Updated
Updated · Tom's Guide · May 21
Android 16 Leaks VPN Traffic, Exposing IP Addresses Despite Always-On Protections

  • Mullvad said an Android 16 flaw can let apps send traffic outside VPN tunnels and expose users’ real IP addresses even when Always-On VPN and Block connections without VPN are enabled.
  • The bug stems from Android 16’s handling of QUIC connection shutdowns, which can be abused through the Connectivity Manager service; Mullvad said it affects all VPN apps because the weakness is in the OS.
  • Google’s Android Security Team reportedly closed the disclosure as “Won’t Fix (Infeasible),” while GrapheneOS has already patched the issue in its own codebase.
  • A workaround is available via adb—disabling the close_quic_connection setting after enabling USB debugging—but Mullvad warned future Android updates may reverse the mitigation.
  • The leak is especially sensitive for users relying on Android VPN kill switches on public Wi-Fi or in higher-risk environments, where hiding location and preventing tracking are core protections.