GrapheneOS fixes Android VPN leak Google refused to patch


TLDR

  • GrapheneOS disabled the registerQuicConnectionClosePayload API to fix an Android 16 VPN bypass that leaked real IP addresses despite lockdown mode.

Key Takeaways

  • The flaw let any app with only INTERNET and ACCESS_NETWORK_STATE permissions register arbitrary UDP payloads via system_server, which sent them outside the VPN tunnel.
  • system_server runs with elevated network privileges exempt from VPN routing, making this a structural bypass of Android’s lockdown protections.
  • Google classified the bug as “Won’t Fix (Infeasible)” and “Not Security Bulletin Class” even after the researcher appealed, then authorized public disclosure on April 29.
  • GrapheneOS release 2026050400 neutralizes the vector by disabling the QUIC optimization entirely on supported Pixel devices.
  • Stock Android users can temporarily disable the close_quic_connection DeviceConfig flag via ADB, but the workaround requires developer access and may not persist.

Hacker News Comment Review

  • Commenters are skeptical of Google’s “infeasible” classification, viewing it as a policy or organizational failure rather than a legitimate technical assessment.
  • Some commenters go further, framing Google’s inaction as evidence of intentional backdoor behavior rather than negligence, reflecting broader distrust of stock Android security posture.
