We ported the Android 16 security preview patches to 16 QPR1. 2025111801 is our first 16 QPR1 with December 2025, January 2026, February 2026 and March 2026 ASB patches:

grapheneos.org/releases#202511…

We'll fix a few more QPR1 regressions and then it should be able to reach Stable.

We were contacted by a journalist at Le Parisien newspaper with this prompt:

I am preparing an article on the use of your secure personal data phone solution by drug traffickers and other criminals. Have you ever been contacted by the police?

Are you aware that some of your clients might be criminals? And how does the company manage this issue?

Absolutely no further details were provided about what was being claimed, who was making it or the basis for those being made about it. We could only provide a very generic response to this.

Our response was heavily cut down and the references to human rights organizations, large tech companies and others using GrapheneOS weren't included. Our response was in English was translated by them: "we have no clients or customers" was turned into "nous n’avons ni clients ni usagers", etc...

GrapheneOS is a freely available open source privacy project. It's obtained from our website, not shady dealers in dark alleys and the "dark web". It doesn't have a marketing budget and we certainly aren't promoting it through unlisted YouTube channels and the other nonsense that's being claimed.

GrapheneOS has no such thing as the fake Snapchat feature that's described. What they're describing appears to be forks of GrapheneOS by shady companies infringing on our trademark. Those products may not even be truly based on GrapheneOS, similar to how ANOM used parts of it to pass it off as such.

France is an increasingly authoritarian country on the brink of it getting far worse. They're already very strong supporters of EU Chat Control. Their fascist law enforcement is clearly ahead of the game pushing outrageous false claims about open source privacy projects. None of it is substantiated.

iodéOS and /e/OS are based in France. iodéOS and /e/OS make devices dramatically more vulnerable while misleading users about privacy and security. These fake privacy products serve the interest of authoritarians rather than protecting people. /e/OS receives millions of euros in government funding.

Those lag many months to years behind on providing standard Android privacy and security patches. They heavily encourage users to use devices without working disk encryption and important security protections. Their users have their data up for grabs by apps, services and governments who want it.

There's a reason they're going after a legitimate privacy and security project developed outside of their jurisdiction rather than 2 companies based in France within their reach profiting from selling 'privacy' products.

discuss.grapheneos.org/d/24134…

Here's that article:

archive.is/AhMsj

The team have ported all security preview patches to Android 16 QPR1 now & plan to start building an initial SP release soon.

We don't plan on moving an A16 QPR1 release to Beta channel until its available, yet either may still have issues preventing progression regardless.

Changes in version 142.0.7444.171.0:

• update to Chromium 142.0.7444.171

A full list of changes from the previous release (version 142.0.7444.158.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 142.0.7444.158.0...142.0.7444.158.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Following our experimental releases, this is our first non-experimental release based on Android 16 QPR1, the first quarterly release of Android 16. Android 16 QPR1 was pushed to the Android Open Source Project on November 11 rather than September 3 as expected. This is a very large quarterly release with more prominent user-facing improvements than Android 16 provided compared to Android 15 QPR2.

Tags:

• 2025111800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025110800 release:

• rebased onto BP3A.250905.014 Android Open Source Project release (Android 16 QPR1)
• Terminal (virtual machine management app): re-enable GUI support now that the surfaceflinger crashes are resolved upstream by Android 16 QPR1
• adevtool: massive overhaul entirely replacing the small remnants of the Pixel device trees to fix several regressions introduced since Android 16 such as charging mode booting into the regular OS and to prepare for adding 10th gen Pixel devices via automated device support without any need for device trees to use as a reference
• adevtool: switch to obtaining Android 16 QPR1 backports from the latest November releases for relevant Pixels (there are no security patches listed for the Android or Pixel bulletins and not all Pixels received the tiny release)
• kernel (6.12): update to latest GKI LTS branch revision
• raise declared patch level to 2025-11-05 which has already been provided in GrapheneOS since our regular 2025090200 release (not a security preview) since the patches were included in the September security preview and were then pushed to AOSP despite not being listed in the bulletin along with there being no Pixel Update Bulletin patches for November 2025
• Vanadium: update to version 142.0.7444.158.0

Creating a security preview release on top of the new Android 16 QPR1 release is still in progress and will be available soon. For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Releases of GrapheneOS based on Android 16 QPR1 are available for public testing. These are highly experimental and aren't being pushed out via the Alpha channel yet. Join our testing chat room if you have a spare device you can use to help with testing.

grapheneos.org/contact#communi…

We've resolved all the major regressions reported during testing of our experimental 2025111700 release based on Android 16 QPR1. Our upcoming 2025111800 release will likely be our initial production release based on Android 16 QPR1. It should reach our Alpha and Beta channels.

