GrapheneOS has released a new update that fixes a recently disclosed Android VPN bypass flaw capable of leaking a user’s real IP address.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

GrapheneOS has patched an Android VPN bypass vulnerability that Google declined to fix, which could leak a user's real IP address even with Always-On VPN and lockdown mode enabled. The flaw, discovered by researcher Yusuf, stemmed from a new QUIC connection teardown feature in Android 16's networking stack. Apps with only standard INTERNET permissions could register arbitrary UDP payloads with system_server, which would then transmit them outside the VPN tunnel via the physical network interface. Google classified the issue as 'Won't Fix' and not security bulletin class. GrapheneOS's fix disables the registerQuicConnectionClosePayload optimization entirely. Stock Android users can temporarily mitigate via ADB by disabling the close_quic_connection DeviceConfig flag, though this workaround may not persist.

GrapheneOS fixes Android VPN leak Google refused to patch