The majority of OnePlus phones in use today may be vulnerable to a security flaw that leaves SMS and MMS data exposed, and it won’t be patched until mid-October. Only OnePlus phones still running 2020’s OxygenOS 11 or earlier are believed to be safe from the flaw.

Security company Rapid7 was first to discover the vulnerability, which relates to changes OnePlus made to the Telephony service within Android. The long and short of it is that it would allow installed apps to access SMS data “without permission, user interaction, or consent.” The company found the flaw on devices running OxygenOS 12, 14, and 15, though reported that the older OxygenOS 11, based on Android 11, is not vulnerable. While Rapid7 only tested two types of hardware — the OnePlus 8T and 10 Pro 5G — it says the flaw “affects a core component of Android,” and so is unlikely to be hardware-specific.

OnePlus has admitted to the issue, but in a statement given to 9to5Google by an unnamed spokesperson it says a fix won’t arrive until mid-October at the earliest.

We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.

Rapid7 announced the discovery on its blog on Monday this week, but OnePlus didn’t respond until Wednesday. Rapid7 says it tried and failed to contact OnePlus privately to discuss the problem, and only turned to a public disclosure after also ruling out the company’s bug bounty program because of its “restrictive Non Disclosure Agreement.”

Until the flaw is patched, Rapid7 recommends that OnePlus device owners should only install apps from trusted sources, uninstall any unnecessary ones, switch to encrypted messaging apps, and use authenticator apps rather than SMS-based two-factor authentication.