
GrapheneOS Patch Stops Android 16 VPN Leak Caused by QUIC Feature


GrapheneOS rolled out update 2026050400, which patches a VPN leak affecting Android 16. The flaw lets apps holding only the INTERNET and ACCESS_NETWORK_STATE permissions register UDP payloads that bypass the device’s VPN tunnel, exposing the device’s real IP address even when “Always‑On VPN” is active. The issue surfaced last week after a researcher exposed it on a Pixel 8.

At the core, Android introduced a QUIC connection‑teardown optimization that accepted arbitrary CONNECTION_CLOSE frames without validating the sender. When a socket was destroyed, system_server pushed the payload directly over the physical interface, sidestepping VPN restrictions. GrapheneOS disabled this registerQuicConnectionClosePayload optimization, neutralizing the attack vector on supported Pixel devices.

Google classified the bug as “Won’t Fix (Infeasible)” and marked it as not qualifying for a security bulletin, sparking criticism from the researcher, who argued that any app could leak identifying data with standard permissions. The public disclosure on April 29 forced the community to act. GrapheneOS’s patch also bundles the May 2026 Android security patch level, kernel hardening, and a libpng CVE fix.

Users of stock Android can temporarily mitigate the leak by disabling the close_quic_connection flag via ADB, but the workaround requires developer access and may not survive future updates. With the new GrapheneOS release, privacy‑conscious developers and activists now have a robust, VPN‑secure platform that mitigates a previously unpatched Android flaw.