We're aware a small company which wanted to partner with us but was unable to meet our security requirements has been attacking GrapheneOS with misinformation and libel since November 12. We'll write detailed a response to it once our port to Android 16 QPR1 is shipped to Stable.

They launched a device using a fork of LineageOS without standard privacy and security patches or protections. Their launch announcement goes out of the way to attack GrapheneOS with inaccurate claims. They doubled down on it on several forums where they got a negative response.

We have a serious OEM partnership with a large company actively working on implementing MTE and the rest of what we need. We need a proper secure device which can be refreshed yearly as a replacement for Pixels. We're not going to abandon properly protecting users to provide it.

Our focus is Android 16 QPR1, then Android 16 QPR1 security preview releases with all the current December 2025 / January 2026 / February 2026 / March 2026 patches and finally support for all four Pixel 10 models. We can find time to debunk another falsely marketed product too.

Companies marketing phones as being private while lacking basic privacy patches and protections clearly feel very threatened by GrapheneOS. Completely unprovoked attacks on us including linking harassment content is a bold launch strategy for a product asking people to trust it.

Check out the interview with @GrapheneOS's very own @metr0pl3x community team moderator and project member featured on David Bombal's latest video!

youtu.be/eUEtc6gblK0

Thanks for doing this David and Metroplex!

Do you have 2 minutes?

Please consider nominating GrapheneOS and Accrescent (submit the form once for each) for the 2025 Proton Lifetime Fundraiser.

Direct link to form: form.typeform.com/to/XixQrG8Q

Learn more about the fundraiser: proton.me/blog/lifetime-fundra…

#grapheneOS #opensource #accrescent #android

Help us choose recipients for our 2025 Lifetime Account Charity Fundraiser!

Join Proton’s 2025 Lifetime Fundraiser and help decide which organizations receive grants supporting privacy, free speech, and human rights.

^{Irina Marcopol (Proton)}

Thursday, November 13, 2025 - Proton Foundation has launched their 8th edition Lifetime Fundraiser:

Since 2018, the Proton community has helped raise more than $4 million in direct grants to over 40 organizations defending privacy, free speech, and human rights.

Help us choose recipients for our 2025 Lifetime Account Charity Fundraiser!

• Deadline to nominate organizations: November 24, 2025
• Raffle opens: December 16, 2025
• Raffle closes: January 5, 2026
• Winners announced: January 6, 2026

Now it’s time to choose this year’s beneficiaries. We’re asking you to nominate the organizations you believe are making a real difference. We’ll select 10 to receive support in the 2025 Proton Lifetime Account Charity Fundraiser.

The form direct link for the Tell us who to support page is located here:
form.typeform.com/to/XixQrG8Q

GrapheneOS has already received two donations through past Proton Foundation fundraising campaigns.
For more details, see: discuss.grapheneos.org/d/28065

Donations are what fund our work on upcoming features and improvements to GrapheneOS, maintaining our current ones, and the upkeep of our infrastructure.

Forum: discuss.grapheneos.org/d/28065
Mastodon: grapheneos.social/@akc3n/11554…
Bluesky: bsky.app/profile/akc3n.bsky.so…

Help us choose recipients for our 2025 Lifetime Account Charity Fundraiser!

Join Proton’s 2025 Lifetime Fundraiser and help decide which organizations receive grants supporting privacy, free speech, and human rights.

^{Irina Marcopol (Proton)}

Another GrapheneOS feature from April 2023:

• Dialer: add modernized call recording implementation using modern Android storage (no files permission) [cont...]

grapheneos.org/releases#202304…

9to5google.com/2025/11/13/pixe…

Google is 'inspired' yet again by GrapheneOS.

We are so far ahead and this shows how far behind the curve Android 17 is with this, we had it implemented on Android 13 in May 2023.

androidauthority.com/android-1…

Our release for it:

grapheneos.org/releases#202305…

All the while damaging the innovators by refusing to whitelist the leading privacy and security focused OS and pushing the anti-competitive monopolistic Play Integrity API , GMS licensor protection racket.

