If that's true, that's interesting. Because there have been cases where vendors have asked Google for more time to vet a fix that was going to lapse the responsible disclosure's window and Google (or perhaps more specifically, Project Zero) wouldn't allow it. Mid-March to end of June is a bit over 90 days at my estimation (depending on specific dates, obviously) and yet by September nothing and no updates.
The ZDI disclosure is rather vague, but I suspect this is a vendor-specific vulnerability and the speculation otherwise in the Ars Technica article is just wrong. There is no single "v4l2 driver" used by across all of Android - every device has its own v4l2 driver with its own implementation of the userland-facing v4l2 APIs, and vendors being what they are some of them are of pretty poor quality.
