by AdmiralAsshat 2614 days ago
https://www.qualcomm.com/company/product-security/bulletins#...

That's pretty much all the snapdragons in modern Android phones (page is not letting me copy+paste them here).

Has QC put out a patch yet?

EDIT: The April security patch looks like it took care of it:

https://source.android.com/security/bulletin/2019-04-01

EDIT 2: And of course, my Samsung Galaxy S8+, despite having received an update in April, is only at the March 1st security patch level. So I'm likely vulnerable until Samsung's next update.


Yes. From the article:

> Recommendation

> Qualcomm has already designed and distributed a patch to address this issue. Ensure that your devices are running the most recent firmware version.

Also, here's the list from that page: IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130

Thanks, I was hoping to figure out when it was distributed. But your comment encouraged me to search for the CVE, and it looks like it was fixed in the Android 04-05 security patch:

https://source.android.com/security/bulletin/2019-04-01

For vendor patches, you really can't trust that value in any way... I'm afraid there is no real way to check, except for trying the attack.

Qualcomm patches are not distributed as part of AOSP security patches, and are not tested for Google certification, so there is really no reason for it to be accurate, except possibly for Pixels.

I remember reading that phone manufacturers sometimes update the patch version but don't pull all the patches, presumably because it's too much effort to integrate into their forked codebases.

Do firmware updates typically get distributed along with OS updates on Android, or is there some other process you'd need to use to patch those devices?

They're delivered along with normal updates.

> (page is not letting me copy+paste them here)

`user-select: none` in the `.slick-slider` CSS rule. User-hostility at its finest. Sigh...

Is it possible to change those rules? I’ve come across this before and it is frustrating to say the least.

Open the developer tools in your browser, go to the styles and unselect the element(s) causing you problems.

That's assuming Galaxy S8+ is using Qualcomm's keymaster, I'm not too sure.

Considering how Samsung is focused on security, I wouldn't be surprised if they'd use an external security element like Google does on Pixel 3.