Stagefright 2.0 vulnerabilities were found in core Android library called libtuils, while the second, a dependent vulnerability in Android 5.0; it calls into libutils in an vulnerable manner. Researcher Joshua Drake of Zimperium disclosed the flaws last week after privately reporting them to Google. Google said last week that patches were provided to partners on Sept. 10 and that it was working with OEMs and carriers to deliver those updates as soon as possible. Google also patched critical vulnerabilities in a number of other components, many of which enable remote code execution via media files.
Source: https://threatpost.com/google-pushes-stagefright-2-0-patches-to-nexus-devices/114923/