GrapheneOS fixes Android VPN leak Google refused to patch
5 hours ago
- GrapheneOS released an update fixing an Android VPN bypass vulnerability.
- The vulnerability allowed apps to leak a user's real IP address even with VPN lockdown enabled.
- The issue stemmed from a QUIC connection teardown feature that transmitted UDP payloads outside the VPN.
- Google's Android security team classified the issue as "Won't Fix (Infeasible)" and did not issue a security bulletin.
- GrapheneOS disabled the vulnerable optimization to neutralize the attack on Pixel devices.
- The update also includes May 2026 security patches, kernel updates, and other security improvements.
- A temporary mitigation for stock Android users involves disabling the close_quic_connection flag via ADB.