
Calvin Wankhede / Android Authority
TL;DR
- GrapheneOS has patched an Android 16 VPN flaw that Google reportedly decided not to fix.
- The bug could let a malicious app leak small amounts of data outside an active VPN tunnel.
- In extreme cases, that means stock Android users could have their real IP address exposed, even with the strictest VPN lockdown controls enabled.
A VPN that can leak your location is a pretty big failure of the tech at the best of times, but it’s especially concerning when Android’s lockdown controls exist to reassure you that it won’t happen. That’s the problem GrapheneOS has now addressed in Android 16, with a fix for a VPN flaw Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by lowlevel/Yusuf recently disclosed a bug nicknamed Tiny UDP Cannon. The issue affects Android 16 and can allow a regular app to leak a small amount of data outside an active VPN tunnel, potentially exposing your real IP address.

While not a widespread risk, the biggest red flag with the bug is that this can apparently happen even when Android’s strictest VPN settings are enabled. “Always-on VPN” and “Block connections without VPN” are supposed to prevent any traffic from leaving your phone unless it goes through the VPN. They’re intended to give you extra peace of mind, but this bug creates a narrow way around that protection.
Before you panic, it’s worth noting that an attacker would need to get a malicious app onto your phone first to exploit this bug. That makes the day-to-day risk modest for most Android users, but it’s still not ideal if you rely on Android’s VPN lockdown mode as a serious privacy guarantee.


The flaw appears to stem from a networking optimization in Android 16. According to the researcher, Android doesn’t properly check whether a tiny packet of data sent while closing certain connections should be restricted by the VPN, so it can go out over the regular connection instead. Because that packet leaves over the regular connection rather than through the tunnel, whoever receives it sees your real IP address as its source, which undermines one of the biggest reasons people use VPNs in the first place.
Google’s Android Security Team reportedly classified the issue as “Won’t Fix (Infeasible)” and decided it wouldn’t be included in a security bulletin. GrapheneOS — the security-focused Android-based operating system for Pixel phones — took a different route, disabling the underlying feature entirely in release 2026050400.
For GrapheneOS fans, it’s another demonstration that the OS takes these privacy edge cases more seriously than its rivals. Stock Android users don’t have a neat official fix right now, though the researcher notes the feature can be turned off manually via an ADB command.
