Finding Patch Links in Android Security Bulletin

Sometimes the patch links are published too late in the Android Security Bulletin. We can find them by going to https://osv.dev. Most of the bugs have the link to the patch.

There are another kind of bugs that starts with PUB. They are available in the OSV database and Android Security Acknowledgements, but we can't find them in the Bulletin, and there are no link to the patches in OSV. Let's take CVE-2025-36889 as an example.

If you have the latest AOSP source code on your computer, use repo forall -p -c 'git log --all --grep="369100626"'. 369100626 is the Android bug ID.

Modify this link: https://android.googlesource.com/platform/packages/apps/Camera2/+/744bd82d1cd5f306635793146e2d3911aa6ddb2c. You will now see the commit details.

If syncing AOSP takes too much time, or if you are a Mac user your computer does not have enough space for the repository, the details may include the file name.

Search for the file and open Blame. Search for the year, and you will probably find the commit.

Directly Googling the bug ID may also help.