Security Overview
KaiOS is committed to providing a secure environment for our users and partners. We maintain a proactive security posture by integrating rigorous testing and rapid patching into our release cycle. We recognize the critical role that independent security researchers play in the ecosystem and welcome feedback that helps us harden the system.
Report a Security Issue
We encourage users and developers to report potential vulnerabilities through our official submission channel. To ensure a prompt triage process, please use the KaiOS Security Bug Feedback linked below.
Submit a Security Issue
Disclosure and Visibility Policy
To ensure the protection of our users, submissions categorized as security issues are strictly restricted to the KaiOS Security Team and the original reporter. Access to these reports remains limited until a fix has been successfully deployed across affected devices. Following the resolution or thorough evaluation of the issue, we may update the visibility of the report to support community transparency.
Issue Triage
Upon submission, every report enters our security bug triage workflow. The KaiOS Security Team will perform an initial technical review to ensure the submission contains the necessary data (PoC, version, and impact) to proceed.
Scope and Context
To help us route the report to the appropriate engineering team, identifying the correct scope is essential. The following table categorizes vulnerabilities based on the affected layer of the KaiOS architecture.
| Context | Definition |
|---|---|
| Applications | Vulnerabilities within preloaded Apps or Apps downloaded from Kai Store (the official store channel). |
| Run-time engine | Issues related to permission access, the web engine, the rendering engine, and platform features (connectivity, Wi-Fi, multimedia, etc.). |
| Kernel and low-level frameworks | Vulnerabilities within the Linux kernel, HAL, or system-level drivers. |
Severity
We assess the severity of a vulnerability based on its potential impact on user data and system integrity, as well as the complexity of the exploit.
| Severity | Consequence of Successful Exploitation |
|---|---|
| Critical | Remote arbitrary code execution (RCE) with user privileges in the normal course of browsing, or unauthorized access to the Kernel, TEE, or Secure Element. |
| High | Vulnerabilities that allow an attacker to bypass the Content Security Policy (CSP), impersonate other origins, escape the web sandbox, gain unauthorized permission access, or bypass the same-origin policy. |
| Moderate | Issues that allow access to limited amounts of sensitive information or require significant user interaction/unusual configurations to exploit. |
| Low | Vulnerabilities with highly limited scope or those requiring extreme mitigating factors. |
| Negligible (NSI) | Issues where the impact has been mitigated by platform security mechanisms (e.g., SELinux policies, filesystem encryption) such that the effective severity is below Low. This includes local temporary denial-of-service recoverable by reboot or app uninstall. NSI issues typically do not receive CVE assignments. |
Crashes
While many crashes are functional bugs, the KaiOS Security Team treats specific types of system failures as high-priority security issues. However, it is important to distinguish these from process terminations performed by standard memory management.
Security-Related Crashes
Crashes that indicate memory corruption (e.g., buffer overflows, use-after-free, or kernel panics) are evaluated as High or Critical severity. If a crash can be reliably triggered by a malicious web page or application to gain unauthorized execution or bypass the sandbox, it is triaged as a security vulnerability.
System Stability Mechanisms
KaiOS has mechanisms designed to ensure platform stability. When the system encounters extreme resource exhaustion or memory pressure, these mechanisms may intentionally terminate a process to prevent a global system hang. Terminations triggered by these stability safeguards are generally not considered security vulnerabilities. They are categorized as functional performance issues unless it can be demonstrated that the resource exhaustion allows for a bypass of security boundaries.
NULL Pointer Dereferences
NULL pointer dereferences require case-by-case evaluation.
| Condition | Security Issue? | Rationale |
|---|---|---|
| Small, fixed offset (< 32KB) | No | Modern platforms prevent memory mapping in the first 32KB of address space, resulting in a non-exploitable crash. |
| Large offset (> 32KB) | Yes | May access valid mapped memory, potentially leading to exploitation. |
| Controllable offset | Yes | Attacker may manipulate the offset to reach exploitable memory regions. |
Updates
The KaiOS Security Committee is responsible for the ongoing monitoring, evaluation, and integration of security patches. To ensure the platform remains resilient against emerging threats, the committee conducts monthly security review meetings to evaluate security findings, risks, and updates from internal research, external reports, and other resources, and to audit OS security label update plans.
| Review Month | Status | Target Release |
|---|---|---|
| Feb 2026 | No Applicable Risks | N/A |
Security Patch Level
The latest security patch level for KaiOS is 20251031. For technical details regarding the specific CVE (Common Vulnerabilities and Exposures) items addressed within this and previous patch levels, please refer to our internal vulnerability trackers: Gecko, Frameworks, Kernel.
Deployment
Validated patches are bundled into the next scheduled Maintenance Release (MR) or Over-the-Air (OTA) update for our OEM partners. Upon release, the Security Patch Level is updated to reflect the new baseline, providing a clear timestamp for users and OEMs to verify their device's security posture.