
Google Expands Linux Kernel Support to Keep Android Devices Secure Longer

Image: Linux logo

In short

  • Google has committed to providing four years of support for its Linux kernel variants, starting with kernel 6.6.
  • Android devices use the Linux kernel and must be periodically updated to receive security patches.
  • The core Linux kernel project recently ended its six-year commitment to providing support for LTS releases, which would have been bad for the security of Android devices. As a result, Google had to take action.

Android, like many other operating systems, uses the open-source Linux kernel. There are several different types of Linux kernel releases, but the most important one for Android is the long-term support (LTS) type, as they are regularly updated with important bug fixes and security patches. Starting in 2017, the support period for Linux LTS releases was extended from two to six years, but that extension was revoked early last year. Thankfully, Google announced that it will now support its own LTS kernel releases for four years. Here’s why this is important for the security of Android devices.

The Linux kernel found on most Android devices comes from one of Google’s Android Common Kernel (ACK) branches. These ACK branches are created from the main Android kernel branch whenever a new LTS release is declared. For example, the android15-6.6 ACK branch was created shortly after version 6.6 was declared as the latest LTS release, and the “android15” in its name refers to the version of Android the kernel is associated with (in this case, Android 15).

Google lists three reasons for maintaining its own fork of each Linux LTS kernel release. First, Google forks can contain backports and cherry-picks of upstream features needed for Android features. Second, they can deliver features that are ready for Android devices even while still in upstream development. Third, they can contain some vendor or OEM features that are useful to other Android partners.

Once they are created, ACKs continue to be updated by Google to receive bug fixes for Android-specific code, as well as LTS merges from the upstream kernel branch. Security vulnerabilities affecting the Linux kernel that are disclosed in the monthly Android Security Bulletin, such as those listed in the July 2024 bulletin, are addressed in these updates.

However, it’s not always possible to identify when a bug fix is a security fix, because a bug fix may actually be closing a security hole that the author didn’t know about or didn’t want to disclose. Google tries to identify these cases when they happen, but it’s impossible to catch them all, leading to situations where fixes end up in the upstream Linux kernel months before they hit Android devices. That’s why Google pushes Android OEMs to regularly roll out LTS updates so they’re not caught by surprise by a security flaw being disclosed.

It goes without saying that Linux LTS kernel releases are incredibly important for Android device security, as they help Google and OEMs address known and unknown security vulnerabilities. The longer the support period for a Linux LTS kernel release, the longer Google and OEMs can update their devices with security fixes.

Unfortunately, while a longer support period is good for Google and OEMs, it puts a huge burden on Linux kernel developers and maintainers, many of whom are unpaid volunteers. Furthermore, if we exclude Android and embedded devices, there aren’t that many devices running older versions of Linux.

Image: Linux six-year LTS

Essentially, Linux maintainers decided that the six-year support period for LTS kernel releases no longer made sense to them, so they decided to shorten the period again to two years. This change was made public in early 2023, leaving many observers wondering what this would mean for the Android world. Some believed that this would force OEMs to finally start making major kernel version updates to stay up to date, while others believed that Google or the chip vendors would extend LTS themselves.

The latter is what Google did. On its developer page for ACKs, Google writes that “starting with kernel 6.6, the support period for stable kernels is 4 years.” It prefaces this with the statement that “ACKs may be supported longer than the corresponding stable kernel on kernel.org. In such a case, Google provides extended support until the End of Life (EOL) date listed in this section.” When a kernel is EOL, Google obviously no longer supports it, but more importantly, “the devices it runs on are considered vulnerable.”

Android Common Kernel Support Lifetimes

The previous six-year Linux LTS lifecycle allowed Android OEMs to release devices after one, two, or even three years of the lifecycle and still benefit from several years of support.

However, since Google only supports new ACK branches for four years, OEMs can no longer do so. Therefore, starting with Android 15, devices can only launch with android14-6.1 or android15-6.6, the two most recent kernel versions. The former will be supported until July 2029, and the latter until July 2028, so devices could launch with them this year and still receive three to five years of support before they need to upgrade their kernel.
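A fleet-triage script tying together the two risks the article describes: a device whose ACK branch has passed its EOL date is “considered vulnerable”, and a device that lags many LTS point releases behind upstream may be missing fixes that were silent security fixes. This is an added example, not code from the article or from Google. It assumes the usual shape of a GKI kernel release string as reported by `uname -r` (for example `6.6.30-android15-8-g<hash>-ab<build>`), uses the EOL months the article cites for android14-6.1 and android15-6.6 with an assumed day-of-month, and the upstream point-release numbers, sample device list and lag threshold are all constructed for illustration.

```python
"""Triage Android kernel release strings against ACK EOL dates and upstream LTS lag.

Added example (not from the article or Google). Assumptions are marked inline.
"""
import re
from datetime import date

# ACK branch -> EOL date. Month/year come from the article (July 2029 / July 2028);
# the day-of-month is an assumption, since Google publishes only month and year.
ACK_EOL = {
    "android14-6.1": date(2029, 7, 31),
    "android15-6.6": date(2028, 7, 31),
}

# Constructed sample of the newest upstream LTS point release per series.
# In practice this would be refreshed from kernel.org's published release list.
UPSTREAM_LATEST = {"6.1": (6, 1, 100), "6.6": (6, 6, 40)}

# Assumed policy: flag a device once it is more than this many point releases
# behind upstream, since LTS merges reaching devices months late is the concern.
LAG_THRESHOLD = 10

# Assumed GKI release string shape: "<major>.<minor>.<patch>-android<N>-<...>".
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(android\d+)-")


def parse_release(uname_r):
    """Return the version triple and ACK branch name, or None if not a GKI string."""
    m = RELEASE_RE.match(uname_r)
    if not m:
        return None
    major, minor, patch, android = m.groups()
    return {
        "version": (int(major), int(minor), int(patch)),
        "branch": f"{android}-{major}.{minor}",
    }


def assess(uname_r, today_iso):
    """Classify one device as ok / lagging / eol / unknown-branch / unparsed."""
    today = date.fromisoformat(today_iso)
    info = parse_release(uname_r)
    if info is None:
        return {"release": uname_r, "status": "unparsed"}
    major, minor, patch = info["version"]
    branch = info["branch"]
    eol = ACK_EOL.get(branch)
    latest = UPSTREAM_LATEST.get(f"{major}.{minor}")
    lag = latest[2] - patch if latest else None
    if eol is None:
        status = "unknown-branch"      # e.g. android15-6.1, which Google says will not exist
    elif today > eol:
        status = "eol"                 # past EOL: the article says such devices are considered vulnerable
    elif lag is not None and lag > LAG_THRESHOLD:
        status = "lagging"             # LTS merges are far behind upstream
    else:
        status = "ok"
    return {
        "release": uname_r,
        "branch": branch,
        "eol": eol.isoformat() if eol else None,
        "patch_lag": lag,
        "status": status,
    }


def triage(releases, today_iso):
    """Assess every release string in a fleet inventory."""
    return [assess(r, today_iso) for r in releases]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    SAMPLE_FLEET = [
        "6.6.30-android15-8-g0123abcd-ab1234567",
        "6.6.25-android15-8-g0123abcd-ab1234567",
        "6.1.95-android14-11-g0123abcd-ab1234567",
        "6.1.50-android15-8-g0123abcd-ab1234567",
        "5.15.0-generic",
    ]
    for row in triage(SAMPLE_FLEET, "2025-01-15"):
        print(row)
```

Run it against the output of `adb shell uname -r` collected from managed devices; anything reported as `eol` or `lagging` is a candidate for the OEM update conversation the article describes, and `unknown-branch` means the string did not match a branch Google lists.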

Android Runtime Functions and Kernels

Google says that in the future there will only be one new ACK branch for each kernel version, hence no android15-6.1 branch. That simplifies things a bit, but eventually OEMs will have to start doing major kernel version updates if they’re going to commit to an increasingly long phone update policy.
