GrapheneOS fixes Android VPN leak Google refused to patch
Source: Hacker News
Overview
GrapheneOS released a new update that patches a recently disclosed Android VPN‑bypass vulnerability capable of leaking a user’s real IP address even when Always‑On VPN and Block connections without VPN are enabled.
The flaw, disclosed last week by security researcher lowlevel/Yusuf, affected Android 16 and stemmed from a newly introduced QUIC connection‑teardown feature in Android’s networking stack. GrapheneOS disables the problematic optimization, effectively neutralising the attack vector on supported Pixel devices.
The vulnerability
- Affected platform: Android 16 (Pixel 8 used for demonstration)
- Root cause: The
registerQuicConnectionClosePayloadoptimization allowed any app with only the defaultINTERNETandACCESS_NETWORK_STATEpermissions to register arbitrary UDP payloads withsystem_server. - Exploit flow:
- An app registers a fake QUIC
CONNECTION_CLOSEpayload. - When the app’s UDP socket is destroyed,
system_serversends the stored payload directly over the physical network interface, bypassing the VPN tunnel. - Because
system_serverruns with elevated networking privileges, the packet is exempt from VPN routing restrictions, leaking the device’s public IP address.
- An app registers a fake QUIC
Figure 1 – Attack flow (source: lowlevel.fun)
The researcher reproduced the leak on a Pixel 8 running Android 16 with Proton VPN and Android’s lockdown mode enabled. The device’s real IP was sent to a remote server despite the VPN being fully active.
Google’s response
- The issue was reported to Android’s security team.
- Classification: “Won’t Fix (Infeasible)” and NSBC (Not Security Bulletin Class).
- Google argued the bug did not meet the threshold for inclusion in Android security advisories.
- After an appeal, Google maintained its stance and authorised public disclosure on April 29, 2026.
GrapheneOS fix
In release 2026050400, GrapheneOS:
- Disabled the
registerQuicConnectionClosePayloadoptimization. - Integrated the full May 2026 Android security patch level.
- Added multiple
hardened_mallocimprovements. - Updated the Linux kernel across Android’s 6.1, 6.6, and 6.12 branches.
- Back‑ported a fix for CVE‑2026‑33636 in
libpng. - Shipped newer Vanadium browser builds and expanded Dynamic Code Loading restrictions.
Temporary mitigation for stock Android
The researcher noted a short‑term workaround using ADB:
adb shell settings put global close_quic_connection falseThis disables the close_quic_connection DeviceConfig flag.
The fix requires developer access and may be removed in future Android updates.
Follow the story
Stay updated on security news:
- X/Twitter:
- LinkedIn:
Original article published on CyberInsider.
More from CyberInsider
About Alex Lekander
Alex Lekander is the Editor‑in‑Chief and owner of CyberInsider.com. Passionate about cybersecurity and privacy, he launched the site in 2020. His expertise spans privacy research, technical writing, software testing, and site administration. Alex holds a B.S. and an M.S. from Johns Hopkins University.