GrapheneOS VPN IP Leak Vulnerability

Vulnerability

A vulnerability in GrapheneOS releases prior to 2026050400 allows applications to leak the real IP address of a VPN user. This issue arises from a QUIC connection optimization that lets apps send UDP traffic through the system_server process, bypassing VPN protections. The vulnerability is present even when the 'Block connections without VPN' and 'Always-on VPN' settings are enabled.

Impact

Exploitation of this vulnerability causes the device's actual public IP address to be exposed to external servers, undermining the privacy guarantees of the VPN service.

Reproduction

The vulnerability can be reproduced on a device running GrapheneOS prior to the fixed release by installing an application that requests 'INTERNET' and 'ACCESS_NETWORK_STATE' permissions. Once the app is installed, it can register a payload to be sent over UDP through the 'system_server' process, using the device's Wi-Fi IP as the source. After the payload is registered, the app can be closed or terminated, triggering 'system_server' to send the payload over the physical network, effectively bypassing the active VPN connection. This process can be automated with a proof-of-concept application that performs these steps.

Remediation

Users can update to GrapheneOS release 2026050400, which disables the problematic QUIC connection optimization and includes the May 2026 Android security patch. Instructions for updating are available on the GrapheneOS website.

Added: May 9, 2026, 11:21 PM
Updated: May 9, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 4.6
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.