CVE-2026-45182

Summary

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled.

Affected Software

VendorProductVersion RangeStatus
GrapheneOSGrapheneOS0 < 2026050400affected

Weaknesses

  • CWE-441: CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References