May 9, 2026
VPN? More like Very Public Network
GrapheneOS fixes Android VPN leak Google refused to patch
Google said an IP leak wasn’t a big deal, and the comments absolutely lost it
TLDR: A researcher found that Android could reveal a user’s real internet address even with VPN lockdown turned on, and GrapheneOS fixed it while Google declined to patch it. Commenters were furious, accusing Google of downplaying a privacy failure and questioning whether Android’s privacy promises mean much at all.
Nothing gets the privacy crowd frothing quite like a company saying “not a security issue” after a phone quietly spills your real internet address. That’s the mess here: a researcher showed that even when Android users flipped on the strongest VPN protections — basically the setting that says don’t let anything out unless it goes through the private tunnel — the phone could still send data outside it. GrapheneOS stepped in and killed the feature causing the leak on supported Pixel phones. Google, meanwhile, reportedly stamped it “Won’t Fix” and moved on. And yes, the comments went full scorched earth.
The angriest reactions were aimed at the sheer audacity of calling a VPN leak unimportant. One commenter basically asked how anyone could say that with a straight face. Another called the whole thing a “backdoor,” while others treated it as proof that stock Android can’t be trusted if privacy is the goal. The most damning criticism wasn’t even the bug itself — it was the idea that Android’s own lockdown promise got broken by the system, not some shady app. That detail had commenters seeing red.
Then came the existential dread: “So a VPN isn’t a VPN on Android?” one person asked, which is about as subtle as throwing a chair at the group chat. The jokes were dark, the hot takes were hotter, and the overall vibe was clear: GrapheneOS looks like the hero of the privacy fandom today, while Google is getting dragged like it just replied “working as intended.”
Key Points
- GrapheneOS says it fixed an Android 16 VPN leak by disabling the registerQuicConnectionClosePayload optimization in release 2026050400.
- The flaw allowed ordinary Android apps with standard permissions to register arbitrary UDP payloads that system_server later sent outside the VPN tunnel.
- The article says the leak could occur even when Android’s Always-On VPN and Block connections without VPN protections were enabled.
- The researcher demonstrated the issue on a Pixel 8 running Android 16 with Proton VPN, where the device’s real public IP address was reportedly exposed.
- Google classified the report as Won’t Fix and NSBC, while GrapheneOS also bundled other security updates in the same release.