The February Android security patch is live, marking both the first on-time patch for the Pixel 6 and the last patch ever for the Pixel 3.
The Pixel 3 launched in October 2018 to lukewarm reviews, thanks to a giant camera notch on the XL model and a worrying dearth of RAM across the lineup. Google only offers three years of major OS updates (even on the Pixel 6), so the phone’s last regular update was the Android 12 launch in October 2021. Pushing one of the biggest Android launches ever as the final update is a little scary (there are bound to be some bugs), so Google promised one last wrap-up update before it said goodbye to the Pixel 3. The device ended up with two more updates: one in January to patch that wild 911 bug and this final update. Google hasn’t posted any release notes for the last Pixel 3 update, but the February update should cover all the security issues up to today, and from now on, you’re out of date.
The Pixel 6’s update plan is promoted by Google as “five years of Android security updates,” but that still includes only three years of major Android version updates. The Pixel 6 will be obsolete in October 2024, but it will continue to get security updates until October 2026. We’ve long seen Android companies blame SoC vendors for the short support times compared to the iPhone’s six years of updates, but with the Google Tensor, Google is its own SoC vendor now, so it could support the Pixel 6 for longer if it wanted.
The Pixel 6’s Tensor SoC was built in collaboration with Samsung, marking a break from the Qualcomm-based Pixel 1-5 devices. Google’s vendor switch and the rough holiday timeline for the Pixel 6 have resulted in a sloppy initial rollout, with the device missing the first few security patches while bugs get worked out. After getting a big patch in the middle of January, this is the first on-time security patch.
Besides a passing of the baton for Pixel devices, the security update fixes what sounds like a nasty remote escalation vulnerability, CVE-2021-39675. The bug is still undisclosed, but Google gave it a special shoutout in the security bulletin, calling it “a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.” Google has only updated Android 12 to fix this bug, either because it does not affect older versions or because fixes for older versions are still in the works.
The updates should roll out to all users over the next few weeks, but if you know what you’re doing, you can manually apply them from Google’s developer site.