Patch Levels
A note on operating system security
There is a singular all-or-nothing, all-encompassing Android security bulletin released every month that covers security issues across the entire system. Below we break it into five parts solely for ease of understanding for you to determine the general security of a given operating system. Being behind on any one part means the system is inherently insecure.
- the version of Android itself, newer versions have more security features/hardening
- the ASB patch level, these are essential security patches
- the Pixel ASB patch level, these are recommended security patches and are only provided for the latest Android version. Despite the name, the majority are NOT Pixel specific as described here and here.
- the vendor (aka SOC) ASB patch level, see e.g. Qualcomm
- and lastly the Linux kernel version, newer versions have more security features/hardening
Does AXP.OS make my device secure?
The short answer: No. “Just” more secure.
The long answer is that AXP.OS is likely the best harm reduction option if your device is no longer in support by its manufacturer or vendor. Any project or product claiming they make end-of-life devices secure should be rigorously scrutinized.
AXP.OS tries to fill a gap mainly for end-of-life devices and offers more security and privacy than e.g. an outdated STOCK OS version of such a device. Compared to other custom OS it even offers highly increased security due to the integrated kernel patching (see The AXP.OS patch level)
Lastly it must be noted that privacy and security go hand-in-hand, there is a fundamental limit of how much privacy you can achieve if you do not have security backing it up.
If AXP.OS isn’t secure, then why should I be using it?
To be clear: you should seek out a newer non-EOL device, but not everyone can afford such.
Additionally for a handful of use cases AXP.OS fills the gap enough to be OKish, eg. offline music/maps/wikipedia device, basic gaming (solitaire/sudoku/etc.), basic browsing of trusted websites with updated browsers, a spare/backup device, website or Android app development/testing, etc.
And security aside, it still has substantial benefits over the stock/final release for EOL devices.
The AXP.OS patch level
Each month Google releases an Android Security Bulletin (“ASB”) which contains important patches (check next topic, as their content has heavily changed) and marked with different patch dates.
until 2025-12
Up to 2025-12 AXP.OS re-used Google’s patch dates and mapped -05 for all devices where the Linux kernel could be patched, regardless if they were Firmware updates included.
| Patch date | STOCK OS | AXP.OS |
|---|---|---|
YYYY-MM-01 | 🧩 Android platform fixes only | 🧩 Android platform fixes only |
YYYY-MM-05 | 🧩 Android platform fixes + 💽 SoC manufacturers/OEM’s + 🐧 Linux kernel | 🧩 Android platform fixes + 💽 SoC manufacturers/OEM’s + 🐧 Linux kernel |
since 2026-01
A new patch level "YYYY-MM-03" has been added to distinguish better between fully patched (i.e. including Firmware) and “just” including Kernel patches:
| Patch date | STOCK OS | AXP.OS |
|---|---|---|
YYYY-MM-01 | 🧩 Android platform fixes only | 🧩 Android platform fixes only |
YYYY-MM-03 | N/A | 🧩 Android platform fixes + 🐧 Linux kernel |
YYYY-MM-05 | 🧩 Android platform fixes + 💽 SoC manufacturers/OEM’s + 🐧 Linux kernel | 🧩 Android platform fixes + 💽 SoC manufacturers/OEM’s + 🐧 Linux kernel |
Android platform fixes (often referred to as just ASB, meaning Android Security Bulletins) are backports of official released fixes by Google and can be provided for a wide range of devices. Backports will usually not cover all ASB patches as code is constantly evolving and so might not even apply to older versions, especially on ultra legacy Android versions (i.e. ~5 or more versions older than the latest Android version).*see next topic
New (2025) ASB release cycle for more detailsSoC manufacturers (SoC = System-on-Chip, e.g. QualComm) and/or OEM's (Original Equipment Manufacturer, e.g. Samsung, Google, Sony, …) can be usually provided for modern (i.e. still OEM supported) devices only (e.g. Fairphone, SHIFT).Note: These updates are usually simply referred to as
"Firmware".Many devices get these updates for a short period of time only and they are always proprietary / closed source.
Besides that they are always bound to the Android version used by the AXP.OS release and so can be even outdated (i.e. if AXP.OS is A13 and there are A14 SoC/OEM patches they can not be applied).
Check out the
Patchlevel row of the Devices page for your model to see what is covered for your device.One of the outstanding AXP.OS features is patching each and every Android Linux Kernel. OEM’s or other OS developers usually “just” take Google patches and backport them to their devices. If they do it at all! AXP.OS on the other hand applies kernel patches by using the CVE-Patcher (originally developed by DivestOS) which often fixes issues before they are even/ever part of a Google ASB (Kernel patches sometimes can take months until they get merged by Google which already resulted in several open security holes for longer than necessary). Additionally the CVE-Patcher covers a lot more than an ASB does, legacy devices easily have 1000+ patches applied (exact amount can be revealed in the Kernel version shown as -pXXXX in Android’s About-Info page).
AXP.OS Linux kernel patches include:
- patches by Google
- patches by the CIP project
- patches by kernel.org
- Note: not all these patches can be applied on all devices. These exclusions are handled via Fix_CVE_Patchers.sh
New (2025) ASB release cycle
Since July 2025, Google has fundamentally changed the way Android security updates are announced and released. Many patches are now only released quarterly, which has a significant impact on the custom OS community and the importance of the monthly ASB for us. For more information, please visit the News page.