CVE-2026-45182 Overview
CVE-2026-45182 affects GrapheneOS versions prior to release 2026050400. The flaw allows an attacker to discover the real IP address of a VPN user when both the "Block connections without VPN" and "Always-on VPN" settings are enabled. The leak originates from a registerQuicConnectionClosePayload optimization that permits an application to have system_server transmit UDP traffic on its behalf, bypassing the VPN tunnel. The issue is classified under CWE-441 (Unintended Proxy or Intermediary, also known as Confused Deputy).
Critical Impact
A malicious application can deanonymize the user by causing privileged system code to leak the device's real public IP outside the VPN tunnel, defeating user expectations of network isolation.
Affected Products
- GrapheneOS releases before 2026050400
- Devices configured with "Always-on VPN" enabled
- Devices configured with "Block connections without VPN" enabled
Discovery Timeline
- 2026-05-09 - CVE-2026-45182 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45182
Vulnerability Analysis
The vulnerability is a confused deputy condition in Android's system_server process as shipped on GrapheneOS. Android's VPN enforcement applies routing and firewall rules to user applications, but system_server runs with elevated privileges and is exempt from the same constraints. The registerQuicConnectionClosePayload API was designed to optimize QUIC connection teardown by allowing the system to send a final UDP payload after an application's network socket closes. A crafted application can register an arbitrary UDP payload and destination and then exit; because system_server is not subject to the application's network restrictions, it transmits that payload directly over the underlying network interface rather than through the VPN tunnel.
The outcome is a one-way UDP leak that reveals the real IP address of the device to an attacker-controlled endpoint, even when the user has enabled the strongest VPN lockdown settings Android offers. Exploitation is local and requires a malicious or compromised application to be installed and run by the user.
Root Cause
The root cause is that the QUIC close-payload optimization in system_server does not honor the per-UID VPN routing policy that applies to the requesting application. Traffic generated on behalf of an app inherits the privileges of system_server and escapes the VPN, breaking the security boundary the user configured.
Attack Vector
A local application registers a QUIC connection close payload targeting an attacker-controlled server. When the registration is processed, system_server emits the UDP datagram outside the VPN. The attacker server records the source IP, deanonymizing the user. User interaction is required to install and run the malicious application. See the LowLevel blog post on the VPN bypass and CyberInsider's coverage of the Android VPN leak for additional technical context.
Detection Methods for CVE-2026-45182
Indicators of Compromise
- Outbound UDP datagrams originating from the device's real network interface while an Always-on VPN is active and "Block connections without VPN" is enabled.
- DNS or UDP traffic to unexpected destinations immediately following application launch or termination events.
- Newly installed applications that request network access and exhibit short-lived QUIC connection patterns.
Detection Strategies
- Compare the device's observed public IP from external services against the VPN provider's expected egress IP to identify leaks.
- Capture packet traces on the local network or upstream gateway and confirm whether any UDP traffic bypasses the VPN interface while lockdown settings are enabled.
- Review installed application inventories for untrusted packages with network permissions on devices used for sensitive work.
Monitoring Recommendations
- Log VPN tunnel state transitions and correlate them with outbound UDP flows at the network egress point.
- Alert on traffic from mobile endpoints that does not transit the expected VPN concentrator when always-on policy is mandated.
- Track GrapheneOS build identifiers across managed devices to confirm the patched release 2026050400 or later is deployed.
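The egress-side correlation described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the advisory: it parses constructed gateway flow-log lines, tracks constructed VPN tunnel state events per device, and flags any flow from a managed always-on endpoint that does not go to the expected VPN concentrator while its tunnel is up. The log format, the concentrator address and the device addresses are assumptions.

```python
from dataclasses import dataclass

# Assumed: the VPN concentrator that all traffic from a locked-down device must reach.
VPN_CONCENTRATOR = ("198.51.100.10", 1194)   # placeholder (TEST-NET-2)

# Constructed gateway flow log, one key=value record per line.
FLOW_LOG = """\
ts=1778300000 src=192.0.2.20 dst=198.51.100.10:1194 proto=udp
ts=1778300005 src=192.0.2.20 dst=198.51.100.10:1194 proto=udp
ts=1778300042 src=192.0.2.20 dst=203.0.113.99:443 proto=udp
ts=1778300050 src=192.0.2.21 dst=203.0.113.50:443 proto=tcp
ts=1778300200 src=192.0.2.20 dst=203.0.113.99:443 proto=udp
"""
# Constructed VPN tunnel state transitions: (epoch seconds, device address, state).
VPN_EVENTS = [(1778299990, "192.0.2.20", "up"), (1778300150, "192.0.2.20", "down")]
# Constructed set of endpoints where always-on VPN with lockdown is mandated.
MANAGED_DEVICES = {"192.0.2.20"}

@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst_ip: str
    dst_port: int
    proto: str

def parse_flow(line):
    """Parse one 'k=v k=v ...' flow record into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    ip, port = kv["dst"].rsplit(":", 1)
    return Flow(int(kv["ts"]), kv["src"], ip, int(port), kv["proto"])

def tunnel_up(events, src, ts):
    """True if the latest state event for src at or before ts says the tunnel is up."""
    state = "down"
    for ets, esrc, estate in sorted(events):
        if esrc == src and ets <= ts:
            state = estate
    return state == "up"

def find_leaks(log_text, events, managed):
    """Return flows from managed devices that bypassed the concentrator while the tunnel was up.
    With 'Block connections without VPN' enabled, any such flow violates policy; the
    advisory's leak appears here as a single UDP flow to an unexpected destination."""
    leaks = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f.src not in managed or (f.dst_ip, f.dst_port) == VPN_CONCENTRATOR:
            continue
        if tunnel_up(events, f.src, f.ts):
            leaks.append(f)
    return leaks
```

The flow at ts=1778300200 is not flagged because the tunnel had already gone down; a separate rule for traffic seen while the tunnel is down is worth adding on networks where the device should be silent in that state.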
How to Mitigate CVE-2026-45182
Immediate Actions Required
- Update GrapheneOS to release 2026050400 or later, which contains the fix for the registerQuicConnectionClosePayload leak.
- Audit installed applications and remove any untrusted packages on devices that rely on VPN-based anonymity.
- Re-verify that "Always-on VPN" and "Block connections without VPN" remain enabled after the update.
Patch Information
GrapheneOS addressed the vulnerability in release 2026050400. Details are published in the GrapheneOS release notes. Google declined to patch the underlying Android behavior, so the fix is currently specific to GrapheneOS.
Workarounds
- Restrict installation to vetted applications from trusted sources until the device is updated.
- Use a VPN client that enforces routing at a layer outside system_server where feasible, or route the device through an upstream network gateway that drops non-tunnel traffic.
- For high-assurance use cases, treat the device's real IP as potentially exposed until the patched build is confirmed installed.
# Verify the running GrapheneOS build is patched (2026050400 or later).
# Print the Android version, the build timestamp and the build identifier,
# then compare them against the release notes for 2026050400.
adb shell getprop ro.build.version.release
adb shell getprop ro.build.date.utc
adb shell getprop ro.build.id
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.