GrapheneOS security preview releases

GrapheneOS

GOS21606 The patches are included in the regular releases since the first 2025-12-01 security patch release. Security preview patches are the same patches the regular releases end up getting. The major quarterly/yearly Android releases get a lot of the patches before the official Android Security Bulletin launch dates and our current list of security preview patches in the release notes are only the ones applicable to Android 16 QPR2. It would be a significantly longer list if the OS was based on Android 16 instead.

GOS21606

GrapheneOS Thanks for your reply.

So it is not a big risk to run the regular release or is it still recommended to switch to the security patch release?

de0u

GOS21606 So it is not a big risk to run the regular release or is it still recommended to switch to the security patch release?

I think the question asked was whether pixnapping is patched in the regular release and the answer is that it is patched in recent (December) regular-release images. But that means it was not patched in the November regular releases, so in November running the security-preview release was necessary to resist that attack.

At any moment in time the security-preview release has many patches that the regular release does not, including some that will be unpatched in the regular releases for three months.

GOS21606

de0u Yes that was the indeed the question and that's is clear to me.

The GOS team is doing a very good job to adapt this since the embargo.

Maybe Google will change there policy (again) in the future regarding security updates?

de0u

GOS21606 Maybe Google will change there policy (again) in the future regarding security updates?

Sure, maybe. But I can imagine that after all the effort of switching to this model they're likely to try it for at least a year or two before making changes.

ryrona

GrapheneOS Yes, it will be possible to reproduce the builds after the fact as can be done with the regular releases at launch. We've implemented the security preview releases by using the same sources we used for the regular releases and running a script which applies patches we've saved in a repository for the preview patches with the conflicts resolved by us in advance and a script to apply them. It also patches it into being a security preview release by renaming the channel metadata. We're tagging the security preview releases in this repository, so we can make a public variant of the repository where we push the same stuff once the embargo ends.

Since December has passed, the first batch of patches for releases 3 months ago should have been released by now to reproduce those builds. Are they? Where are they located? I couldn't find them.

xxx

ryrona releases 3 months ago should have been released by now to reproduce those builds.

I think they will be in the next (non-preview) update.

GrapheneOS

ryrona Many of the December patches were delayed to future bulletins and we continued shipping those. The deferred patches were included in Android 16 QPR2. We should be able to release the preview patches up until it started including beyond December but haven't set it up yet. We tagged each release in the private repository but there isn't a way to partially open the repository on GitHub. We likely need to make a new repository with only the processed patches we used and copy over all of the patches for each tagged release to a new tagged release there. We've had a lot of extremely high priorities and still do so we haven't gotten to it yet. A lot of unforeseen things happened including needing to leave multiple server providers and many severe upstream bugs we had to deal with ourselves.

Falcon

I know there is a dedicated thread for the "pixnapping attack" here https://discuss.grapheneos.org/d/27296-pixnapping-rendering-side-channel-attack, but my question is more about Security Preview Release:

CVE-2025-48561 appears to be fixed permanently in the release https://grapheneos.org/releases#2025122500
Does this mean that stock Android (and all other manufacturers) will only receive a fix for this bug 3 months after the embargo ends?

Cpt_FLAM

Thank you for all your hard work!!!!!

JMP

My thanks also to you all for the time and effort put into the project for us. Very much appreciated.

glueckself

Is CVE-2026-0106 fixed in the current security preview release (2026012801)? I don't see it in the list of CVEs fixed in security preview releases, and 2026012801 states patch level 2026-01-05, but Google says that CVE-2026-0106 is fixed in patch level 2026-02-05.
Also, I see two new releases (2026020400 and 2026020600), but the updater says my device is up to date with 2026012801. Are the security preview releases delayed, or am I really up to date and all is good?

Thanks :)

harp

glueckself
2026020400 never left beta channel and 2026020600 is still in beta channel but may go to stable approximately today or tomorrow, if no serious bugs are reported.
https://grapheneos.org/releases#devices

GrapheneOS

glueckself

I don't see it in the list of CVEs fixed in security preview releases

The list of CVEs for the security preview releases are a list of the included security preview patches, not the overall patches. Security preview patches are future Android Security Bulletin patches from the subset for the Android Open Source Project. Driver and firmware patches aren't part of the security preview patches which are being provided. Android Security Bulletins do list a tiny subset of driver and firmware patches but the security previews aren't providing those for shipping early.

Our release notes for 2026020400 say it provides the 2025-02-05 Pixel patch level. CVE-2026-0106 may not even be relevant to GrapheneOS.

2026020600 was in the Stable channel only a few hours after these posts.

glueckself

Argh, I should've looked into beta status, thanks!

But just to make sure I understand correctly, even the security preview is currently vulnerable to CVE-2026-0106, until 2026020601 is released as stable?

xxx

glueckself CVE-2026-0106

is patched in the last 2releases.
You can switch to beta -> get the last one -> and switch back to stable.

'since the 2026012800 release:

raise declared Android security patch level to February 2026 which has been provided since we moved to Android 16 QPR2 in December (currently declared as 2026-02-01 **even though 2026-02-05 has been provided since Android 16 QPR2** but it wasn't worth restarting the builds)
**update to February 2026 Pixel driver/firmware code providing the 2026-02-05 Pixel security patch** level'

Not clear to me if the patch was included even longer.

« Previous Page