Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.

The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18 – we're talking millions of gadgets and handhelds, here.

The vulnerability is a privilege elevation that lets apps execute arbitrary code in the kernel, allowing normal software to commandeer the hardware and install spyware, malware or legit custom firmware.

Affected users will need to re-flash their Android operating system to apply the fix. That can only be done with the help of manufacturers and carriers, which are lousy at distributing security patches in a hurry. Nexus phones and tablets can receive their updates direct from Google, though.

Google found an application that exploits the vulnerability to root Nexus 5 and 6 handsets. The Alphabet subsidiary did not say whether the application was malicious or a tool meant to help users root their Nexus devices and install non-official builds of Android.

Google has blocked the rooting app in its Play Store, while users of the latest Android operating systems will receive security flags warning of the rooting capabilities of the app. The search tsar distributed the patch to its phone manufacturer partners on 15 March ahead of today's general release.

"Google has become aware of a rooting application using an un-patched local elevation of privilege vulnerability in the kernel on some Android devices," the company said in an advisory.

"This is a known issue in the upstream Linux kernel that was fixed in April 2014 but wasn’t called out as a security fix. On February 19, 2016, C0RE Team notified Google that the issue could be exploited on Android and a patch was developed to be included in an upcoming regularly scheduled monthly update."

Android devices with a security patch level of April 2 are protected against the root exploit. ®
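A fleet check built from the two thresholds reported above, as an added example that is not code from Google or from this article. It assumes the patch level's year is 2016 (taken from the advisory's dates), that the level is read from the `ro.build.version.security_patch` property and the kernel release from `uname -r`, and it runs over a constructed inventory.

```python
import re
from datetime import date

# Thresholds from the article. The year 2016 is an assumption drawn from the
# advisory dates quoted on the page.
FIXED_KERNEL = (3, 18)
FIXED_PATCH_LEVEL = date(2016, 4, 2)

def parse_kernel(release):
    """Return (major, minor) from a `uname -r` string such as '3.10.40-gabc'."""
    m = re.match(r"\s*(\d+)\.(\d+)", release or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; None when the property is empty or malformed."""
    try:
        year, month, day = (int(p) for p in (value or "").strip().split("-"))
        return date(year, month, day)
    except ValueError:
        return None

def classify(kernel_release, patch_level):
    """Classify one device for CVE-2015-1805 using only the article's criteria."""
    patched = parse_patch_level(patch_level)
    if patched and patched >= FIXED_PATCH_LEVEL:
        return "protected"       # patch level covers the fix
    kernel = parse_kernel(kernel_release)
    if kernel is None:
        return "unknown"         # cannot decide without a kernel version
    if kernel >= FIXED_KERNEL:
        return "not-affected"    # article: only kernels below 3.18 are affected
    return "exposed"             # old kernel, patch level missing or too old

# Constructed sample inventory: (device, `uname -r`, security patch level).
# An empty patch level models a build that does not report the property.
INVENTORY = [
    ("nexus5-lab", "3.4.0-gbaedc86", "2016-03-01"),
    ("nexus6-qa", "3.10.40-g1a2b3c4", "2016-04-02"),
    ("tablet-old", "3.4.67", ""),
    ("dev-board", "3.18.20-perf", "2016-02-01"),
    ("mystery", "unknown", ""),
]

def audit(inventory):
    return {name: classify(kernel, level) for name, kernel, level in inventory}

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name:12} {verdict}")
```

A missing patch level is treated as unpatched rather than skipped, so devices that do not report the property still show up as exposed when their kernel is below 3.18.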