Tags:

• 2026050400 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026042100 release:

• full 2026-05-01 security patch level
• disable registerQuicConnectionClosePayload optimization to fix VPN leak
• Sandboxed Google Play compatibility layer: add shim for BluetoothAdapter.ACTION_REQUEST_ENABLE
• apply active Dynamic Code Loading restrictions for Java inside isolated processes
• add app API for checking Dynamic Code Loading restriction states
• fully enable lockscreen widget support by default to avoid the swipe gesture being missing for the Pixel 10a and the whole feature being missing for the emulator
• enable standard secure NFC mode by default which can be changed via Settings > Connected devices > Connection preferences > NFC > Require device unlock for NFC (note this only disables card emulation while locked rather than all uses of NFC)
• backport upstream fix for getBubblePackageForLogging() crash
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.170
• kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.130
• kernel (6.12): update to latest GKI LTS branch revision
• hardened_malloc: fix slightly non-uniform distribution of random u16 values used for randomizing slot selection, slab allocation quarantining and free slab quarantining
• hardened_malloc: improve the robustness of disabling memory tagging against theoretical issues by making it fork-safe and adding more synchronization to avoid technically undefined parallel reads of the memory tagging state
• hardened_malloc: improve handling of out-of-memory edge cases
• hardened_malloc: improve sized deallocation hardening
• libpng: backport fix for CVE-2026-33636
• bionic: clamp the minimum size of the random guard region we add between the stack and pthread_internal_t (thread-local storage and other sensitive data) for secondary stack randomization to the page size to guarantee we always add a guard page protecting pthread_internal_t from stack buffer overflows
• App Store: update to version 36
• Vanadium: update to version 147.0.7727.111.0
• Vanadium: update to version 148.0.7778.49.0
• Vanadium: update to version 148.0.7778.60.0
• Vanadium: update to version 148.0.7778.60.1
• Vanadium: update to version 148.0.7778.96.0
• adevtool: add update-gservices-flag command for fetching gservices flags

All of the Android 16 security patches from the current June 2026, July 2026, August 2026, September 2026, October 2026 and November 2026 Android Security Bulletins are included in the 2026050401 security preview release. List of additional fixed CVEs:

• Critical: CVE-2026-0039, CVE-2026-0040, CVE-2026-0041, CVE-2026-0042, CVE-2026-0043, CVE-2026-0044, CVE-2026-0051, CVE-2026-0052, CVE-2026-0080, CVE-2026-0097, CVE-2026-21352, CVE-2026-21353, CVE-2026-27280, CVE-2026-28590, CVE-2026-28591
• High: CVE-2025-22424, CVE-2025-22426, CVE-2025-48600, CVE-2025-48612, CVE-2026-0008, CVE-2026-0016, CVE-2026-0036, CVE-2026-0048, CVE-2026-0050, CVE-2026-0053, CVE-2026-0054, CVE-2026-0055, CVE-2026-0056, CVE-2026-0059, CVE-2026-0060, CVE-2026-0061, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0067, CVE-2026-0070, CVE-2026-0074, CVE-2026-0075, CVE-2026-0076, CVE-2026-0077, CVE-2026-0078, CVE-2026-0079, CVE-2026-0084, CVE-2026-0085, CVE-2026-0086, CVE-2026-0087, CVE-2026-0088, CVE-2026-0089, CVE-2026-0091, CVE-2026-0093, CVE-2026-0094, CVE-2026-0095, CVE-2026-0096, CVE-2026-0098, CVE-2026-0099, CVE-2026-0100, CVE-2026-28572, CVE-2026-28574, CVE-2026-28577, CVE-2026-28578, CVE-2026-28580, CVE-2026-28581, CVE-2026-28582, CVE-2026-28583, CVE-2026-28585, CVE-2026-28586, CVE-2026-28588, CVE-2026-28594, CVE-2026-28596, CVE-2026-28602

For detailed information on security preview releases, see our post about it.