
Calvin Wankhede / Android Authority
TL;DR
- GrapheneOS has fixed an Android 16 VPN flaw that Google reportedly declined to fix.
- The bug lets malware leak small amounts of data outside an active VPN tunnel.
- In the worst case, a stock Android user's real IP address can be exposed even with the strictest VPN lockdown controls enabled.
A VPN that can leak your real IP address is a serious failure at the best of times, and it is worse when Android's lockdown controls exist precisely to stop that from happening. That is the problem GrapheneOS has now addressed by fixing a VPN flaw in Android 16 that Google has reportedly decided to leave alone.
As reported by TechRadar, a security researcher going by low level / Yusuf recently described the flaw, which he calls Tiny UDP Cannon. The issue affects Android 16 and allows an ordinary app to leak small amounts of data outside an active VPN tunnel, potentially exposing your real IP address.

While not a widespread risk, the bug's biggest red flag is that it works even with Android's strictest VPN settings enabled. Always-on VPN combined with "Block connections without VPN" is supposed to stop any traffic from leaving your phone unless it goes through the tunnel. Those settings are meant to give you extra assurance, but this bug opens a narrow way around that protection.
Before you panic, note that an attacker first needs to get malware onto your phone to exploit this bug. That keeps the day-to-day risk modest for most Android users, but it is still not ideal if you rely on Android's VPN lockdown mode as a strict privacy guarantee.
The flaw stems from a network optimization introduced in Android 16. According to the researcher, when Android tears down certain connections it does not properly check whether the small packet it sends at that point should be confined to the VPN, so the packet can leave over the normal, non-VPN network instead. Because that packet leaves outside the tunnel, it carries your real IP address to whoever receives it, which undermines one of the main reasons people use a VPN in the first place.
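The practical way to confirm the behaviour described above is not to trust the lockdown toggle but to watch the phone's physical interface: while a lockdown VPN is up, the only packets on wlan0 or the mobile-data interface should be the VPN's own encapsulated traffic to its server. The following Python script is an added example, not code from the article or from the researcher; it checks a `tcpdump -n -i wlan0` text capture for anything that leaves outside the tunnel. The capture lines, the VPN server address 203.0.113.7 and its UDP port 51820 are constructed for illustration, and the check is deliberately general: the article's bug leaks UDP, but any non-tunnel packet on the physical interface is a leak under lockdown semantics, whatever the protocol.

```python
"""Offline VPN-lockdown leak check over a tcpdump text capture.

Added example (not the article's or the researcher's code). Under Android's
"Block connections without VPN", the only traffic on the physical interface
should be the VPN's own tunnel packets to its server. Anything else is a
leak candidate; the small teardown packet described in the article would
show up here as a short UDP datagram to a non-VPN destination.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `tcpdump -n -i wlan0` output (not a real capture).
# The VPN server 203.0.113.7:51820 and the rogue destination are assumptions.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 192.168.1.23.41120 > 203.0.113.7.51820: UDP, length 148
12:00:00.130000 IP 203.0.113.7.51820 > 192.168.1.23.41120: UDP, length 92
12:00:01.000000 IP 192.168.1.23.5353 > 224.0.0.251.5353: UDP, length 60
12:00:02.250000 IP 192.168.1.23.49732 > 198.51.100.42.4444: UDP, length 12
12:00:03.000000 IP 192.168.1.23.41120 > 203.0.113.7.51820: UDP, length 1280
"""
VPN_SERVER = "203.0.113.7"   # assumed tunnel endpoint
VPN_PORT = 51820             # assumed tunnel port

# tcpdump -n line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_tcpdump(text: str) -> list[Packet]:
    """Parse tcpdump text lines; non-IP lines (ARP, truncated output) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("UDP"):
            proto = "UDP"
        elif rest.startswith("Flags"):
            proto = "TCP"
        else:
            proto = "OTHER"
        lm = LEN_RE.search(rest)
        packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), proto,
                              int(lm.group(1)) if lm else 0))
    return packets


def _is_local_noise(addr: str) -> bool:
    """Multicast, link-local and broadcast chatter (mDNS, NDP) never leaves
    the LAN, so it is reported separately from real off-LAN leaks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_multicast or ip.is_link_local or addr == "255.255.255.255"


def find_leaks(packets: list[Packet], vpn_server: str, vpn_port: int) -> list[Packet]:
    """Return every packet on the physical interface that is neither tunnel
    traffic to/from the VPN server nor local LAN noise."""
    leaks = []
    for p in packets:
        to_tunnel = p.dst == vpn_server and p.dport == vpn_port
        from_tunnel = p.src == vpn_server and p.sport == vpn_port
        if to_tunnel or from_tunnel:
            continue
        if _is_local_noise(p.dst) or _is_local_noise(p.src):
            continue
        leaks.append(p)
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(parse_tcpdump(SAMPLE_CAPTURE), VPN_SERVER, VPN_PORT):
        print(f"LEAK {leak.ts} {leak.proto} {leak.src}:{leak.sport} -> "
              f"{leak.dst}:{leak.dport} ({leak.length} bytes)")
```

On a real device you would run `tcpdump` (or capture from a root shell on a test handset) on the physical interface with the VPN in lockdown mode, then feed the text through `parse_tcpdump` and `find_leaks` with your own VPN server address and port. A 12-byte datagram to an address that is not your VPN server, as in the constructed sample, is exactly the kind of packet the article says should be impossible under lockdown.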
Google's Android Security Team has reportedly classified the issue as "Won't Fix (Infeasible)" and decided not to address it in the Android Security Bulletin. GrapheneOS, a security-focused Android-based operating system for Pixel phones, took a different path and disabled the responsible feature entirely in release 2026050400.
For GrapheneOS users, this is another demonstration that the project takes these privacy issues more seriously than its competitors. Stock Android users currently have no official fix, though the researcher notes that the feature can be disabled manually with an ADB command.