CVE-2026-45182

LOW 2.2

CVSS Score

2.2

EPSS Score

0.0%

EPSS Percentile

1th

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.

CWE	CWE-441
Vendor	grapheneos
Product	grapheneos
Published	May 9, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for grapheneos grapheneos

Be the first to know when new low vulnerabilities affecting grapheneos grapheneos are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

GrapheneOS / GrapheneOS

0 < 2026050400

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lowlevel.fun: https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/ grapheneos.org: https://grapheneos.org/releases#2026050400 cyberinsider.com: https://cyberinsider.com/grapheneos-fixes-android-vpn-leak-google-refused-to-patch/