They patched their code and didn't tell users about the patch.
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
Conversation
It's in the monthly security bulletin with links to the commits fixing the issues.
The security bulletin and the corresponding updates pushed out every month for devices receiving ongoing support are how users are informed.
I don't know what was silent about these fixes.
They added a note about active exploitation for certain vulnerabilities. As part of patching issues, they often ship instrumentation to detect failed exploitation. It's one of the services under the SafetyNet branding. It would be hard to detect these things before they patch it.
1
1
1
It's much more likely to detect it after broadly deploying a patch with instrumentation for SafetyNet. If it widely exploited enough, then maybe they could detect it in the couple weeks of internal testing. It can uncover other actively exploited bugs being used in the same ops.