Vulnerability Description
GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://cyberinsider.com/grapheneos-fixes-android-vpn-leak-google-refused-to-pat
- https://grapheneos.org/releases#2026050400
- https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/
- https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/
FAQ
What is CVE-2026-45182?
CVE-2026-45182 is a vulnerability with a CVSS score of 2.2 (LOW). GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system...
How severe is CVE-2026-45182?
CVE-2026-45182 has been rated LOW with a CVSS base score of 2.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45182?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.