Nothing new about what is being offered. Everything we've done and do is provided without strings FREE, while Google moves to make you opt-in to their platform for less robust provision or to make OEMS pay for it.

Android 17's new Contacts Picker is a game-changer for privacy

Android 17 may finally let you share only specific contacts with apps thanks to a new Contacts Picker tool. Here's how it may work.

^{Mishaal Rahman (Android Authority)}

Thursday, November 13, 2025 - Proton Foundation has launched their 8th edition Lifetime Fundraiser:

Since 2018, the Proton community has helped raise more than $4 million in direct grants to over 40 organizations defending privacy, free speech, and human rights.

Help us choose recipients for our 2025 Lifetime Account Charity Fundraiser!

• Deadline to nominate organizations: November 24, 2025
• Raffle opens: December 16, 2025
• Raffle closes: January 5, 2026
• Winners announced: January 6, 2026

Now it’s time to choose this year’s beneficiaries. We’re asking you to nominate the organizations you believe are making a real difference. We’ll select 10 to receive support in the 2025 Proton Lifetime Account Charity Fundraiser.

The form direct link for the Tell us who to support page is located here:
form.typeform.com/to/XixQrG8Q

GrapheneOS has already received two donations through past Proton Foundation fundraising campaigns.
For more details, see: discuss.grapheneos.org/d/28065

Donations are what fund our work on upcoming features and improvements to GrapheneOS, maintaining our current ones, and the upkeep of our infrastructure.

Forum: discuss.grapheneos.org/d/28065
Mastodon: grapheneos.social/@akc3n/11554…
Bluesky: bsky.app/profile/akc3n.bsky.so…

Help us choose recipients for our 2025 Lifetime Account Charity Fundraiser!

Join Proton’s 2025 Lifetime Fundraiser and help decide which organizations receive grants supporting privacy, free speech, and human rights.

^{Irina Marcopol (Proton)}

We received an ASN and IPv6 space for GrapheneOS from ARIN: AS40806 and 2602:f4d9::/40.

We've deployed 2 anycast IPv6 networks for our authoritative DNS servers to replace our existing setup: 2602:f4d9::/48 for ns1 and 2602:f4d9:1::/48 for ns2. BGP/RPKI setup is propagating.

We applied for an IPv4 /24 for ns2 via NRPM 4.10 and can apply for one for ns1 after we obtain that one.

Our ns1 network has New Jersey, Miami, Los Angeles, Seattle, Frankfurt and Singapore. Our ns2 network currently has New York, Las Vegas and Bern. We'll be expanding both.

This provides an overview of worldwide latency for our ns1 cluster via the Rage4 anycast service we currently use for IPv4+IPv6 with ns1:

ping6.ping.pe/2a05:b0c4:1::8

Here's ns1 via our own IPv6 /48:

ping6.ping.pe/2602:f4d9::1

Here's ns2 via our own IPv6 /48:

ping6.ping.pe/2602:f4d9:1::1

In the future, we plan to use these 2 anycast networks to provide recursive DNS resolvers as an option for our users. For now, it's only for the authoritative DNS used to provide other GrapheneOS services which is what DNS resolver servers query after the root and TLD servers.

ARIN gave us an IPv4 /24 based on our NRPM 4.10 request in under 24 hours. It's being announced from our ns2 network:

github.com/GrapheneOS/ns1.grap…

It will take a long time to propagate since the RPKI IRR/ROA data gets fetched via timed jobs rather than pushed hop-by-hop like BGP.

It cost us US$50 to register with ARIN as an organization and US$262.50/year paid in advance to become an 3X-Small network. It'll be US$525/year when we get a 2nd IPv4 since we'll get pushed into 2X-Small. 2X-Small covers IPv4 /22, i.e. 4x /24, which we can get via the waitlist.

We've deployed our IPv4 /24 and IPv6 /48 for ns2 in production to replace the IPv4-only anycast tunnel system it relied on before. It has somewhat better latency and significantly better reliability now. We're waiting a bit longer for production deployment of our ns1 IPv6 /48.

We need to choose a host in Singapore with IPv4+IPv6 BGP support to extend ns2 with a location in Asia. Once that's added, it will be good enough for our current needs. The subset of our dedicated/colocated update servers with BGP could be used as extra ns2 locations eventually.

