GrapheneOS hit #1 on Hacker News today with 498 points for exposing an uncomfortable truth: it’s the only Android OS providing complete security patches from the Android Security Bulletin. While Google’s December 2025 bulletin patches over 100 vulnerabilities including two actively exploited zero-days, most Android vendors—including Google itself for standard Pixels—cherry-pick patches or delay them for months. Moreover, GrapheneOS not only provides all December 2025 patches right now, but also ships security preview releases with January through March 2026 patches months before official disclosure. The revelation raises a critical question: if a small non-profit can do it, why can’t billion-dollar corporations?
December 2025: Active Exploitation Happening Now
Google’s December 2025 Android Security Bulletin isn’t just another monthly update. It patches 107 vulnerabilities, including four critical kernel issues and two actively exploited zero-days—CVE-2025-48633 and CVE-2025-48572. These aren’t theoretical risks: attackers are using them right now to achieve information disclosure and privilege escalation on Android 13-16 devices.
The bulletin covers 31 Framework vulnerabilities, 6 critical kernel issues, and 11 system components, with third-party patches from Arm, MediaTek, Qualcomm, and others. Most devices need security patch level 2025-12-05 or later for complete protection. Here’s the problem, though: most Android devices showing a December 2025 patch level don’t actually have all December 2025 patches.
GrapheneOS Security Patches: Full Coverage, Months Early
GrapheneOS doesn’t just apply every patch from the Android Security Bulletin—it applies them months before most vendors even acknowledge they exist. Through security preview releases, GrapheneOS provides access to December 2025, January 2026, February 2026, and March 2026 patches right now.
This isn’t magic. Android’s new security update system provides OEMs approximately three months of early access to patches, with permission to make binary-only releases before official disclosure. Nevertheless, GrapheneOS is the first (and possibly only) Android OS to actually use this capability. Users can enable it through Settings → System → System Updates → “Receive security preview releases.”
The trade-off is minor: source code isn’t available until official disclosure dates. However, GrapheneOS users get protection months before the rest of the Android ecosystem, proving that early, comprehensive patching is not just possible—it’s achievable with limited resources.
The Broken System: Vendor Cherry-Picking
Research has repeatedly caught Android OEMs skipping patches while claiming devices are “up-to-date.” Studies show that most Android vendors regularly fail to include patches, leaving the ecosystem exposed. In some cases, vendors skip four or more patches while still displaying current security patch levels.
The problem isn’t always chipset vendors. While MediaTek often lags 9-10 patches behind, research found that OEMs themselves actively slack off, skipping patches specific to their implementations. Specifically, the “-01” security patch level only includes Android framework fixes, not vendor patches or upstream Linux kernel patches. The “-05” level includes everything, but most users don’t know the difference.
Google’s new “risk-based” security update approach makes transparency worse. Monthly bulletins now only include vulnerabilities Google deems “high-risk,” leading to some bulletins listing zero fixes—the July 2025 Android Security Bulletin was completely empty. Meanwhile, larger quarterly updates in March, June, September, and December now carry the load: September 2025 listed 119 vulnerabilities compared to zero in July and six in August.
The Uncomfortable Question
If GrapheneOS—a non-profit open source project with limited resources—can apply every Android Security Bulletin patch and ship preview releases months before disclosure, why can’t Google apply all patches to its own Pixel devices? Similarly, why can’t Samsung, with billions in revenue, match a volunteer-driven project?
The answer isn’t technical capability. The early access system exists. The patches are available. Indeed, GrapheneOS proves full implementation is achievable. The answer is priorities: applying all patches costs money and delays product releases. Ultimately, vendors have chosen speed and cost savings over complete security.
What GrapheneOS exposes isn’t just a patching gap—it’s security theater. Users see “December 2025 security patch” and assume they’re fully protected. They’re not. Vendors can claim up-to-date status while skipping critical fixes, and there’s no transparency requirement forcing them to disclose which patches they skipped.
What This Means for Developers and Businesses
Developers and businesses relying on Android device security need to reevaluate their assumptions. You cannot trust security patch level dates alone. Therefore, enterprise BYOD policies, compliance requirements, and security strategies built on the assumption of fully patched Android devices may not meet actual protection needs.
App developers who assume the underlying OS is secure are building on false foundations. Defense-in-depth strategies aren’t optional when the base layer is compromised. Consequently, organizations need to verify which specific patches their Android fleet actually receives, not just which patch level they display.
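The two practical points above, reading the “-01” versus “-05” day suffix of a security patch level and checking what a fleet of Android devices actually reports, can be turned into a small inventory check. The following is an added example written for this page; it is not GrapheneOS code and not part of the original article. It applies the article’s reading of the suffix (a “-01” level means Android framework fixes only, a “-05” or later level means the full bulletin) and uses the article’s threshold of 2025-12-05. The device inventory is constructed; on a real device the value is read with `adb shell getprop ro.build.version.security_patch`, which the optional `read_patch_level_via_adb` helper wraps.

```python
"""Classify the security patch levels an Android fleet reports.

Added example for this article, not GrapheneOS or Google code.  The
classification follows the article's description of patch-level suffixes:
"-01" covers Android framework fixes only, "-05" (or later) covers the full
bulletin including vendor and upstream kernel patches.  The sample fleet
below is constructed data.
"""
from __future__ import annotations

import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Threshold named in the article: devices need 2025-12-05 or later.
REQUIRED_LEVEL = date(2025, 12, 5)

# ro.build.version.security_patch is formatted YYYY-MM-DD.
PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


@dataclass(frozen=True)
class Assessment:
    device: str
    patch_level: Optional[date]
    status: str   # "full", "framework-only", "behind", "unparseable", "unknown"
    note: str


def parse_patch_level(value: str) -> Optional[date]:
    """Parse a getprop value into a date, or None if it is not a valid level."""
    match = PATCH_RE.match(value.strip())
    if not match:
        return None
    try:
        return date(*(int(part) for part in match.groups()))
    except ValueError:  # e.g. month 13
        return None


def scope_for(level: date) -> str:
    """Map the day suffix to the coverage the article attributes to it."""
    if level.day == 1:
        return "framework-only"
    if level.day >= 5:
        return "full"
    return "unknown"


def assess(device: str, value: str, required: date = REQUIRED_LEVEL) -> Assessment:
    """Assess one device's reported patch level against the required level."""
    level = parse_patch_level(value)
    if level is None:
        return Assessment(device, None, "unparseable", f"cannot parse {value!r}")
    if level < required:
        return Assessment(device, level, "behind",
                          f"{level.isoformat()} is older than required {required.isoformat()}")
    scope = scope_for(level)
    if scope == "framework-only":
        return Assessment(device, level, "framework-only",
                          "-01 level: Android framework fixes only; vendor and kernel patches unconfirmed")
    if scope == "full":
        return Assessment(device, level, "full",
                          "-05 or later level: vendor claims full bulletin coverage")
    return Assessment(device, level, "unknown", "unrecognised day suffix")


def assess_fleet(fleet: dict, required: date = REQUIRED_LEVEL) -> list:
    """Assess every device in a {device_id: patch_level_string} inventory."""
    return [assess(device, value, required) for device, value in fleet.items()]


def summarize(assessments: list) -> dict:
    """Count devices per status so the gap is visible at a glance."""
    return dict(Counter(a.status for a in assessments))


def read_patch_level_via_adb(serial: str) -> str:
    """Read the live value from a connected device (not used by the offline sample)."""
    out = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


# Constructed sample inventory: device id -> what getprop would return.
SAMPLE_FLEET = {
    "dev-01": "2025-12-05",  # full December 2025 level
    "dev-02": "2026-01-01",  # January -01 level: framework fixes only, per the article
    "dev-03": "2025-12-01",  # December -01 level, below the required 2025-12-05
    "dev-04": "2025-09-05",  # three months behind
    "dev-05": "unknown",     # property unreadable (constructed failure case)
}


if __name__ == "__main__":
    results = assess_fleet(SAMPLE_FLEET)
    for r in results:
        print(f"{r.device:8} {r.status:15} {r.note}")
    print(summarize(results))
```

The check reports only what a device claims; as the article stresses, a “full” result is the vendor’s assertion, not proof that every bulletin entry was applied. It is useful for finding devices that are openly behind or that show a framework-only level, which is where a fleet review should start.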
The trust deficit is real. Vendor incentives are misaligned: comprehensive patching conflicts with fast releases and cost control. Without transparency requirements or mandates for complete patch application, this won’t change through vendor goodwill.
The Real Issue: Transparency
GrapheneOS didn’t just expose incomplete patching—it proved full patching is possible and practical. The Android security model isn’t broken because complete patching is technically impossible. Instead, it’s broken because vendors choose not to do it, and users have no way to know which patches they’re actually getting.
When a small non-profit outperforms billion-dollar corporations on basic security hygiene, the industry has a problem. GrapheneOS’s #1 Hacker News ranking reflects developer frustration with this gap between vendor promises and reality. Ultimately, the question isn’t whether Android can be secure—GrapheneOS proves it can. The question is whether the rest of the ecosystem will follow.