A program crucial to managing security vulnerabilities has just lost its funding. This quiet change could slow down future Android updates. And it could also make threat tracking more difficult to coordinate.
Every month, Google releases an Android security update to fix vulnerabilities detected in the system. These patches are essential for protecting user data against attacks and spyware. In February 2025, one of these flaws, active since 2008, was exploited to remotely access files on a smartphone via the USB port. This critical vulnerability, named CVE-2024-53104, shows how crucial it is to have rigorous threat monitoring. This monitoring, which relies on a system called CVE, is now under threat.
The CVE program, previously supported by the American government, has just lost its funding. This system assigns a unique number to every known security vulnerability. Google, like many players in the industry, relies on it to organize its monthly Android security bulletins. Without this common foundation, vulnerability management risks becoming more complex, especially in future versions of the system, such as Android 15 and Android 16.
The end of the CVE program could slow down and disrupt Android updates
With the disappearance of CVE, each smartphone manufacturer may have to develop its own vulnerability tracking system. This change risks creating gaps between brands, with delays in detecting and patching vulnerabilities. The standardization of monthly bulletins could disappear, making communication less clear for users and professionals. It would also complicate the work of security researchers.
Flaws already identified will remain available, but the program will no longer be updated starting April 16, 2025. Google may attempt to create a replacement database, but no solution has yet been announced. Other companies could also offer an alternative. In the meantime, this situation creates a critical void. If no system takes over, Android could lose responsiveness and transparency in its security management.
Source: The Register