Changes in version 142.0.7444.158.0:

• update to Chromium 142.0.7444.158

A full list of changes from the previous release (version 142.0.7444.138.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 142.0.7444.138.1...142.0.7444.158.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Tags:

• 2025110800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025110600 release:

• adevtool: fully automate handling SoC and radio firmware image backports, which resolves an issue with a version string mismatch in the previous release for the initial installation process which resulted in us cancelling the Stable channel release
• Vanadium: update to version 142.0.7444.138.1

All of the Android 16 security patches from the current December 2025, January 2026, February 2026 and March 2026 Android Security Bulletins are included in the 2025110801 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48631, CVE-2026-0006
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2025-22420, CVE-2025-22432, CVE-2025-26447, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634, CVE-2026-0005, CVE-2026-0007, CVE-2026-0008

2025110801 provides at least the full 2025-12-01 Android security patch level (a Pixel Update Bulletin for November 2025 hasn't been released could have fixes we don't get early, although it's likely empty) but will remain marked as providing 2025-11-01.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Changes in version 142.0.7444.138.1:

• revert our addition of Mullvad Leta since it's being shut down on November 27
• disable Chrome Tips cards for the New Tab Page as many are inappropriate for Vanadium due to the removal of Google service integration and other changes

A full list of changes from the previous release (version 142.0.7444.138.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 142.0.7444.138.0...142.0.7444.138.1 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Both of the November 2025 patches have been provided in our regular non-security-preview releases for over a month, so we've already had the 2025-11-05 Android security patch level for over a month. Our patch level is set based on providing both the Android and Pixel security patches, so we're leaving it at 2025-11-01 until the Pixel stock OS release and Pixel Update Bulletin are published. The stock Pixel OS also included both November 2025 patches in early September. We expect they made a 2nd October release to ship the November carrier changes and will make a release in mid-November with patches from future Android Security Bulletins.

Tags:

• 2025110600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025102800 release:

• raise declared patch level to 2025-11-01 which has already been provided in GrapheneOS since our regular 2025090200 release (not a security preview) since the patches were included in the September security preview and were then pushed to AOSP despite not being listed in the bulletin
• kernel (6.1): update to latest GKI LTS branch revision
• kernel (6.1): keep POSIX_MQUEUE disabled to avoid increasing attack surface
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.114
• kernel (6.12): update to latest GKI LTS branch revision
• adevtool: switch to obtaining Android 16 QPR1 backports from the latest October releases for 7th/8th/9th gen Pixels (6th gen Pixels did not have an October release) for very minor radio carrier configuration changes (no code changes)
• Settings: add 1 second delay for approving device admin activation to mitigate tapjacking (this matches the 1 second delay we add to both permission prompts and ADB authorization prompts which is currently not configurable)
• Vanadium: update to version 142.0.7444.138.0

All of the Android 16 security patches from the December 2025, January 2026, February 2026 and March 2026 Android Security Bulletins are included in the 2025110601 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48631, CVE-2026-0006
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2025-22420, CVE-2025-22432, CVE-2025-26447, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634, CVE-2026-0005, CVE-2026-0007, CVE-2026-0008

2025110601 provides at least the full 2025-12-01 Android security patch level (a Pixel Update Bulletin for November 2025 hasn't been released could have fixes we don't get early, although it's likely empty) but will remain marked as providing 2025-11-01.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Changes in version 142.0.7444.138.0:

• update to Chromium 142.0.7444.138

A full list of changes from the previous release (version 142.0.7444.48.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 142.0.7444.48.0...142.0.7444.138.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Both patches in the November 2025 Android Security Bulletin have been included since our September 2nd release. It's now known that our 2025090200 and later releases provided the 2025-11-05 Android security patch level early due to shipping extra patches.

source.android.com/docs/securi…

It's because these two patches were included in the full September 2025 bulletin patches we shipped but were made optional until November 2025.

Later in September, we started our security preview releases able to provide Android Security Bulletin patches around 2-3 months early.

Our security preview releases currently have the December 2025 and January 2026 patches.

December 2025 has a huge set of patches due to being a quarterly patch level. January 2026 will likely be empty.

We should have quarterly March 2026 patches to ship within a couple weeks.

