Google has released the May 2016 Android Security Bulletin, previously called monthly security patch notes,  and the scope has been expanded to include mention of vulnerabilities that affect phones and tablets that aren’t Nexus branded from Google.
Google has also updated the Android Security severity ratings. These changes were the result of data collected over the last six months on reported security vulnerabilities and aim to align severities more closely with real world impact to users.
The update is still Android 6.0.1, but carries a different version number depending which phone or tablet you are using.
The table below contains a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), their assessed severity and whether or not Nexus devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed. [table style=”table-striped”]
Issue CVE Severity Affects Nexus? Remote Code Execution Vulnerability in Mediaserver CVE-2016-2428 CVE-2016-2429 Critical Yes Elevation of Privilege Vulnerability in Debuggerd CVE-2016-2430 Critical Yes Elevation of Privilege Vulnerability in Qualcomm TrustZone CVE-2016-2431 CVE-2016-2432 Critical Yes Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2015-0569 CVE-2015-0570 Critical Yes Elevation of Privilege Vulnerability in NVIDIA Video Driver CVE-2016-2434 CVE-2016-2435 CVE-2016-2436 CVE-2016-2437 Critical Yes Elevation of Privilege Vulnerability in Kernel CVE-2015-1805 Critical Yes Remote Code Execution Vulnerability in Kernel CVE-2016-2438 High Yes Information Disclosure Vulnerability in Qualcomm Tethering Controller CVE-2016-2060 High No Remote Code Execution in Bluetooth CVE-2016-2439 High Yes Elevation of Privilege in Binder CVE-2016-2440 High Yes Elevation of Privilege Vulnerability in Qualcomm Buspm Driver CVE-2016-2441 CVE-2016-2442 High Yes Elevation of Privilege Vulnerability in Qualcomm MDP Driver CVE-2016-2443 High Yes Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2015-0571 High Yes Elevation of Privilege Vulnerability in NVIDIA Video Driver CVE-2016-2444 CVE-2016-2445 CVE-2016-2446 High Yes Elevation of Privilege in Wi-Fi CVE-2016-2447 High Yes Elevation of Privilege Vulnerability in Mediaserver CVE-2016-2448 CVE-2016-2449 CVE-2016-2450 CVE-2016-2451 CVE-2016-2452 High Yes Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-2453 High Yes Remote Denial of Service Vulnerability in Qualcomm Hardware Codec CVE-2016-2454 High Yes Elevation of Privilege in Conscrypt CVE-2016-2461 CVE-2016-2462 Moderate Yes Elevation of Privilege Vulnerability in OpenSSL & BoringSSL CVE-2016-0705 Moderate Yes Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-2456 Moderate Yes Elevation of Privilege in Wi-Fi CVE-2016-2457 Moderate Yes Information Disclosure Vulnerability in AOSP Mail CVE-2016-2458 Moderate Yes Information Disclosure Vulnerability in Mediaserver CVE-2016-2459 CVE-2016-2460 Moderate Yes Denial of Service Vulnerability in Kernel CVE-2016-0774 Low Yes[/table]
Android and Google Service MitigationsAccording to Google,
“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
In total, 25 security vulnerabilities have been addressed, ranging from critical to low in terms of their assessed severity. 24 of these fixes affect Nexus or Android One branded devices.
This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible. The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting applicationâ€â€no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application. As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. This explains why the recent BlackBerry Priv Marshmallow release (and beta) already contained the May security update.
Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available.
Nexus ImagesThe updates for the Nexus line  both over the air or as a new factory image  haven’t changed. OTA updates have begun their staggered roll out, and new factory images are now available for manual downloading and installation.
Full details of the May 2016 Android Security Bulletin is available here.
