Since October 2015, Google has released month security patches for Nexus devices. These are accompanied by an announcement in the form of the Nexus Security Bulletin, which details security vulnerabilities affecting Android devices. Beginning with the May 2016 bulletin, Google now calls this the Android Security Bulletin, better reflecting the broader scope of the bulletin.
The May 2016 edition of the Android Security Bulletin was just posted a short while ago. A new column in the summary table indicates if the vulnerability affects Nexus devices, since the bulletin now covers all of Android in general. There’s now also greater clarity, in the details provided within the bulletin, about exactly which Nexus device is affected by each issue.
There are six critical severity vulnerabilities listed, all affecting Nexus devices. One of them again manifests in the beleaguered Mediaserver. Mediaserver is responsible for rendering of multimedia content, and is often exploited through remotely-supplied media. Google Hangouts and Messenger applications have stopped automatically passing media to processes, including Mediaserver, so to some extent, the vulnerability is mitigated. However, there’s no telling how other applications on your Android device are handling remotely-supplied media.
The other five critical issues are with elevation of privileges in various components, namely Debuggerd, Qualcomm TrustZone, Qualcomm Wi-Fi Driver, NVIDIA Video Driver, and the Kernel.
It usually takes one to two weeks before Nexus devices actually receive their software updates over-the-air. Those who are highly impatient may flash factory images of the software which are made available much more quickly.