Tags:

• 2026030500 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, emulator, generic, other targets)

Changes since the 2026030200 release:

• full 2026-03-05 security patch level
• integrate extra security patches not included in the Android Security Bulletin from the March 2026 Android 16 security tag release
• update Pixel kernel sources to CP1A.260305.018 (Android 16 QPR3)
• update Pixel firmware and a large portion of the driver libraries/HALs to CP1A.260305.018 (Android 16 QPR3)
• fix Network permission enforcement for MediaPlayerService clients by closing a bypass caused by an upstream Android vulnerability for INTERNET permission enforcement caused by using case-sensitive rather than case-insensitive string comparisons
• rename geocoder options to “GrapheneOS server” and “OpenStreetMaps server” since we’re now self-hosting Nominatim instead of providing a proxy to the OpenStreetMaps instance

All of the Android 16 security patches from the current April 2026, May 2026, June 2026, July 2026 and August 2026 Android Security Bulletins are included in the 2026030501 security preview release. List of additional fixed CVEs:

• Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044, CVE-2026-0049, CVE-2026-0052, CVE-2026-0073
• High: CVE-2025-22424, CVE-2025-22426, CVE-2025-48600, CVE-2025-48612, CVE-2026-0016, CVE-2026-0036, CVE-2026-0048, CVE-2026-0050, CVE-2026-0053, CVE-2026-0054, CVE-2026-0055, CVE-2026-0056, CVE-2026-0059, CVE-2026-0060, CVE-2026-0061, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0067, CVE-2026-0070, CVE-2026-0074, CVE-2026-0076

For detailed information on security preview releases, see our post about it.