Google has released the details surrounding the April 2 security patch for Android, completely mitigating issues described in a bulletin several weeks ago as well as a slew of other critical and moderate issues. This one is a bit different from previous bulletins, with special attention paid to a privilege escalation vulnerability in versions 3.4, 3.10 and 3.14 of the Linux kernel used in Android. We'll discuss that further down the page. In the meantime, here's the breakdown of what you need to know about this month's patch.

Updated firmware images are now available for currently supported Nexus devices on the Google Developer site. The Android Open Source Project has these changes rolling out to the relevant branches now, and everything will be complete and synchronized within 48 hours. Over-the-air updates are in progress for currently supported Nexus phones and tablets, and will follow the standard Google rollout procedure — it may take a week or two to get to your Nexus. All partners — that means the people who built your phone, regardless of brand — have had access to these fixes as of March 16, 2016, and they will announce and patch devices on their own individual schedules.

The most severe issue addressed is a vulnerability that could allow remote code execution when processing media files. These files can be sent to your phone by any means — email, web browsing, MMS or instant messaging. Other critical issues patched are specific to the DHCP client, Qualcomm's Performance Module and RF driver. These exploits could allow code to run that permanently compromises the device firmware, forcing the end user to re-flash the full operating system — if "platform and service mitigations are disabled for development purposes." That's security-nerd speak for allowing apps from unknown sources to be installed and/or allowing OEM unlocking.

Other patched vulnerabilities include methods to bypass Factory Reset Protection, issues that could be exploited to allow denial of service attacks, and issues that allow code execution on devices with root. IT professionals will be happy to also see mail and ActiveSync issues that could allow access to "sensitive" information patched in this update.

As always, Google also reminds us that there have been no reports of users being affected by these issues, and they have a recommended procedure to help prevent devices from falling victim to these and future issues:

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.

The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which will warn the user about detected potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.

As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Regarding issues mentioned in the previous bulletin