GrapheneOS patches an Android VPN bypass that Google decided to leave alone

A small flaw in Android 16's networking stack let ordinary apps leak data outside the VPN tunnel, exposing real IP addresses

• An Android 16 flaw may let ordinary apps leak traffic outside an active VPN
• Google's Android Security Team declined to patch the bug
• GrapheneOS has shipped an update that disables the underlying feature

GrapheneOS, the privacy-focused alternative Android distribution, has just patched a newly discovered Android VPN flaw that Google decided to leave alone.

A security researcher discolsed the bug last week, showing that even the best VPN apps may be undermined by the operating system underneath it in some extreme circumstances. The flaw, nicknamed the "Tiny UDP Cannon," affects Android 16 and may allow a regular app to leak data outside an active VPN tunnel.

The leak works even when users have enabled Android's strictest privacy settings, including "Always-On VPN" and "Block ...