Grapheneos
Monthly
GrapheneOS versions before 2026050400 leak the real IP address of VPN users through a registerQuicConnectionClosePayload optimization that allows applications to request system_server transmit UDP traffic on their behalf, bypassing VPN confinement when both 'Block connections without VPN' and 'Always-on VPN' are enabled. This information disclosure affects users relying on VPN privacy protections and requires local access with user interaction to trigger, resulting in a CVSS 2.2 score despite the privacy-sensitive nature of IP address leakage.
GrapheneOS versions before 2026050400 leak the real IP address of VPN users through a registerQuicConnectionClosePayload optimization that allows applications to request system_server transmit UDP traffic on their behalf, bypassing VPN confinement when both 'Block connections without VPN' and 'Always-on VPN' are enabled. This information disclosure affects users relying on VPN privacy protections and requires local access with user interaction to trigger, resulting in a CVSS 2.2 score despite the privacy-sensitive nature of IP address leakage.