# Ongoing changes to Android security patches due to AI vulnerability discovery

> Source: <https://discuss.grapheneos.org/d/40286-ongoing-changes-to-android-security-patches-due-to-ai-vulnerability-discovery>
> Published: 2026-07-14 03:53:45+00:00

Android's security policy for the past several years has been to backport patches for Critical and High severity Android vulnerabilities to the past 3 major yearly releases. Moderate and Low severity patches including most fixes for privacy weaknesses have required upgrading to the latest releases.

Google recently informed OEMs of greatly reduced security support for older releases of Android. For the vast majority of discovered vulnerabilities, only Critical severity issues deemed to be an imminent risk will be backported at all and only to the most recent 2 major yearly releases (16 and 17).

Externally reported vulnerabilities will currently still follow the same policy for backports as before. High and Critical severity vulnerabilities reported to Google by external parties will be backported to releases going back around 3 years (currently 14, 15, 16 and the current latest stable 17).

Android Security Bulletins already omit Moderate and Low severity patches. They're already dated 2-4 months after the vulnerabilities were disclosed to OEMs and allowed to be shipped. Only Samsung flagships and Pixels ship any of it 'early' on practice. Only GrapheneOS ships the full set 'early'.

The vast majority of vulnerabilities are now being discovered internally by Google for Android and Chrome. These are largely being discovered with AI. The subset deemed Critical severity and an imminent risk will be backported to 16 and 17. Bare minimum security support for older releases is over.

Bare minimum Android security patches now require being on Android 16, 16 QPR2 or 17 and quickly moving to Android 18 when it's released. Once Android 18 is released, it will be the only release with current High and Critical severity patches. Serious support for older Android releases has ended.

Android 17 is the only Android release with the current set of disclosed Moderate and Low severity patches. Android 16, 16 QPR2 and 17 will soon be the only releases with the current set of disclosed Critical and High severity patches too. Once Android 18 is released, it will be the only one.

Vast majority of Linux kernel vulnerabilities aren't covered by Android Security Bulletins, externally disclosed patches are backported very slowly and Android Security Bulletins come 2-4 months later than when Android patches can be shipped. If you want bare minimum patches, use iOS or GrapheneOS.

We're going to need to do a lot of work with Motorola and Qualcomm to provide serious patches for GrapheneOS devices. We're going to need more developers. After the launch of the new devices with GrapheneOS support, we want to repeatedly port to the latest Linux LTS branch among other major changes.

Google is completely overwhelmed by the massive torrent of vulnerabilities discovered by AI models. They've done repeated cycles of layoffs and buyouts crippling their ability to handle it. The change to the schedule for Android Security Bulletins is also extremely at odds with this new reality.

Google switched to a performative Android Security Bulletin system with vulnerabilities listed 2-4 months after they're shipped. They're pretending as if not open sourcing patches protects people from OEMs not patching them. Our community has people successfully reverse engineering binary patches.

Google needs to start open sourcing QPR1 and QPR3 releases again along with open sourcing security preview patches shortly after disclosure to OEMs. Otherwise, we'll just hire people to start doing reverse engineering work in an official capacity to start publishing the changes as open source early.
