The first Monday of each month has become Android Security day, when Google publishes a notice about all the security issues that have been reported and fixed in the last month. Like previous security updates, Google has alerted partners about these bugs ahead of time so they are able to issue patches. Additionally, Nexus devices such as the Nexus Player will soon be receiving these patches with an OTA update. You’ll know your device has been patched when the security level says June 2016.
A number of high-priority issues were fixed, mostly related to elevation of privilege, where certain apps can do more than they are supposed to do. These existed in a number of Qualcomm drivers for graphics, Wi-Fi, and audio.
Even more serious were critical-priority issues related to the Mediaserver. This process, which handles and can display images, audio, and video to the user, has had a number of exploits in the past. A new exploit can allow apps to achieve remote code execution using a specially crafted media file. This is a problem because the Mediaserver has much broader access than an ordinary app since it's tied to the system, and this enables a rogue app to do much more than it is supposed to.
It is also an issue because the Mediaserver is used throughout the operating system. It is commonly used to play media from a browser or an MMS message, making this a bigger problem than simply a rogue app. Any attacker can exploit a system just by getting you to click on a web URL or open a text message notification.
Google has now patched this bug, and you should be getting the fix soon. You can check out the factory images here. Alternatively, Google is now publishing the OTA zips that you can download and use to update your device over ADB. Of course, if you aren’t sure how to flash your device, you’re better off just waiting for the OTA.