GrapheneOS releases
grapheneos.org
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.

Upgrading this release from a release not yet based on Android 17 requires using the standard over-the-air update system rather than ADB sideload. For users who only update via ADB sideload, we’ll be releasing a special Android 16 QPR2 release with a backported fix for the upstream Android bug causing the issue. This bug also exists in the Pixel OS for both Android 16 QPR3 and Android 17 too but it bypasses it through being bloated enough to always trigger a fallback path. We confirmed adding a 1GiB randomly generated file to GrapheneOS would bypass the issue similarly to the stock Pixel OS but we’ll be fixing the issue instead.

Tags:

  • 2026062100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026061800 release:

  • disable MTE for Widevine Rikers service since it’s incompatible with it (issue predates Android 17)
  • Sandboxed Google Play compatibility layer: avoid opening extra file descriptions to obtain Play services data prefix paths to avoid a compatibility issue with anti-tampering code used by the Kia Connect app and likely others (issue predates Android 17)
  • separate GrapheneOS framework resource IDs from AOSP resource IDs to avoid incompatibilities with Pixel vendor components (issue predates Android 17)
  • kernel (Pixel 10): fix for an upstream Broadcom Wi-Fi bcm4383 driver memory corruption bug to avoid invalid memory accesses caught by the kernel hardware memory tagging enabled by GrapheneOS
  • disable UBLK feature flag for over-the-air updates due to it likely causing update reliability issues for devices with support for it (6.6 kernel or newer)
  • disable UBLK for generated over-the-air update packages to force disable it for updates from the initial Android 17 release
  • increase the maximum size of log events in production builds to match debug builds to avoid the kernel panic message and traceback being cut off
  • use DevicePolicyManager.MAX_PASSWORD_LENGTH PIN length limit for the new upstream SystemUI PIN user interface for entering the PIN outside of the lockscreen to fix support for the expanded limit of 128 on GrapheneOS instead of using Android’s limit of 16 (this didn’t apply to passwords and it was straightforward to work around it by changing the PIN to a password)
  • Settings: show night light settings even when Pixel Comfort View is enabled since we’re missing the settings for it (currently only relevant to the 10th gen Pixels other than the Pixel 10a)
  • allow using the new flashlight quick tile while locked (GrapheneOS requires unlocking by default for system quick tiles)
  • SystemUI: avoid crashing when trying to edit a screen recording without a video editor app
  • fix upstream bug causing the security scan in the Settings app to take much longer in Android 17 (also impacts the stock OS)
  • fix compatibility issue breaking resetting permissions for apps with special-runtime permissions (Nearby Devices is now split to have Local Network access enabled by default for compatibility for apps not targeting Android 17 and there are bugs with how this is handled)
  • Launcher: remove quick search bar from showing on large display devices since Android 17
  • Launcher: remove space reserved for the quick search bar since Android 17
  • add Pixel Comfort View settings for supported devices (Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold)
  • add back error message for entering an incorrect 2nd factor PIN for the GrapheneOS 2-factor fingerprint unlock feature
  • fix compatibility with the native zygote spawning system added by Android 17 which isn’t enabled yet (this was added to provide more lightweight sandboxed renderer processes for Chromium and will benefit Vanadium even more due to having finer-grained process isolation but isn’t used by Chromium/Chrome yet and our secure spawning will need to be ported to it)
  • GmsCompatConfig: update to version 171

All of the Android 17 security patches from the current July 2026, August 2026, September 2026, October 2026, November 2026 and December 2026 Android Security Bulletins are included in the 2026062101 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-28591, CVE-2026-28604, CVE-2026-28639, CVE-2026-28662, CVE-2026-28666, CVE-2026-45515, CVE-2026-45531
  • High: CVE-2025-22442, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-28582, CVE-2026-28584, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28622, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28630, CVE-2026-28631, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28638, CVE-2026-28643, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28664, CVE-2026-28665, CVE-2026-28667, CVE-2026-28668, CVE-2026-28671, CVE-2026-45513, CVE-2026-45514, CVE-2026-45516, CVE-2026-45517, CVE-2026-45518, CVE-2026-45519, CVE-2026-45520, CVE-2026-45521, CVE-2026-45523, CVE-2026-45524, CVE-2026-45525, CVE-2026-45527, CVE-2026-45528, CVE-2026-45529, CVE-2026-49880
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.