Due to having early access to the patches which we can use for our security preview releases, we've been able to determine that a subset were pushed to AOSP and other projects prior to the official embargo ending which means we'll be including those in our regular releases soon.

Our security preview releases shipped all available December 2025 security patches in September 2025 and have continued adding the remaining patches. It should be frozen soon, but most of the patches have remained the same since September. Some were deferred to future bulletins.

The new security patch system being used by Android is confusing for users and bad for the security of anyone not using GrapheneOS with our security preview releases. We could have set the patch level string to 2025-11-01 in early September but in this case we didn't do that.

Tags:

• 2025102800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025102600 release:

• Sandboxed Google Play compatibility layer: temporarily limit system service override infrastructure added for GmsFontProvider shim to Pixel Camera to work around certain banking apps detecting it as tampering (we can change the approach to avoid this to enable it for all apps using the Google Play client libraries again, especially since we want to expand it to improve app compatibility without Play services installed)
• kernel (6.1): update to latest GKI LTS branch revision
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.112
• kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.53

All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025102801 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48593, CVE-2025-48631
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634

2025102801 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Tags:

• 2025102600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025102300 release:

• Sandboxed Google Play compatibility layer: add shim implementation of GmsFontProvider to prevent crashes of apps depending on Play services when it's missing or disabled (restores support for using Pixel Camera without Play services)
• Sandboxed Google Play compatibility layer: extend shim for background service starts to address edge cases where a foreground service is required
• Sandboxed Google Play compatibility layer: fix NoOpPrewarmService chain crash in Pixel Camera caused by lack of privileged OS integration
• kernel (6.6): update to latest GKI LTS branch revision
• Vanadium: update to version 142.0.7444.48.0

All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025102601 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48593, CVE-2025-48631
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634

2025100901 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Changes in version 101:

• fix a font preloading crash caused by the GmsFontProvider shim introduced in the previous release

A full list of changes from the previous release (version 100) is available through the Git commit log between the releases.

GmsCompatLib is a core component of the GrapheneOS sandboxed Google Play compatibility layer.

This update is available to GrapheneOS users via our app repository and and will be obsoleted by the next OS release including the changes in the base package.

Comparing lib-100...lib-101 · GrapheneOS/platform_packages_apps_GmsCompat

Contribute to GrapheneOS/platform_packages_apps_GmsCompat development by creating an account on GitHub.

^GitHub

Pixel Camera recently added a hard dependency on Google Play services. It still works on GrapheneOS, but started requiring sandboxed Google Play services.

GmsCompatLib version 100 for GrapheneOS 2025102300 or later restores support for Pixel Camera without Play services:

grapheneos.social/@GrapheneOS/…

Changes in version 100:

• add shim implementation of GmsFontProvider to prevent crashes of apps depending on Play services when it's missing or disabled (restores support for using Pixel Camera without Play services with recent Pixel Camera versions depending on it for this)
• extend shim for background service starts to address edge cases where a foreground service is required
• fix NoOpPrewarmService chain crash in Pixel Camera caused by lack of privileged OS integration

A full list of changes from the previous release (GrapheneOS version 2025102300) is available through the Git commit log between the releases.

GmsCompatLib is a core component of the GrapheneOS sandboxed Google Play compatibility layer.

This update is available to GrapheneOS users via our app repository and and will be obsoleted by the next OS release including the changes in the base package.

Comparing 2025102300...lib-100 · GrapheneOS/platform_packages_apps_GmsCompat

Contribute to GrapheneOS/platform_packages_apps_GmsCompat development by creating an account on GitHub.

^GitHub

While we greatly appreciate businesses seeing value in our work, selling devices with GrapheneOS preinstalled or being a business in the privacy/security space, recognising our users buying services/products, and so donating to us. GrapheneOS has no official direct affiliations.

Unless mentioned by the project account no team members make any recommendations on behalf of the project for any app/product/service, any that may be linked, are personal recommendations or just to make users aware they exist for them to decide for themselves.

