CVE-2026-45182
Description
GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GrapheneOS fixes a VPN IP leak (CVE-2026-45182) from an Android QUIC optimization that let apps bypass lockdown VPN settings.
Vulnerability Overview
CVE-2026-45182 describes a low-severity information disclosure in GrapheneOS versions prior to 2026050400. The flaw stems from a QUIC connection close payload optimization (registerQuicConnectionClosePayload) that allowed an unprivileged application to have the system_server process transmit UDP traffic on its behalf [1]. This occurred even when the user had enabled both the "Block connections without VPN" and "Always-on VPN" settings, which are intended to prevent any traffic from leaving the VPN tunnel [1].
Exploitation Details
The attack does not require the app to send packets directly. Instead, an application with the automatically granted INTERNET and ACCESS_NETWORK_STATE permissions can register a UDP socket and a payload with system_server via a Binder method [2]. When the socket is destroyed, system_server (UID 1000, exempt from VPN routing restrictions) sends the payload directly on the original network interface, bypassing VPN enforcement [2][3]. Because VPN lockdown filters apply to app UIDs, not the system UID, the packet passes the intended protections and reveals the user's real public IP address to an attacker-controlled remote server [2].
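The UID-keyed filtering described above, as a small Python model added here for illustration (it is not GrapheneOS or Android code). The `on_behalf_of` audit field, the interface names `tun0` and `wlan0`, and the single-user UID layout are constructed assumptions.

```python
"""Toy model of UID-keyed VPN lockdown filtering (constructed, not Android code)."""
from dataclasses import dataclass

SYSTEM_UID = 1000       # system_server, as stated in the description above
FIRST_APP_UID = 10000   # Android application UIDs start here (single-user view)


@dataclass(frozen=True)
class Packet:
    sender_uid: int     # UID the send is attributed to
    on_behalf_of: int   # UID that supplied the payload (hypothetical audit field)
    iface: str          # egress interface (assumed names: "tun0" VPN, "wlan0" underlying)


def lockdown_allows(pkt, vpn_iface="tun0"):
    """Lockdown as described: only app UIDs are confined to the VPN interface."""
    if pkt.sender_uid >= FIRST_APP_UID:
        return pkt.iface == vpn_iface
    return True  # the system UID is exempt from the filter


def close_payload_packets(app_uid, underlying_iface, optimization_enabled):
    """Packets system_server emits when a registered socket is destroyed."""
    if not optimization_enabled:
        return []  # behaviour after the fix: the optimization is disabled
    # The send is attributed to system_server, not to the requesting app.
    return [Packet(SYSTEM_UID, app_uid, underlying_iface)]


def find_leaks(packets, vpn_iface="tun0"):
    """Audit: packets that pass the filter yet leave outside the VPN tunnel."""
    return [p for p in packets
            if lockdown_allows(p, vpn_iface) and p.iface != vpn_iface]


if __name__ == "__main__":
    app_uid = 10123  # constructed sample UID
    direct = Packet(app_uid, app_uid, "wlan0")
    print("direct app send allowed:", lockdown_allows(direct))
    for enabled in (True, False):
        leaks = find_leaks(close_payload_packets(app_uid, "wlan0", enabled))
        print(f"optimization_enabled={enabled}: {len(leaks)} leaked packet(s)")
```

The filter decision depends only on `sender_uid`, so attributing egress to the requesting UID (`on_behalf_of`) is what lets an audit tie the leaked packet back to the app.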
Impact
An attacker exploiting this vulnerability can learn the actual IP address of a VPN user, defeating the privacy guarantees provided by VPN lockdown settings [2][3]. This could deanonymize journalists, activists, or other users relying on the VPN for anonymity, with no additional permissions beyond those automatically granted to every Android app [2].
Mitigation Status
GrapheneOS released a fix in build 2026050400 that disables the registerQuicConnectionClosePayload optimization, closing the vulnerability [1]. Google was reportedly notified via the Android VRP but declined to patch the issue, claiming it was outside their threat model [2]. Affected GrapheneOS users should update to the latest release to protect against this leak [1][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2026050400
- Range: <2026050400
Patches
No patches discovered yet.
References