Tags:

• 2025122500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, emulator, generic, other targets)

Changes since the 2025121700 release:

• restore support for bypassing carriers disallowing choosing the cellular network mode (this was lost in a recent major version migration such as the port to Android 16 QPR1 but we aren't sure exactly when it regressed)
• remove poorly designed upstream end session button on the lockscreen (it remains available in the power menu)
• enable feature flag for new upstream end session button in the user switcher
• switch to vendor files from 2nd December 2025 release (BP4A.251205.006.E1) for devices with it available
• enable lockscreen widget support
• fix upstream system_server crash in NotificationHistoryProtoHelper
• Wi-Fi HAL: ignore debug logging requests on all Pixels with MTE support to avoid a crash from detecting an invalid memory access in the upstream code
• Sandboxed Google Play compatibility layer: add support for redirecting Google Play location service requests from within Google Play services itself which means the GrapheneOS provided network location will work for internal Play services features such as Google Maps location sharing when redirecting to the OS is enabled (which is the default) and the Location permission is granted to it
• Sandboxed Google Play compatibility layer: force redirecting Google Play location service requests from within Google Play services and Android Auto when the Location permission is disabled for better error handling (neither properly handles the Location permission not being granted since it's always granted on any Google Mobile Services OS in practice instead of being explicitly opt-in)
• Sandboxed Google Play compatibility layer: fix a compatibility issue with the Chromium test suite
• Network Location: improve position estability accuracy and stability
• Network Location: prevent potential division by zero exception
• Network Location: improve experimental Wi-Fi RTT support which is still disabled in production
• kernel (6.1): update to latest GKI LTS branch revision
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.119
• kernel (6.6): disable CONFIG_TLS to reduce attack surface
• kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.63
• kernel (6.12): disable CONFIG_TLS to reduce attack surface
• include configuration for thermometer on 10th gen Pixels
• adevtool: auto-detect filesystem image type (ext4 vs. EROFS)
• adevtool: add support for canary builds
• adevtool: improve performance
• remove obsolete workaround for using a prebuilt recovery extension

All of the Android 16 security patches from the current January 2026, February 2026, March 2026, April 2026, May 2026 and June 2026 Android Security Bulletins are included in the 2025121701 security preview release. List of additional fixed CVEs:

• High: CVE-2025-32348, CVE-2025-48561, CVE-2025-48630, CVE-2025-48641, CVE-2025-48642, CVE-2025-48644, CVE-2025-48645, CVE-2025-48646, CVE-2025-48649, CVE-2025-48652, CVE-2025-48653, CVE-2026-0014, CVE-2026-0015, CVE-2026-0016, CVE-2026-0017, CVE-2026-0018, CVE-2026-0020, CVE-2026-0021, CVE-2026-0022, CVE-2026-0023, CVE-2026-0024, CVE-2026-0025

2025121701 provides at least the full 2026-01-01 Android and Pixel security patch level but will remain marked as providing 2025-12-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}