CVE-2026-45182

Name of the Vulnerable Software and Affected Versions GrapheneOS versions prior to 2026050400

Description An optimization in the registerQuicConnectionClosePayload function allows attackers to discover the real IP address of a VPN user. This occurs because an application can cause the system server to transmit UDP traffic on its behalf when both "Block connections without VPN" and "Always-on VPN" settings are enabled.

Recommendations Update to version 2026050400 or later.