GrapheneOS disabled a QUIC connection teardown API in release 2026050400 to fix an Android 16 VPN bypass that leaked real IP addresses despite lockdown mode.
Key Takeaways
The flaw let any app holding only the ordinary INTERNET and ACCESS_NETWORK_STATE permissions hand system_server an arbitrary UDP payload via registerQuicConnectionClosePayload; system_server later transmitted that payload on the app's behalf, and those packets left the device outside the VPN tunnel.
Android’s “Always-On VPN” and “Block connections without VPN” lockdown protections were fully enabled and still bypassed, demonstrated on a Pixel 8 with Proton VPN.
Google classified the bug “Won’t Fix (Infeasible)” and “Not Security Bulletin Class” after the researcher appealed; public disclosure was authorized April 29, 2025.
Stock Android workaround: disable the close_quic_connection DeviceConfig flag via ADB – requires developer access and may not survive future updates.
GrapheneOS release 2026050400 also ships the full May 2026 security patch, hardened_malloc improvements, kernel updates across 6.1/6.6/6.12, a libpng CVE-2026-33636 backport, and expanded Dynamic Code Loading restrictions.
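The stock-Android workaround above, written out as an added example; this is not code from the article, the researcher or GrapheneOS. It checks the flag, writes the override, stops the device from re-syncing server-side flag values over it, and can revert the change. Two things the page does not state are assumed here and must be confirmed on your own device: that the flag lives in the "connectivity" DeviceConfig namespace, and that "false" is the value that disables it.

```shell
#!/bin/sh
# Added example; not code from the article, the researcher or GrapheneOS.
# Applies, checks and reverts the stock-Android workaround of disabling the
# close_quic_connection DeviceConfig flag over adb.
# ASSUMED (not stated on the page): the flag lives in the "connectivity"
# namespace and "false" is the value that disables it. Check what
# `device_config get` reports on your own device before trusting either.
set -eu

ADB="${ADB:-adb}"                          # command used to reach the device
NAMESPACE="${QUIC_FLAG_NS:-connectivity}"  # assumed namespace
FLAG="close_quic_connection"               # flag named on the page
OFF_VALUE="${QUIC_FLAG_OFF:-false}"        # assumed "disabled" value

# Print the flag's current value. `device_config get` prints "null" for an
# unset key; that is normalised to "unset" here.
flag_state() {
    raw=$("$ADB" shell device_config get "$NAMESPACE" "$FLAG" 2>/dev/null | tr -d '\r')
    case "$raw" in
        ""|null) echo unset ;;
        *)       echo "$raw" ;;
    esac
}

# Succeed (exit 0) only when the flag currently holds the disabling value.
flag_is_disabled() {
    [ "$(flag_state)" = "$OFF_VALUE" ]
}

# Write the override and keep the device from re-syncing server-side flag
# values over it. "persistent" survives reboots, but the page's caveat still
# applies: an OS update can reset this, so re-run `status` after every update.
apply_workaround() {
    "$ADB" shell device_config set_sync_disabled_for_tests persistent
    "$ADB" shell device_config put "$NAMESPACE" "$FLAG" "$OFF_VALUE"
    if ! flag_is_disabled; then
        echo "flag not applied, device reports: $(flag_state)" >&2
        return 1
    fi
}

# Remove the override and let flag syncing resume.
revert_workaround() {
    "$ADB" shell device_config delete "$NAMESPACE" "$FLAG"
    "$ADB" shell device_config set_sync_disabled_for_tests none
}

case "${1:-}" in
    apply)  apply_workaround && echo "$FLAG disabled" ;;
    revert) revert_workaround && echo "override removed" ;;
    status) echo "$FLAG=$(flag_state)" ;;
    *)      ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Usage: `sh quic_flag_workaround.sh status` before and after `sh quic_flag_workaround.sh apply`; the script only needs a device with USB debugging enabled and adb authorised, which is the "developer access" the takeaway refers to. Setting `ADB`, `QUIC_FLAG_NS` or `QUIC_FLAG_OFF` in the environment overrides the assumed defaults once you know the real namespace and value for your build.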
Hacker News Comment Review
Commenters stressed that the violation occurs inside system_server, a privileged process explicitly exempt from VPN routing – making Google’s “not security class” ruling difficult to defend on technical grounds.
iOS was noted to have a similar system-process VPN exclusion by default, with the workaround requiring an enterprise MDM license; the problem is not unique to Android.
Practical GrapheneOS adoption friction surfaced: used Pixel prices, bootloader unlock uncertainty, and app store fragmentation (built-in store, Accrescent, then a third manager) were recurring concerns; a GrapheneOS-Motorola partnership was cited as a future relief path.
Notable Comments
@idovmamane: Pinpoints the kernel-level promise break – lockdown mode guarantees no traffic bypasses VPN, yet system_server sends the packet over the physical interface directly.