GrapheneOS version 2026062100 released - Mander
> Upgrading this release from a release not yet based on Android 17 requires using the standard over-the-air update system rather than ADB sideload. For users who only update via ADB sideload, we’ll be releasing a special Android 16 QPR2 release with a backported fix for the upstream Android bug causing the issue. This bug also exists in the Pixel OS for both Android 16 QPR3 and Android 17 too but it bypasses it through being bloated enough to always trigger a fallback path. We confirmed adding a 1GiB randomly generated file to GrapheneOS would bypass the issue similarly to the stock Pixel OS but we’ll be fixing the issue instead.
>
> Tags:
>
> - 2026062100 [https://github.com/GrapheneOS/platform_manifest/releases/tag/2026062100] (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)
>
> Changes since the 2026061800 release:
>
> - disable MTE for Widevine Rikers service since it’s incompatible with it (issue predates Android 17)
> - Sandboxed Google Play compatibility layer: avoid opening extra file descriptions to obtain Play services data prefix paths to avoid a compatibility issue with anti-tampering code used by the Kia Connect app and likely others (issue predates Android 17)
> - separate GrapheneOS framework resource IDs from AOSP resource IDs to avoid incompatibilities with Pixel vendor components (issue predates Android 17)
> - kernel (Pixel 10): fix for an upstream Broadcom Wi-Fi bcm4383 driver memory corruption bug to avoid invalid memory accesses caught by the kernel hardware memory tagging enabled by GrapheneOS
> - disable UBLK feature flag for over-the-air updates due to it likely causing update reliability issues for devices with support for it (6.6 kernel or newer)
> - disable UBLK for generated over-the-air update packages to force disable it for updates from the initial Android 17 release
> - increase the maximum size of log events in production builds to match debug builds to avoid the kernel panic message and traceback being cut off
> - use DevicePolicyManager.MAX_PASSWORD_LENGTH PIN length limit for the new upstream SystemUI PIN user interface for entering the PIN outside of the lockscreen to fix support for the expanded limit of 128 on GrapheneOS instead of using Android’s limit of 16 (this didn’t apply to passwords and it was straightforward to work around it by changing the PIN to a password)
> - Settings: show night light settings even when Pixel Comfort View is enabled since we’re missing the settings for it (currently only relevant to the 10th gen Pixels other than the Pixel 10a)
> - allow using the new flashlight quick tile while locked (GrapheneOS requires unlocking by default for system quick tiles)
> - SystemUI: avoid crashing when trying to edit a screen recording without a video editor app
> - fix upstream bug causing the security scan in the Settings app to take much longer in Android 17 (also impacts the stock OS)
> - fix compatibility issue breaking resetting permissions for apps with special-runtime permissions (Nearby Devices is now split to have Local Network access enabled by default for compatibility for apps not targeting Android 17 and there are bugs with how this is handled)
> - Launcher: remove quick search bar from showing on large display devices since Android 17
> - Launcher: remove space reserved for the quick search bar since Android 17
> - add Pixel Comfort View settings for supported devices (Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold)
> - add back error message for entering an incorrect 2nd factor PIN for the GrapheneOS 2-factor fingerprint unlock feature
> - fix compatibility with the native zygote spawning system added by Android 17 which isn’t enabled yet (this was added to provide more lightweight sandboxed renderer processes for Chromium and will benefit Vanadium even more due to having finer-grained process isolation but isn’t used by Chromium/Chrome yet and our secure spawning will need to be ported to it)
> - GmsCompatConfig: update to version 171 [https://github.com/GrapheneOS/platform_packages_apps_GmsCompat/releases/tag/config-171]
>
> All of the Android 17 security patches from the current July 2026, August 2026, September 2026, October 2026, November 2026 and December 2026 Android Security Bulletins are included in the 2026062101 security preview release. List of additional fixed CVEs:
>
> - Critical: CVE-2026-28591, CVE-2026-28604, CVE-2026-28639, CVE-2026-28662, CVE-2026-28666, CVE-2026-45515, CVE-2026-45531
> - High: CVE-2025-22442, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-28582, CVE-2026-28584, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28622, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28630, CVE-2026-28631, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28638, CVE-2026-28643, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28664, CVE-2026-28665, CVE-2026-28667, CVE-2026-28668, CVE-2026-28671, CVE-2026-45513, CVE-2026-45514, CVE-2026-45516, CVE-2026-45517, CVE-2026-45518, CVE-2026-45519, CVE-2026-45520, CVE-2026-45521, CVE-2026-45523, CVE-2026-45524, CVE-2026-45525, CVE-2026-45527, CVE-2026-45528, CVE-2026-45529, CVE-2026-49880
> - Unclassified: CVE-2026-28653
>
> For detailed information on security preview releases, see our post about it [https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases].