The first Security Preview release of #GrapheneOS is now live and available to opt in. Android has scheduled monthly security patch releases. For security patches, Google assigns patches to be released in different months in the future, and then distributes them early to Android OEMs with a source code release embargo that lasts a month. This means that they fix certain vulnerabilities 3-4 months before an official publication date. This is problematic, as this is just a manual delay getting patches to users that can be taken advantage of by highly sophisticated threats. It is September 25th. There are security patches scheduled for December that aren't going to be released until then. By being able to opt in to a Security Preview you get such patches before everyone. We will still work to make early patching in the main release branch of GrapheneOS as we have done already. These are all brand new changes we have access to thanks to our new OEM partnership. To keep GrapheneOS open source and not delayed open source, this will strictly be opt-in and on a separate release channel. Do not opt in if you do not want that.

The Security Preview is for people:
- Who want patches immediately, without the traditional 1 month delay.
- Who want to perform security research / reverse engineering on the latest Android security patches.
Final
#GrapheneOS version 2025092500 and Security Preview 2025092501 released: This update adds more Android 16 QPR1 backports and the ability to opt in to Security Preview updates. The Security Preview update channel has very early full patches that are held under an embargo. The first Security Preview will contain extremely early security patches scheduled to be released in Android by December. The security preview provides patches for 55 (1 critical, 54 high) vulnerabilities.

Changes added to 2025092500:
- System Updater: add support for opting into security preview releases
- backport more cellular related code from Android 16 QPR1
- backport Pixel Wi-Fi extension APEX from Android 16 QPR1
- Vanadium: update to version 140.0.7339.207.0

Additional security patches from the November 2025 and December 2025 Android Security Bulletins are included in the 2025092501 security preview release.

List of additional fixed CVEs:

Critical: CVE-2025-48593

High: CVE-2022-25836, CVE-2022-25837, CVE-2023-40130, CVE-2024-43766, CVE-2025-22420, CVE-2025-22432, CVE-2025-32348, CVE-2025-48525, CVE-2025-48536, CVE-2025-48544, CVE-2025-48555, CVE-2025-48567, CVE-2025-48572, CVE-2025-48573, CVE-2025-48574, CVE-2025-48575, CVE-2025-48576, CVE-2025-48577, CVE-2025-48578, CVE-2025-48579, CVE-2025-48580, CVE-2025-48581, CVE-2025-48582, CVE-2025-48583, CVE-2025-48584, CVE-2025-48585, CVE-2025-48586, CVE-2025-48587, CVE-2025-48589, CVE-2025-48590, CVE-2025-48592, CVE-2025-48594, CVE-2025-48595, CVE-2025-48596, CVE-2025-48597, CVE-2025-48598, CVE-2025-48600, CVE-2025-48601, CVE-2025-48602, CVE-2025-48603, CVE-2025-48604, CVE-2025-48605, CVE-2025-48607, CVE-2025-48609, CVE-2025-48611, CVE-2025-48612, CVE-2025-48614, CVE-2025-48615, CVE-2025-48616, CVE-2025-48617, CVE-2025-48618, CVE-2025-48619, CVE-2025-48620, CVE-2025-48621

We're allowed to provide an early release with these patches and to list the CVEs but must wait until the embargo ends to publish sources or details on the patches.
We strongly disagree with broadly distributing patches to OEMs 3-4 months before the official publication date. It further delays getting patches to users and sophisticated attackers will have no issue getting the patches from one of many people at Android OEMs with early access. It should be limited to at most 7 days. The lack of actual secrecy has been acknowledged through Android limiting the embargo to source code and details which allows us to fix these early. We're doing it with separate opt-in releases to keep the regular releases properly open source instead of delayed open source. We plan to integrate this choice into the initial setup wizard. The positive side is that we can now provide patches to people who truly need them without even the previous 1 month embargo delay.

Replies (4)

You can consider the security patches to be quite stable. They're not feature changes. They will go through the Alpha/Beta/Stable release process. Since we have source access, fixes can be made to them too. They're separated because the source code cannot be released yet. It's simply a choice for those who want that super early patching now that we have access to this material through our OEM partner.
I'm hearing:
- pro: patches to known issues, early
- con: added element of 'trust' since source code cannot be reviewed* (yet)

I appreciate your responses, thank you.

*not that I've ever done this myself, no aptitude for that; I'm already 'trusting the community' to alert us if something nefarious makes it into the code; among those in the community, I've already decided to trust the GrapheneOS crew by installing it; therefore--if I'm being consistent--I have no reason not to opt in
Patches' source code will continue to be released in the months they are due to be released. If you wanted to get an early impression you'd need to reverse engineer and compare OS images with and without. It should be kept in mind that these patches are not for some new change from Google. They have and continue to release patches monthly and we'd put them in once they were released before. This is only available to us because now we have exclusive access. It's a bonus.