Changes in version 142.0.7444.48.0:

• update to Chromium 142.0.7444.48
• allow registration of passkeys regardless of residentKey value

A full list of changes from the previous release (version 141.0.7390.122.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 141.0.7390.122.0...142.0.7444.48.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Tags:

• 2025102300 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025102200 release:

• fix signing the GmsCompatLib package with a dedicated cross-device key, which was added in the last release but wasn't being replaced by a release key and blocked moving the last release past Alpha
• kernel (6.12): update to latest GKI LTS branch revision

All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025102301 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48593, CVE-2025-48631
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634

2025100901 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Tags:

• 2025102200 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025100900 release:

• adevtool: add satellite eSIM overlays to avoid the special Skylo eSIM on 9th/10th gen Pixels being listed as a regular eSIM and being possible to erase with the regular eSIM erase functionality
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.111
• kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.52
• System Updater: prevent reboot and security preview notifications from timing out after 3 days which is standard behavior since Android 15 QPR1
• System Updater: mark notification permission as fixed to prevent disabling overall notifications, but enable blocking progress, failure and already up to date notification channels
• Sandboxed Google Play compatibility layer: add support for overriding BinderProxy transactions
• Sandboxed Google Play compatibility layer: add support for out-of-band updates to GmsCompatLib
• Vanadium: update to version 141.0.7390.111.0
• Vanadium: update to version 141.0.7390.122.0
• raise emulator super / dynamic partition size due to reaching the limit in some cases
• adevtool: prefer prebuilt AOSP JDK 21

All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025102201 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48593, CVE-2025-48631
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48555, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629, CVE-2025-48630, CVE-2025-48632, CVE-2025-48633, CVE-2025-48634

2025100901 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Changes in version 141.0.7390.122.0:

• update to Chromium 141.0.7390.122

A full list of changes from the previous release (version 141.0.7390.111.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 141.0.7390.111.0...141.0.7390.122.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

When not using Google Play services (e.g. #GrapheneOS, #LineageOS users), #Signal can be a real battery drain. @mollyim with @unifiedpush on the other hand is extremely battery efficient.

Here's how to set this up, using #Nextcloud as the UnifiedPush provider: kroon.email/site/en/posts/moll…

Changes in version 141.0.7390.111.0:

• update to Chromium 141.0.7390.111
• enable origin keyed processes by default for improved site isolation sandboxing
• drop unnecessary code related to our search engine changes
• replace enabling local network checks feature in Vanadium Config via the browser again (this was enabled upstream so we dropped our patch but then they disabled it again which we dealt with via Vanadium Config)

A full list of changes from the previous release (version 141.0.7390.70.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Comparing 141.0.7390.70.0...141.0.7390.111.0 · GrapheneOS/Vanadium

Privacy and security enhanced releases of Chromium for GrapheneOS. Vanadium provides the WebView and standard user-facing browser on GrapheneOS. It depends on hardening in other GrapheneOS reposito...

^GitHub

Our security preview releases provide early access to Android Security Bulletin patches prior to the official disclosure. Our current security preview releases provide the current revision of the November 2025 and December 2025 patches for the Android Open Source Project. We recommend enabling this.

The only difference between our regular releases and security preview releases are the future Android Security Bulletin patches being applied with any conflicts resolved. The downside of security preview releases is we cannot provide the sources for the patches until the official disclosure date.

The delay for being able to publish the sources is why we're now going through the significant effort of building 2 variants of each release. Our most recent 3 releases have both a regular and security preview variant:

2025092500 and 20250925012025092700 and 20250927012025100300 and 2025100301

You can enable security preview releases via Settings > System > System update > Receive security preview releases.

Our plan is to keep it off-by-default with a new page added to the Setup Wizard which will have it toggled on as a recommendation. We'll prompt users on existing installs to choose.

We're maintaining the upcoming Android security patches in a private repository where we've resolved the conflicts. Each of our security preview releases is tagged in this private repository. Our plan is to publish what we used once the embargo ends, so it will still be open source, but delayed.

The new security update Android is using provides around 3 months of early access to OEMs with permission to make binary-only releases from the beginning. As far as we know, GrapheneOS is the first to take advantage of this and ship the patches early. Even the stock Pixel OS isn't doing this yet.

During the initial month, many patches are added or changed. By around the end of the month, the patches are finalized with nothing else being added or changed. Our 2025092500 release was made on the day the December 2025 patches were finalized, but we plan to ship the March 2026 patches earlier.

Previously, Android had monthly security patches with a 1 month embargo not permitting early releases. For GrapheneOS users enabling security preview releases, you'll get patches significantly earlier than before. We'd greatly prefer 3 day embargoes over 3 month embargoes but it's not our decision.

