Our security preview releases have provided the December 2025 security patches for the Android Open Source Project since September 2025. December 2025 security patches are now public and being integrated into our regular releases while our security previews have up to March 2026.
A bunch of the patches previously scheduled for December 2025 were made optional and deferred to future months so they're not listed in the public bulletin. That's why even our September 2025 security preview releases list CVEs which are still not public in December 2025.
The reason patches get deferred is because OEMs aren't capable of quickly integrating, testing and shipping patches. When issues are identified including an OEM having trouble with it, they'll often defer it to a future month. Our security previews can continue shipping these.
GrapheneOS is the only Android-based OS providing the full security preview patches. Samsung ships a small subset of their flagship devices. Pixel stock OS gets a portion of it early but we aren't sure exactly how much since they don't follow their guidelines for listing patches.
Providing our security preview patches is a lot of work for us. It requires a full time developer spending a significant fraction of their time on it. It's hard to understand why large companies can't keep up with these patches but what matters is that we can provide them early.
Android security preview patches are currently backports to Android 13, 14, 15 and 16. Since GrapheneOS is based on Android 16 QPR1, we need to forward port the patches from 16 to 16 QPR1. Our understanding is they're going to start backporting to some quarterly releases too.
Android 16 QPR2 appears to be the first quarterly release of Android which is going to be shipped by non-Pixel devices. If that's the case, they'll need to start providing security preview patches backported to it too. It's not clear if it will happen for every quarterly release.
Spending a significant amount of time on this is part of the reason GrapheneOS feature development has slowed down. Expanding our servers and now migrating away from OVH is another. We'll be hiring more people and improving our organization structure to get things moving better.
We would greatly prefer it if patches were disclosed to OEMs 1 week ahead instead of 2-4 months ahead so our security preview releases would only need to exist for a week and regular releases would get the patches much faster. OEMs should just hire far more people and do better.
@GrapheneOS thank you all for doing this work. I will use this as my reminder to donate to the project now
@GrapheneOS Thanks for the great work!
@GrapheneOS I am not sure I understand the consequences: you distribute security updates a few months before the public release?
@DanielDNK A more accurate way to put it is that the March 2026 security patches were available in November 2025 to be shipped early and we did that. Most OEMs are going to ship them in March 2026 while some OEMs such as Fairphone tend to take an additional 1-2 months beyond that to ship it. The dates corresponding to the patches are the date for the regular scheduled release but most is available to ship 3-4 months earlier. By around 2 months ahead, it's near finalized. 1 month is finalized.
@GrapheneOS OK, but I understand that is not public, so it means the last release with the March security patch is not open source anymore, only old ones are?
@DanielDNK We have the sources for the patches, but the sources aren't allowed to be published until the public disclosure. That's a bit more complex than it sounds because they often defer patches to future months but still allow shipping them for the current month. We aren't sure if we're allowed to publicly disclose it on the original disclosure date or if we have to wait. Based on what they do for AOSP quarterly and yearly releases, it should be okay to publish it on the original date.
@GrapheneOS @DanielDNK May I ask how you obtain the source? Are you registered as an OEM at Google?
@Roxxor GrapheneOS has partnered with an OEM, and they have signed an NDA with that company. They are allowed to build OS releases with that code, but they can't release the code before Google's embargo ends.
@Andromxda Is the OEM known?
@Roxxor It's public information, but the GrapheneOS team wants to wait before broadly announcing it.
@GrapheneOS How many people are currently working for GOS?
@GrapheneOS I finally brought my brother to GrapheneOS. The third person I was able to move away from stock software 😃
@GrapheneOS You are the best. Thanks for sharing and please keep up the extraordinary work.