android security bulletin: 2026 AOSP changes

Android security bulletin: AOSP timing, major fixes and update guidance

Introduction: Why the android security bulletin matters

The android security bulletin is a central source of information about platform and device security updates. Its guidance affects manufacturers, developers and end users by detailing fixes for vulnerabilities and recommending build and release practices. Recent changes to how source code is published to AOSP and summaries of significant patched vulnerabilities make this bulletin particularly relevant for anyone responsible for device security or software supply chains.

Main body: Changes, categories and notable fixes

AOSP publishing and build guidance (effective 2026)

To align with a trunk stable development model and improve platform stability, the bulletin states that source code will be published to AOSP in Q2 and Q4 beginning in 2026. For building and contributing to AOSP, the bulletin recommends using the android-latest-release manifest branch instead of aosp-main. The android-latest-release branch will always reference the most recent release pushed to AOSP. Further details are available under “Changes to AOSP” in the bulletin documentation.

Bulletin structure and device coverage

The android security bulletin is organised into platform-specific and device-specific sections. Platform-specific bulletins include Android platform fixes, upstream Linux kernel fixes and fixes from SoC manufacturers. Separate update bulletins cover Android Automotive OS and Android Wear. Device-specific bulletins include Pixel update bulletins (Google devices), Chromecast security bulletins, Pixel Watch security bulletins and Android XR security bulletins. The bulletin information provided here was last updated on 2026-01-15 UTC.

Notable vulnerabilities and patch cadence

Generally published monthly—often on the first of each month—the bulletins summarise patches, automatic fixes and protective measures. In August 2025 Google patched six vulnerabilities, including two assessed as critical. One critical issue, tracked as CVE-2025-48530, was a vulnerability in the Android System that could enable remote code execution in combination with other bugs. Researchers also reported serious vulnerabilities affecting the GPU micronode of Qualcomm’s Adreno GPUs, which power a large number of Android devices.

What users and administrators should do

Users can find their device’s Android version number, security update level and Google Play system level in the Settings app; most phones provide an Updates option under device or phone settings to check for available updates (interfaces may vary by vendor). Administrators and developers should follow the new AOSP publishing schedule and use android-latest-release for builds to remain aligned with the latest stable releases.

Conclusion: Significance and outlook

The 2026 changes to AOSP publishing and the continued monthly security bulletins aim to improve platform stability and transparency. Timely application of patches—especially for critical issues like CVE-2025-48530 and reported GPU vulnerabilities—remains essential for protecting devices across the ecosystem.