GrapheneOS closes an Android VPN loophole before Google does

Published: May 7, 2026 at 06:06 PM EDT

Source: Android Authority

[Image: GrapheneOS boot animation. Credit: Calvin Wankhede / Android Authority]

TL;DR

  • GrapheneOS patched an Android 16 VPN flaw that Google reportedly decided not to fix.
  • The bug could let a malicious app leak a small amount of data outside an active VPN tunnel.
  • In extreme cases, stock Android users could have their IP address exposed even with strict lockdown controls enabled.

The Issue

A security researcher known as lowlevel/Yusuf disclosed a vulnerability nicknamed Tiny UDP Cannon. The issue affects Android 16 and allows a regular app to leak a tiny packet of data outside an active VPN tunnel, potentially revealing the device’s real IP address.

[Image: Yusef GrapheneOS X Post. Credit: X/@cybaqkebm]

The bug can bypass Android’s strictest VPN settings—Always‑On VPN and Block connections without VPN—which are supposed to prevent any traffic from leaving the device unless it goes through the VPN.

How It Works

The flaw stems from a networking optimization in Android 16. When certain connections are closed, Android fails to verify whether the final tiny packet should be subject to the VPN. Consequently, the packet can be sent over the regular network interface. If a malicious app crafts this packet to contain the device’s IP address, it defeats the primary purpose of using a VPN.
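One way to check from outside the device whether the lockdown guarantee holds, as an added example that is not from the article or the researcher: it scans `tcpdump -n` text captured on the upstream router and flags any packet the phone sends to a destination other than the VPN server. The addresses, ports and capture lines are constructed, and `find_leaks` and its parameters are hypothetical names.

```python
import ipaddress
import re

# tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: <summary>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

def find_leaks(lines, device_ip, vpn_endpoint, allowed_nets=()):
    """Return packets device_ip sent to anything other than the VPN endpoint."""
    device = ipaddress.ip_address(device_ip)
    vpn_ip, vpn_port = ipaddress.ip_address(vpn_endpoint[0]), vpn_endpoint[1]
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 port-bearing line; out of scope here
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if src != device:
            continue  # inbound traffic or another host
        if dst == vpn_ip and dport == vpn_port:
            continue  # encrypted tunnel traffic, expected
        if any(dst in net for net in allowed):
            continue  # local traffic the auditor chose to permit (assumption)
        size = re.search(r"length (\d+)", m["rest"])
        leaks.append({"time": m["ts"], "dst": str(dst), "dport": dport,
                      "length": int(size.group(1)) if size else None})
    return leaks

# Constructed capture lines (RFC 5737 documentation addresses, arbitrary sizes).
SAMPLE = """\
12:00:01.000100 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 148
12:00:01.020300 IP 203.0.113.10.51820 > 192.168.1.50.40000: UDP, length 92
12:00:02.100000 IP 192.168.1.50.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 02:00:00:00:00:01, length 300
12:00:02.500000 IP 192.168.1.50.53211 > 198.51.100.7.443: UDP, length 29
12:00:03.000000 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 148
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "192.168.1.50", ("203.0.113.10", 51820),
                           allowed_nets=["192.168.1.0/24"]):
        print("outside tunnel:", leak)
```

With lockdown working as intended the result is an empty list; any entry is traffic that reached the network without passing through the tunnel.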

Impact

  • Limited exploitability: An attacker must first get a malicious app onto the target device.
  • Potential privacy breach: Even with VPN lockdown mode enabled, the device’s real IP address could be exposed.
  • No widespread risk: The vulnerability only leaks a small amount of data, but it undermines VPN guarantees.

Responses from Google and GrapheneOS

  • Google’s stance: The Android Security Team classified the issue as “Won’t Fix (Infeasible)” and omitted it from security bulletins.
  • GrapheneOS’s solution: The project disabled the underlying feature entirely in release 2026050400. See the official release notes.

For stock Android users, there is currently no official fix, though the researcher notes that the feature can be manually disabled via an ADB command.

Takeaway

GrapheneOS demonstrates a proactive approach to privacy edge cases, addressing a VPN bypass that Google chose not to fix. While the immediate risk to most users is modest, the vulnerability highlights the importance of scrutinizing even “locked‑down” VPN configurations on Android devices.
