Skip to main content

GrapheneOS CVE-2026-45182

LOW
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-05-09 mitre
Information Disclosure
2.2
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 09, 2026 - 23:00 vuln.today
CVE Published
May 09, 2026 - 22:07 nvd
LOW 2.2

DescriptionNVD

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.

AnalysisAI

GrapheneOS versions before 2026050400 leak the real IP address of VPN users through a registerQuicConnectionClosePayload optimization that allows applications to request system_server transmit UDP traffic on their behalf, bypassing VPN confinement when both 'Block connections without VPN' and 'Always-on VPN' are enabled. This information disclosure affects users relying on VPN privacy protections and requires local access with user interaction to trigger, resulting in a CVSS 2.2 score despite the privacy-sensitive nature of IP address leakage.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-45182 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy