
A VPN that leaks your location defeats the entire purpose of using one. That’s exactly the problem GrapheneOS has now solved in Android 16, with a fix for a VPN flaw that Google has reportedly decided to ignore.
The security-focused operating system has patched what researchers call the “Tiny UDP Cannon” bug – a vulnerability that could let malicious apps leak small amounts of data outside an active VPN tunnel, potentially exposing users’ real IP addresses even when Android’s strictest privacy controls are enabled.
As reported by security researcher lowlevel/Yusuf, this Android 16 bug creates a narrow but concerning workaround for VPN protections. The flaw affects Android’s “Always-On VPN” and “Block connections without VPN” settings – features specifically designed to prevent any traffic from leaving your phone unless it goes through the VPN tunnel.
The vulnerability stems from a networking optimization in Android 16. When certain connections close, Android fails to properly check whether tiny data packets should be restricted by VPN rules. Instead, these packets can slip out through the regular internet connection. If a malicious app ensures these packets contain identifying information like your IP address, it undermines the core privacy protection that VPNs provide.
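Added example, not taken from the article or the researcher's write-up: a Python check a defender can run over a capture of the phone's physical interface to confirm that, with lockdown enabled, the only UDP traffic leaving the device is the encapsulated tunnel traffic to the VPN endpoint, which is exactly the property the bug described above breaks. The VPN endpoint address, the phone's address and the tcpdump-style capture lines are all constructed for this illustration (documentation address ranges); how the capture is obtained (tcpdump on the device where available, or a mirror port on the Wi-Fi access point) is assumed, and since the article does not name the ADB setting for the affected feature, the example does not try to toggle it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed VPN endpoint (TEST-NET-3 documentation address, constructed for this example).
VPN_SERVER = ("203.0.113.5", 51820)

# Constructed tcpdump -n style lines standing in for a capture of the phone's
# physical interface (wlan0). These lines are made up; they are not real traffic.
# Line 3 models the article's leak: a tiny datagram to a remote host that is not
# the VPN endpoint, sent while lockdown is supposedly in force.
SAMPLE_CAPTURE = """\
12:00:00.000101 IP 192.168.1.23.51820 > 203.0.113.5.51820: UDP, length 148
12:00:00.000202 IP 192.168.1.23.51820 > 203.0.113.5.51820: UDP, length 1200
12:00:00.000303 IP 192.168.1.23.40211 > 198.51.100.77.40000: UDP, length 12
12:00:00.000404 IP 203.0.113.5.51820 > 192.168.1.23.51820: UDP, length 92
12:00:00.000505 IP 192.168.1.23.68 > 192.168.1.1.67: UDP, length 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

# RFC 1918 and link-local ranges: traffic here (DHCP to the router, mDNS) is
# normal link maintenance on the physical interface and reaches no remote observer.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class Datagram:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(text: str) -> list[Datagram]:
    """Parse tcpdump -n UDP/IPv4 summary lines; anything else is skipped."""
    datagrams = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            datagrams.append(Datagram(m["ts"], m["src"], int(m["sport"]),
                                      m["dst"], int(m["dport"]), int(m["length"])))
    return datagrams


def is_lan(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LAN_NETWORKS)


def find_leaks(datagrams, local_ip, vpn_server):
    """Return outbound datagrams that left the physical interface without being
    addressed to the VPN endpoint. With "Block connections without VPN" working
    as intended, this list must be empty."""
    vpn_ip, vpn_port = vpn_server
    leaks = []
    for d in datagrams:
        if d.src != local_ip:
            continue  # inbound traffic, or another host on the LAN
        if (d.dst, d.dport) == (vpn_ip, vpn_port):
            continue  # encapsulated tunnel traffic: the one legitimate egress
        if is_lan(d.dst):
            continue  # DHCP/mDNS and similar link-local housekeeping
        leaks.append(d)
    return leaks


def leak_report(text, local_ip, vpn_server):
    """Summarise leaks: count, total bytes, and the remote destinations reached."""
    leaks = find_leaks(parse_capture(text), local_ip, vpn_server)
    return {
        "leaked_datagrams": len(leaks),
        "leaked_bytes": sum(d.length for d in leaks),
        "destinations": sorted({f"{d.dst}:{d.dport}" for d in leaks}),
    }


if __name__ == "__main__":
    print(leak_report(SAMPLE_CAPTURE, "192.168.1.23", VPN_SERVER))
```

On the constructed capture the report flags one 12-byte datagram to 198.51.100.77:40000, which is the shape of leak the article describes: small, outside the tunnel, and enough to hand the observer the phone's real source address. Counting bytes on the physical interface alone would not detect this, because the tunnel's own encapsulated traffic legitimately egresses there too; the check has to be per destination.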
While this isn’t a widespread threat for most users, it represents a significant concern for anyone relying on Android’s VPN lockdown mode for serious privacy protection. An attacker would still need to get a malicious app installed on your device first, which limits the immediate risk for typical users who stick to official app stores and avoid suspicious downloads.
Google’s Android Security Team reportedly classified the issue as “Won’t Fix (Infeasible)” and decided against including it in security bulletins. This decision highlights a philosophical difference between Google’s approach to edge-case vulnerabilities and that of privacy-focused alternatives.
GrapheneOS took the opposite approach, completely disabling the problematic networking feature in release 2026050400. For users of the Pixel-focused operating system, this represents another example of how alternative Android distributions can prioritize privacy over performance optimizations.
The fix comes at a time when VPN usage continues growing, driven by increased awareness of digital privacy and security threats. Corporate data breaches, government surveillance concerns, and the rise of remote work have all contributed to VPNs becoming mainstream privacy tools rather than niche technical solutions.
For stock Android users without access to the GrapheneOS fix, the researcher notes that the vulnerable feature can be manually disabled using ADB commands. However, this technical workaround isn’t practical for most users and requires both technical knowledge and computer access.
This situation also reflects broader tensions in the Android ecosystem between Google’s mainstream approach and the security community’s demands for more aggressive privacy protections. While Google often focuses on fixes that affect large numbers of users, specialized distributions like GrapheneOS can afford to prioritize theoretical vulnerabilities that might only affect small groups of high-risk users.
The GrapheneOS fix demonstrates how alternative Android distributions continue carving out their niche by addressing security gaps that major vendors leave unfixed. For privacy-conscious users, particularly those in high-risk situations, these differences can be significant factors in choosing which operating system to trust with their digital security.