IP Address Exposure Vulnerability in GrapheneOS by GrapheneOS
CVE-2026-45182

2.2 LOW

Key Information:

Vendor: GrapheneOS

CVE Published: 9 May 2026

What is CVE-2026-45182?

An IP address exposure vulnerability exists in GrapheneOS that can allow attackers to uncover the true IP address of users who rely on VPN services. The flaw stems from an optimization in registerQuicConnectionClosePayload and arises when both the 'Block connections without VPN' and 'Always-on VPN' features are enabled. As a result, applications can manipulate system_server to route UDP traffic, compromising user anonymity and confidentiality. Users of GrapheneOS should update to version 2026050400 or later to mitigate this risk.

Affected Version(s)

GrapheneOS 0 < 2026050400

CVSS V3.1

Score: 2.2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
