This release resolves 2 upstream Android VPN leaks discovered by GrapheneOS and our community testers. We aren’t aware of any other outbound Android VPN leaks when Private DNS is set to Off. Android’s Private DNS feature needs a significant overhaul for how it works with secondary profiles and VPNs.

Tags:

  • 2025072700 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, emulator, generic, other targets)

Changes since the 2025071900 release:

  • prevent using SO_BINDTODEVICE to bypass VPN lockdown mode (leak protection), resolving an upstream Android VPN leak discovered by GrapheneOS testers where code selects a specific network interface via a special system call to bypass the VPN
  • prevent using NsdService#connect for components restricted by VPN lockdown mode to prevent a very limited upstream Android local network VPN leak discovered by GrapheneOS
  • add workaround for upstream Android asynchronous dexopt bug causing concurrent installs of the same package to be handled incorrectly, which then causes crashes when attempting to uninstall
  • temporarily disable asynchronous pre-reboot OS update app optimization (dexopt) added in Android 16 to avoid the Finalizing step completing before apps are recompiled, which can cause a very long initial boot of the new OS version if the user reboots before the background app optimization completes (this will not apply to updating to this release, only to updating from this release to future releases)
  • MediaMetadata: fix upstream Android bug by using shared bitmaps to avoid serialized metadata going beyond the Binder transaction size limit and causing system service failures including Bluetooth service crashes (this issue existed prior to Android 16)
  • Sandboxed Google Play compatibility layer: revert change for dropping phenotype flag overrides before applying new ones since it can cause flag values to be set inconsistently due to a race
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.146
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.99
  • AppCompatConfig: update to version 4
  • GmsCompatConfig: update to version 160
  • Vanadium: update to version 138.0.7204.168.0
  • Vanadium: update to version 138.0.7204.168.1