Skip to main content

GrapheneOS CVE-2026-45182

LOW
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-09 mitre
2.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.2 LOW
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 09, 2026 - 23:00 vuln.today
CVE Published
May 09, 2026 - 22:07 nvd
LOW 2.2

DescriptionCVE.org

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.

AnalysisAI

GrapheneOS versions before 2026050400 leak the real IP address of VPN users through a registerQuicConnectionClosePayload optimization that allows applications to request system_server transmit UDP traffic on their behalf, bypassing VPN confinement when both 'Block connections without VPN' and 'Always-on VPN' are enabled. This information disclosure affects users relying on VPN privacy protections and requires local access with user interaction to trigger, resulting in a CVSS 2.2 score despite the privacy-sensitive nature of IP address leakage.

Technical ContextAI

GrapheneOS implements VPN enforcement through Android's VPN framework, which typically routes all application traffic through the VPN tunnel. The vulnerability exploits a QUIC connection close optimization in registerQuicConnectionClosePayload that allows applications to delegate UDP transmission to system_server, a privileged system process. This delegation mechanism can bypass the per-application VPN routing controls because system_server operates outside the normal per-app VPN constraints. The root cause (CWE-441: Unintended Proxy/Intermediary) occurs because an unprivileged application can manipulate a privileged process (system_server) into performing network operations outside the VPN tunnel. The vulnerability is specific to GrapheneOS's implementation of this QUIC optimization and affects the fundamental assumption that system_server traffic respects per-app VPN routing policies.

RemediationAI

Users must upgrade to GrapheneOS build 2026050400 or later, which patches the registerQuicConnectionClosePayload optimization to prevent application-initiated system_server UDP transmission outside the VPN tunnel. The patch is available via the standard GrapheneOS release mechanism (grapheneos.org/releases#2026050400). There are no documented workarounds that maintain QUIC functionality; users seeking immediate mitigation must disable 'Always-on VPN' if they cannot upgrade, though this reduces VPN enforcement to opt-in mode and does not fully eliminate the vulnerability if applications can still request system_server delegation. As a temporary measure pending upgrade, users can disable QUIC support in applications if available in app settings, though this is not a reliable defense since QUIC is increasingly transparent to applications. Blocking UDP port 53 and 443 at the network level may reduce outbound UDP leakage but will not prevent the vulnerability and will break legitimate QUIC traffic.

Share

CVE-2026-45182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy