"Pixnapping" rendering side channel attack

matchboxbananasynergy

Based on the website, it seems that even though Google's first attempt at patching this was worked around by the researchers, Google has tried again, and that patch is included with the December patches.

Therefore, it is possible that people who are using the security preview releases are already protected from this.

If that is the case, it is a nice example of a real world scenario in which having these patches applied in advance is beneficial for average users.

mmobder

matchboxbananasynergy is beneficial for average users

it's great this option is ON by default

Watermelon

PolarOctopus Based on this website, I can see three vulnerabilities involved here, with the third one being independent:

matchboxbananasynergy Therefore, it is possible that people who are using the security preview releases are already protected from this.

NoahRaketic Are GrapheneOS devices without Google's upcoming patch vulnerable to this attack?

I didn't see the aforementioned CVE in the list of additional CVEs that the security preview releases fix, so I don't think it's fixed at all for now?

IDtheTarget

mmobder I don't know if it is. I saw an alert after the last update asking me to opt in. I hadn't been following this option so I didn't know what to do. I trust the Deva so I opted in, then started searching for what I had opted in to. I'm glad in retrospect that I did, but I still don't know if it's on by default or opt in.

mmobder

IDtheTarget the toggle to opt-in is ON by default in that recent update)

GrouchyGrape

mmobder you are incorrect. Reread the latest release notes. While recommended by the team, it's still an opt-in option.

GrapheneOS

mmobder mmobder It's disabled by default, but the page for choosing to explicitly enable or disable it has it toggled on by default since that's the recommendation. If someone ignores the notification, it remains disabled since that's the default. People are pushed to choose either enabled or disabled since the notification will come back until they choose either one and press save, or until they set it explicitly in the update settings. It shows the notification opening the activity to choose for everyone who hasn't set it explicitly. New users get the page in the Setup Wizard where they have to choose to proceed. People can change what they chose later on via the update settings.

mmobder

GrouchyGrape the toggle is ON by default, one can turn it OFF, what are you talking about?

userofgos

mmobder did you read this post correctly?

Our plan is to keep it off-by-default with a new page added to the Setup Wizard which will have it toggled on as a recommendation. We'll prompt users on existing installs to choose.

GrouchyGrape

mmobder my mistake, I misread your post. I haven't been through the owner setup screen since the latest update, so perhaps your right and the opt-in option for security releases is checked (enabled) by default.

If that's the case, I would consider it an opt-out feature. That being said, I agree with making it optional, but enabled by default.

mmobder

userofgos yep, and as others has mentioned, I'm also wondering why for security-centric GOS, it should be the opt-in instead of current opt-out? (it's for that thread)

mmobder

GrouchyGrape I would consider it an opt-out feature. That being said, I agree with making it optional, but enabled by default.

If that's ok, please support me and others with this question https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/44

NoahRaketic

Are GrapheneOS devices without Google's upcoming patch vulnerable to this attack?

alwaysprotected

Watermelon

Google likely included it in the december Pixel Update.
The graphene security preview releases dont contain the monthly pixel updates in advance.

GrapheneOS

alwaysprotected They haven't come close to making the monthly Pixel update for December 2025 yet. They're talking about the December monthly security bulletin. Note that there are often multiple CVEs to refer to something regarded publicly as 1 vulnerability when there are multiple cases of it fixed separately and/or it's fixed in multiple phases.

Watermelon CVE-2025-48561 is listed as fixed in https://source.android.com/docs/security/bulletin/2025-09-01 and subsequent patches for fixing additional issues not covered by that will not use the same CVE. The CVE refers to the specific patch they made in the September 2025 bulletin. There are separate CVEs for other fixes. If a patch only partially fixes an issue or doesn't fix it properly, they use additional CVEs for the additional patches. You're drawing an incorrect conclusion.

Spleendid

Oh, thats some pretty bad CVE for people who uses NON FOSS apps. Any app could implement this and wreck havoc on the security and privacy of the OS.

NetRunner88

Spleendid
Even foss apps can do that especially those coming from fdroid

PolarOctopus

It sounds like there will be a further fix to this in the December security patches, according to https://9to5google.com/2025/10/14/google-patched-pixnapping-attack-further-fix-december-update/

23Sha-ger

This can be mitigated by having sensitive apps (like 2FA apps, Authenticators) on a separate profile.
Since the attack requires sending crafted intents to the target (sensitive) app.

BuffaloStance

23Sha-ger

Switching profiles and then back again in time to input the code would be cumbersome at best.

Watermelon

GrapheneOS Watermelon CVE-2025-48561 is listed as fixed in https://source.android.com/docs/security/bulletin/2025-09-01 and subsequent patches for fixing additional issues not covered by that will not use the same CVE. The CVE refers to the specific patch they made in the September 2025 bulletin. There are separate CVEs for other fixes. If a patch only partially fixes an issue or doesn't fix it properly, they use additional CVEs for the additional patches. You're drawing an incorrect conclusion.

I didn't know the failed fix was already committed and part of the September bulletin. It sounded like it wasn't, so I didn't check it. Thanks