
GrapheneOS fixes Android VPN leak Google refused to patch

Why This Matters

GrapheneOS has released an update that addresses an Android VPN leak capable of exposing a user's real IP address even with the VPN protections enabled. The fix matters for privacy-focused users and organizations relying on Android devices, particularly because Google has not patched the issue in the official Android OS. GrapheneOS closed the hole by disabling the network optimization that introduced it, a reminder that users with sensitive threat models often need fixes ahead of the platform vendor.

Key Takeaways

GrapheneOS has released a new update that fixes a recently disclosed Android VPN bypass vulnerability capable of leaking a user’s real IP address.

The leak happened even when Android's "Always-On VPN" and "Block connections without VPN" protections were enabled.

The issue, disclosed last week by security researcher “lowlevel/Yusuf,” affected Android 16 and stemmed from a newly introduced QUIC connection teardown feature in Android’s networking stack. In its latest release, GrapheneOS says it has “disable[d] registerQuicConnectionClosePayload optimization to fix VPN leak,” effectively neutralizing the attack vector on supported Pixel devices.

GrapheneOS is a privacy- and security-focused Android-based operating system primarily developed for Google Pixel devices. The project is widely used by privacy-conscious consumers, journalists, activists, and enterprise users seeking stronger application sandboxing, exploit mitigations, and reduced reliance on Google services.

According to Yusuf’s technical write-up, the vulnerable API allowed ordinary applications with only the automatically granted INTERNET and ACCESS_NETWORK_STATE permissions to register arbitrary UDP payloads with system_server.

When the app’s UDP socket was later destroyed, Android’s privileged system_server process would transmit the stored payload directly over the device’s physical network interface rather than through the VPN tunnel. Because system_server operates with elevated networking privileges and is exempt from VPN routing restrictions, the packet bypassed Android’s VPN lockdown protections entirely.

Figure: Attack flow overview (source: lowlevel.fun)

The researcher demonstrated the flaw on a Pixel 8 running Android 16 with Proton VPN enabled alongside Android’s lockdown mode. The app reportedly leaked the device’s actual public IP address to a remote server despite VPN protection being fully enabled.

In Android 16, Google introduced a feature that lets the system gracefully terminate an application's QUIC sessions when its sockets are unexpectedly destroyed. However, the implementation accepted arbitrary payloads without validating that they were legitimate QUIC CONNECTION_CLOSE frames, and it did not check whether the originating application was restricted to VPN-only traffic.
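The following is an added model of the two missing checks, written for this page and not taken from Android, GrapheneOS or the researcher's write-up. It covers the flow described earlier (an app registers a payload for its UDP socket, and a privileged process transmits it when the socket dies) and the two checks this paragraph says were absent. The functions `looks_like_quic_packet`, `vulnerable_egress` and `hardened_egress`, the `VpnState` and `RegisteredClose` types, the interface names and the sample packets are all assumptions made for the example; the real Android API signature and its routing internals are not reproduced.

```python
"""Hypothetical model of the checks the vulnerable close-payload path lacked.
Added illustration, not Android's or GrapheneOS's code; all names and sample
data below are assumptions made for the example."""
from dataclasses import dataclass
import struct

MAX_CID_LEN = 20        # RFC 9000 s17.2: version 1 connection IDs are at most 20 bytes
# RFC 9001 s5.4.2: header-protection sampling needs 4 + 16 bytes after the packet
# number offset, so no protected QUIC packet is shorter than 1 + 20 bytes.
MIN_PROTECTED_LEN = 21


def looks_like_quic_packet(payload: bytes) -> bool:
    """Stateless check that a UDP payload carries a well-formed QUIC header.

    The CONNECTION_CLOSE frame (types 0x1c/0x1d) sits inside the AEAD-protected
    body and cannot be verified without the connection keys, so this can only
    reject payloads that cannot be QUIC at all. A short-header packet is not
    self-describing beyond its first byte, so arbitrary bytes whose first byte
    has the Fixed Bit set still pass.
    """
    if len(payload) < MIN_PROTECTED_LEN:
        return False
    first = payload[0]
    if not first & 0x40:                # Fixed Bit must be 1 (RFC 9000 s17.2, s17.3)
        return False
    if not first & 0x80:                # short header: nothing more to check statelessly
        return True
    version = struct.unpack(">I", payload[1:5])[0]
    if version == 0:                    # Version Negotiation is only ever sent by servers
        return False
    pos = 5                             # length-prefixed DCID, then SCID
    for _ in ("dcid", "scid"):
        if pos >= len(payload):
            return False
        cid_len = payload[pos]
        pos += 1
        if cid_len > MAX_CID_LEN or pos + cid_len > len(payload):
            return False
        pos += cid_len
    return True


@dataclass(frozen=True)
class VpnState:
    tun_up: bool                        # the VPN tunnel interface is established
    lockdown: bool                      # "Block connections without VPN" is on
    covered_uids: frozenset             # app UIDs whose traffic belongs to this VPN
    tun_ifname: str = "tun0"


@dataclass(frozen=True)
class RegisteredClose:
    app_uid: int                        # owner of the UDP socket that registered the payload
    payload: bytes


def vulnerable_egress(reg: RegisteredClose, vpn: VpnState, physical: str = "wlan0") -> str:
    """Behaviour the write-up describes: the privileged system process sends the
    stored payload itself, and because its own UID is never inside a VPN's UID
    range the packet leaves on the physical interface whatever the app's VPN state."""
    return physical


def hardened_egress(reg: RegisteredClose, vpn: VpnState, physical: str = "wlan0"):
    """Send on the app's behalf only under the app's own routing constraints.

    Returns the interface the close packet may leave on, or None to drop it.
    The UID check is the one that closes the leak: the secret being leaked is the
    device's source address, which reaches the destination whatever bytes the
    payload holds, so payload validation alone would not have been enough.
    """
    if not looks_like_quic_packet(reg.payload):
        return None
    if reg.app_uid not in vpn.covered_uids:
        return physical                 # app is outside the VPN's scope
    if vpn.tun_up:
        return vpn.tun_ifname           # route as the app's own packets would be routed
    return None if vpn.lockdown else physical


# Constructed sample data (not captured from a device).
VPN = VpnState(tun_up=True, lockdown=True, covered_uids=frozenset({10123}))
# Initial packet: long header (0xC3), version 1, 8-byte DCID, empty SCID, padding.
QUIC_INITIAL = bytes([0xC3]) + b"\x00\x00\x00\x01" + b"\x08" + bytes(range(8)) + b"\x00" + b"\x00" * 40
# 1-RTT packet: short header (0x41), 8-byte DCID, 20 bytes standing in for ciphertext.
QUIC_1RTT = bytes([0x41]) + bytes(range(8)) + b"\x00" * 20
# DNS-style query: first byte 0x12 has the Fixed Bit clear, so it cannot be QUIC.
NOT_QUIC = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 26


def demo():
    """Run the constructed cases; returns {case: (vulnerable_iface, hardened_iface)}."""
    cases = {
        "covered app, real QUIC": RegisteredClose(10123, QUIC_INITIAL),
        "covered app, non-QUIC bytes": RegisteredClose(10123, NOT_QUIC),
        "uncovered app, real QUIC": RegisteredClose(10200, QUIC_1RTT),
    }
    return {name: (vulnerable_egress(r, VPN), hardened_egress(r, VPN)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:30s} vulnerable -> {before:6s} hardened -> {after}")
```

Running it shows the covered app's close packet going out on wlan0 in the vulnerable model and on tun0 in the hardened one, while the non-QUIC payload is dropped. Note the limits of the first check: without the session keys a 1-RTT packet cannot be told apart from arbitrary bytes whose first byte has the Fixed Bit set, which is why enforcing the app's own VPN scope, rather than inspecting the payload, is what actually prevents the source address from reaching the remote host. GrapheneOS's choice to disable the optimization outright sidesteps both checks.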
