"Pixnapping" rendering side channel attack

mmobder

userofgos yep, and as others has mentioned, I'm also wondering why for security-centric GOS, it should be the opt-in instead of current opt-out? (it's for that thread)

mmobder

GrouchyGrape I would consider it an opt-out feature. That being said, I agree with making it optional, but enabled by default.

If that's ok, please support me and others with this question https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/44

NoahRaketic

Are GrapheneOS devices without Google's upcoming patch vulnerable to this attack?

Watermelon

PolarOctopus Based on this website, I can see three vulnerabilities involved here, with the third one being independent:

matchboxbananasynergy Therefore, it is possible that people who are using the security preview releases are already protected from this.

NoahRaketic Are GrapheneOS devices without Google's upcoming patch vulnerable to this attack?

I didn't see the aforementioned CVE in the list of additional CVEs that the security preview releases fix, so I don't think it's fixed at all for now?

alwaysprotected

Watermelon

Google likely included it in the december Pixel Update.
The graphene security preview releases dont contain the monthly pixel updates in advance.

GrapheneOS

alwaysprotected They haven't come close to making the monthly Pixel update for December 2025 yet. They're talking about the December monthly security bulletin. Note that there are often multiple CVEs to refer to something regarded publicly as 1 vulnerability when there are multiple cases of it fixed separately and/or it's fixed in multiple phases.

Watermelon CVE-2025-48561 is listed as fixed in https://source.android.com/docs/security/bulletin/2025-09-01 and subsequent patches for fixing additional issues not covered by that will not use the same CVE. The CVE refers to the specific patch they made in the September 2025 bulletin. There are separate CVEs for other fixes. If a patch only partially fixes an issue or doesn't fix it properly, they use additional CVEs for the additional patches. You're drawing an incorrect conclusion.

Spleendid

Oh, thats some pretty bad CVE for people who uses NON FOSS apps. Any app could implement this and wreck havoc on the security and privacy of the OS.

NetRunner88

Spleendid
Even foss apps can do that especially those coming from fdroid

PolarOctopus

It sounds like there will be a further fix to this in the December security patches, according to https://9to5google.com/2025/10/14/google-patched-pixnapping-attack-further-fix-december-update/

23Sha-ger

This can be mitigated by having sensitive apps (like 2FA apps, Authenticators) on a separate profile.
Since the attack requires sending crafted intents to the target (sensitive) app.

BuffaloStance

23Sha-ger

Switching profiles and then back again in time to input the code would be cumbersome at best.

GrapheneOS

mmobder mmobder It's disabled by default, but the page for choosing to explicitly enable or disable it has it toggled on by default since that's the recommendation. If someone ignores the notification, it remains disabled since that's the default. People are pushed to choose either enabled or disabled since the notification will come back until they choose either one and press save, or until they set it explicitly in the update settings. It shows the notification opening the activity to choose for everyone who hasn't set it explicitly. New users get the page in the Setup Wizard where they have to choose to proceed. People can change what they chose later on via the update settings.

Watermelon

GrapheneOS Watermelon CVE-2025-48561 is listed as fixed in https://source.android.com/docs/security/bulletin/2025-09-01 and subsequent patches for fixing additional issues not covered by that will not use the same CVE. The CVE refers to the specific patch they made in the September 2025 bulletin. There are separate CVEs for other fixes. If a patch only partially fixes an issue or doesn't fix it properly, they use additional CVEs for the additional patches. You're drawing an incorrect conclusion.

I didn't know the failed fix was already committed and part of the September bulletin. It sounded like it wasn't, so I didn't check it. Thanks

« Previous Page