GrapheneOS patches Android VPN leak Google declined to fix
GrapheneOS ships a workaround for Android’s VPN bypass bug
GrapheneOS has released an update that closes a newly disclosed Android VPN leak capable of exposing a user’s real IP address, even when Android’s strongest VPN protections were enabled.
The fix, included in GrapheneOS release 2026050400, disables the registerQuicConnectionClosePayload optimization that triggered the bypass. GrapheneOS said that change effectively neutralizes the attack on supported Pixel devices.
The issue was disclosed last week by security researcher Yusuf, known online as lowlevel. In technical write-ups, the researcher said the bug affects Android 16 and stems from a QUIC connection teardown feature added to Android’s networking stack. Affected apps needed only the standard, automatically granted INTERNET and ACCESS_NETWORK_STATE permissions.
According to the report, an app could register arbitrary UDP payloads with Android’s system_server. When the app’s UDP socket was later destroyed, system_server would send the stored payload over the device’s physical network interface rather than through the VPN tunnel. Because system_server runs with elevated networking privileges and is exempt from VPN routing restrictions, the packet could escape Android’s lockdown mode entirely.
Yusuf demonstrated the flaw on a Pixel 8 running Android 16 with Proton VPN enabled and Android’s “Always-On VPN” and “Block connections without VPN” settings turned on. Despite those protections, the device reportedly leaked its real public IP address to a remote server.
The researcher said Google’s Android security team classified the report as “Won’t Fix (Infeasible)” and “NSBC,” meaning it would not be included in a security bulletin. Yusuf appealed, arguing that the issue allowed ordinary apps to leak identifying network information using standard permissions, but Google kept its position and approved public disclosure on April 29.
GrapheneOS, which is built around privacy and security on Google Pixel hardware, moved faster. The project said it disabled the underlying optimization in order to stop the leak, adding a practical fix for users who depend on VPNs to hide their network identity.
Sources:
Browse privately with Doppler VPN — no logs, one tap connect.