A critical update to Android’s device-side debugging service shows how patch timing, not just vulnerability severity, can define the real risk window.