pivotal step for both academia and industry. By aggregating data from all four major chipset vendors, the authors illuminate a hidden dimension of Android security: hardware‑level flaws that propagate through successive product lines. This inheritance pattern means that a single design error can jeopardize not only current flagship devices but also legacy phones still in active use, expanding the attack surface far beyond what operating‑system patches alone can address.

Beyond the technical findings, the paper highlights a systemic weakness in the responsible disclosure ecosystem. While the 90‑day window is widely cited as a benchmark for timely remediation, the authors document frequent deviations, with many vulnerabilities lingering far beyond that period. Coupled with opaque update policies from OEMs and carriers, end‑users often receive no clear indication of whether their devices are patched. This lag creates a fertile environment for exploit developers, as demonstrated by recent real‑world attacks that leveraged outdated chipset code to execute arbitrary commands or exfiltrate data.

To curb this risk, the authors recommend several pragmatic changes: standardized vulnerability reporting across vendors, mandatory inclusion of chipset patches in OTA updates, and transparent public advisories linking specific CVEs to affected phone models. Implementing these measures could accelerate remediation timelines and restore consumer confidence. Moreover, the newly released knowledge base equips researchers with a richer dataset for evaluating exploit feasibility and for designing next‑generation defenses, fostering a more resilient Android ecosystem overall.