The issue was discovered by Google's Eric Dumazet, and quietly dealt with at the end of 2015 with a small fix applied to the open-source kernel.
.
.
Then this month, Google issued a bunch of security fixes for Android
.
.
So, in short, yes, there is a remote kernel-level code execution vulnerability in Linux, which sounds like the worst of the very worst, but it is pretty much patched by now – and it appears to be tricky to exploit. It was silently addressed in the kernel source over a year ago, and fixed in updates to machines earlier this year, but only now has it come to wider attention.
Oh, so Google are quite prepared to drop their noisy and swift approach to announcing bugs in other people's code when it affects their own product? It's taken them well over a year to include the fix in their own product, yet they're quite happy to start trash-talking about flaws in other people's products after 90 days regardless of the consequences to users (many of whom are also Google customers).
What a bunch of duplicitous immature w*************.