GrapheneOS fixes Android VPN leak Google refused to patch

Android's VPN security gap, long dismissed by Google, has been plugged by GrapheneOS, a custom Android variant, through a patch that exploits a workaround for a kernel vulnerability, effectively bypassing the company's refusal to address the issue. The fix leverages a Linux kernel module to intercept and encrypt VPN traffic, circumventing a known flaw in Android's VPN implementation. This patch underscores the limitations of Google's control over Android's security.

GrapheneOS has released an update that fixes a recently disclosed Android VPN bypass vulnerability capable of leaking a user's real IP address. The leak occurs even when Android's "Always-On VPN" and "Block connections without VPN" protections are enabled.

The issue, disclosed last week by security researcher "lowlevel/Yusuf," affects Android 16 and stems from a newly introduced QUIC connection teardown feature in Android's networking stack. In its latest release (2026050400), GrapheneOS says it has "disable[d] registerQuicConnectionClosePayload optimization to fix VPN leak," effectively neutralizing the attack vector on supported Pixel devices.

How the leak works

According to Yusuf's technical write-up, the vulnerable API allows ordinary applications with only the automatically granted INTERNET and ACCESS_NETWORK_STATE permissions to register arbitrary UDP payloads with system_server. When the app's UDP socket is later destroyed, Android's privileged system_server process transmits the stored payload directly over the device's physical network interface rather than through the VPN tunnel. Because system_server operates with elevated networking privileges and is exempt from VPN routing restrictions, the packet bypasses Android's VPN lockdown protections entirely.

The researcher demonstrated the flaw on a Pixel 8 running Android 16 with Proton VPN enabled alongside Android's lockdown mode. The app reportedly leaked the device's actual public IP address to a remote server despite VPN protection being fully enabled.

Google introduced a feature that allows applications to gracefully terminate QUIC sessions when sockets are unexpectedly destroyed. However, the implementation accepted arbitrary payloads without validating whether they were legitimate QUIC CONNECTION_CLOSE frames and did not verify whether the originating application was restricted to VPN-only traffic.
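A defender can confirm or rule out this kind of bypass from a capture of the physical interface: with lockdown enabled, the device should send nothing there except tunnel traffic to the VPN endpoint. The following check is an added example, not code from the researcher or GrapheneOS; it assumes `tcpdump -n -q` text output, and all addresses and the sample capture are constructed.

```python
import ipaddress
import re

# `tcpdump -n -q` line shape: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def find_vpn_leaks(lines, device_ip, vpn_endpoints, allowed_nets=()):
    """Return UDP packets sent by device_ip on the physical interface to any
    destination other than the VPN endpoint(s) or explicitly allowed networks."""
    endpoints = {ipaddress.ip_address(e) for e in vpn_endpoints}
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["src"] != device_ip:
            continue  # not UDP, unparsable, or inbound traffic
        dst = ipaddress.ip_address(m["dst"])
        if dst in endpoints or any(dst in n for n in nets):
            continue  # tunnel traffic or allowed local traffic (e.g. DHCP)
        leaks.append({"time": m["ts"], "dst": str(dst),
                      "dport": int(m["dport"]), "length": int(m["len"])})
    return leaks

# Constructed sample: tunnel packets to the VPN endpoint (198.51.100.7),
# a local DHCP exchange, and one stray UDP datagram outside the tunnel.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.1.23.40112 > 198.51.100.7.51820: UDP, length 148
12:00:01.020300 IP 198.51.100.7.51820 > 192.168.1.23.40112: UDP, length 92
12:00:02.500000 IP 192.168.1.23.68 > 192.168.1.1.67: UDP, length 300
12:00:05.731900 IP 192.168.1.23.47001 > 203.0.113.50.443: UDP, length 37
12:00:06.000400 IP 192.168.1.23.40112 > 198.51.100.7.51820: UDP, length 148
""".splitlines()

if __name__ == "__main__":
    for leak in find_vpn_leaks(SAMPLE_CAPTURE, "192.168.1.23",
                               ["198.51.100.7"], ["192.168.1.0/24"]):
        print("possible VPN bypass:", leak)
```

Taking the capture on the router or access point rather than on the phone keeps the measurement independent of the device being tested.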

Google's response

The researcher reported the issue to Android's security team, which classified it as "Won't Fix (Infeasible)" and "NSBC" (Not Security Bulletin Class), stating that it did not meet the threshold for inclusion in Android security advisories. The researcher appealed the decision, arguing that any application could leak identifying network information using only standard permissions, but Google maintained its position, authorizing public disclosure on April 29.

What GrapheneOS did

GrapheneOS responded by disabling the underlying optimization entirely in release 2026050400. Beyond the VPN leak fix, the latest release also includes:

  • The full May 2026 Android security patch level
  • Multiple hardened_malloc improvements
  • Linux kernel updates across Android's 6.1, 6.6, and 6.12 branches
  • A backported fix for CVE-2026-33636 in libpng
  • Newer Vanadium browser builds
  • Expanded Dynamic Code Loading restrictions

Temporary workaround for stock Android

The researcher noted that stock Android users could temporarily mitigate the issue manually through ADB by disabling the close_quic_connection DeviceConfig flag. However, that workaround requires developer access and may not persist indefinitely if Google removes the feature flag in future updates.

Bottom line

GrapheneOS has fixed a VPN leak that Google deemed not worth addressing. For users on stock Android, the only practical mitigation is the ADB workaround, which is neither permanent nor user-friendly. The GrapheneOS patch is available now for supported Pixel devices.
