meowijuana See: https://discuss.grapheneos.org/d/30743-pixel-9-0-click-exploit-chain-reported-by-project-zero/2
We've never listed out the CVEs addressed by Android Security Bulletins or Pixel Update Bulletins but rather document those updates in the release notes. CVE-2025-54957 was fixed in the 2025-12-05 Pixel security patch level which was shipped when we moved to the December 2025 driver/HAL/firmware code in December 2025. If you want to know when the others were fixed, please search for them.
The security preview releases are only for Android Open Source Project patches being shipped early and only document the CVEs fixed early in the security preview releases, not the regular releases. There are similarly no CVEs listed for Linux kernel updates, SQLite updates, etc. but rather the update is listed. Android issues we fix ourselves don't have a CVE in the release notes either. You seem to be under the wrong impression that it's the norm for a CVE to be listed in the release notes due to that being how the set of security preview patches is applicable to GrapheneOS are listed in the security preview release notes. Security preview releases notes are a special thing and are not applicable to regular releases.