
GrapheneOS claims Google has significantly reduced security patch backports for older Android versions.
This change could leave devices on previous releases with fewer vulnerability fixes despite continuing to receive monthly security updates. Google has not publicly documented the alleged policy change, and the company has not yet responded to CyberInsider's request for comment.
According to the privacy-focused Android operating system, Google recently informed Android device manufacturers (OEMs) that it will dramatically narrow the range of security vulnerabilities backported to older Android branches.
Changes to Android's backport policy
According to GrapheneOS, Google previously backported most High- and Critical-severity Android vulnerabilities to roughly the previous three major Android releases, while moderate- and low-severity issues, including many privacy-related fixes, were generally limited to the latest version.
The project now says Google will generally backport only internally discovered Critical vulnerabilities deemed to pose an imminent exploitation risk, and only to the two newest Android releases, currently Android 16 and Android 17. By contrast, High and Critical vulnerabilities reported by external researchers would reportedly continue following the previous policy, receiving backports for Android 14 through Android 17.
If confirmed, this would create different maintenance paths for vulnerabilities of similar severity depending on whether they were discovered internally by Google or reported by external researchers.
What this means for users
The reported policy would not necessarily affect users running the latest Android release on supported devices. Pixel phones and many flagship Samsung devices that receive timely major Android upgrades would continue receiving current platform security fixes after updating.
The greater impact would likely fall on devices that continue to receive monthly security updates while running older Android versions, either because they are no longer eligible for major OS upgrades or because manufacturers have delayed platform updates. According to GrapheneOS, such devices could continue showing an up-to-date Android security patch level while missing fixes that were never backported to their Android branch.
Google has already changed aspects of Android's patch distribution process in recent years, including moving Android Open Source Project (AOSP) platform updates to a quarterly release schedule while continuing to publish monthly Android Security Bulletins. However, Google's public documentation does not currently describe the reduced backport policy outlined by GrapheneOS.
GrapheneOS also argues that Android Security Bulletins omit moderate and low-severity vulnerabilities and are published months after OEMs receive fixes. The project attributes the reported changes to the increasing number of vulnerabilities discovered internally and says it plans to expand its long-term patching efforts for supported devices.
CyberInsider contacted Google to confirm whether it has changed its Android security backport policy as described by GrapheneOS and to clarify how the reported changes would affect supported devices running older Android releases, but we have not yet received a response.






Leave a Reply