Security preview releases currently increment the build date and build number of the regular release by 1. You can upgrade from 2025100300 to 2025100301 but not vice versa. For now, you can switch back to regular releases without reinstalling such as 2025092701 to 2025100300, but this may change.

One of the changes in this release should result in Google Messages RCS working for users receiving a verification error caused by Play Store checking for an emulator with an easy to bypass check. It was already working for many users without this but this should get it working for everyone else.

Tags:

• 2025100900 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025100300 release:

• raise security patch level to 2025-10-05 since it's already provided without applying any additional patches
• System Updater, Setup Wizard: integrate support for recommending opting into security preview releases during the initial Owner user setup and for existing users via a persistent notification which is disabled after making an explicit choice on whether to use security preview releases (this is necessary to inform all users about the option with an explicit choice)
• Settings: add support for forcing VoWiFi availability
• Settings: improve the carrier configuration override by improving the summaries, adding detailed descriptions and using clarifying the options force features to be available since there are also toggles for directly enabling/disabling the features in the main SIM settings screen
• Sandboxed Google Play compatibility layer: fix a Google Messages RCS compatibility issue by removing the error string for the missing privileged permission from SurfaceFlinger::doDump() to make a DroidGuard check pass
• Sandboxed Google Play compatibility layer: make Play Store ignore app auto-install config
• Sandboxed Google Play compatibility layer: fix Build.getSerial() shim to fix an Android Auto issue
• Sandboxed Google Play compatibility layer: add stub for TelephonyManager.getImei()
• Sandboxed Google Play compatibility layer: add stub for Window.setHideOverlayWindows() to replace reliance on a feature flag override via GmsCompatConfig
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.155
• update test suite to handle our carrier overrides support
• Vanadium: update to version 141.0.7390.70.0
• Camera: update to version 90

All of the Android 16 security patches from the current November 2025, December 2025 and January 2026 Android Security Bulletins are included in the 2025100901 security preview release. List of additional fixed CVEs:

• Critical: CVE-2025-48593
• High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32319, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48544, CVE-2025-48555, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48581, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48607, CVE-2025-48609, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621, CVE-2025-48622, CVE-2025-48626, CVE-2025-48628, CVE-2025-48629

CVE-2025-48595 was fixed in the regular GrapheneOS 2025100300 release and is no longer listed.

CVE-2025-48611 patch was retracted.

2025100901 provides at least the full 2025-11-01 patch level and the Android 2025-11-05 patch level (Pixel Update Bulletin could have fixes we don't get early) but will remain marked as providing 2025-10-05.

For detailed information on security preview releases, see our post about it.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Android Security Bulletin (ASB) for October 2025 is empty:

source.android.com/docs/securi…

However, you can see Samsung has a list of ASB patches for their October 2025 release exclusive to flagships:

security.samsungmobile.com/sec…

It's a small subset of the December 2025 patches.

Android now discloses patches around 3 months prior to their inclusion in a bulletin requiring them to raise the Android security patch level. However, OEMs are allowed to ship the patches as soon as they're receive. We're doing this in our security preview release, but with the full set of patches.

Our initial security preview release on September 25th with the November/December patches included 1 Critical severity patch and 54 High severity patches, which is the full subset applicable to Android 16. In the past couple days, 5 patches applicable to Android 16 were added and 1 was retracted.

December 2025 patches from the past couple days have been included and the January 2026 preview is now available.

Our next release coming today provides a choice to use our security preview releases in the initial setup wizard with a notification for existing users. Opting into it is recommended.

discuss.grapheneos.org/d/27068… provides more information on our security preview releases. The reason we're providing both regular and security preview releases is because we're required to wait to the embargo end date to publish the source code for the patches in the future bulletins.

GrapheneOS security preview releases - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

I give a fiver each month to the wonderful FOSS-type things below:

- Signal (killing Meta's WhatsApp)
- Libre Office (slaying Microsoft's 365)
- GrapheneOS (kicking Google Stock Android in the goolies)

If you use any of these - and you can afford to - why not set up a monthly dontation to the wonderful organisations above.

#Signal #LibreOffice #GrapheneOS #Meta #Microsoft #Google #WhatsApp #Android

@signalapp @GrapheneOS @libreoffice