
Mullvad has warned that a recently disclosed Android 16 flaw can allow malicious applications to bypass VPN protections and leak a device’s real IP address, even when Android’s strictest VPN lockdown settings are enabled.
The VPN provider says the issue impacts all VPN applications on Android 16, not just Mullvad VPN, and has published a temporary mitigation for affected users while Google continues to leave the bug unpatched.
The flaw was originally disclosed by security researcher Yusuf, also known online as “lowlevel,” who detailed the issue in a technical write-up. The vulnerability abuses a newly introduced QUIC connection teardown mechanism in Android 16 that can cause packets to be transmitted outside the VPN tunnel.
Mullvad, a Sweden-based privacy company known for its no-logs VPN service, said it coordinated with the researcher and also reported the issue to Google through Android’s issue tracker after learning that the original report had been closed as “Won’t Fix (Infeasible)” by the Android Security Team. According to Mullvad, the issue tracker entry later became inaccessible for unknown reasons.
Root cause
The flaw stems from Android 16’s registerQuicConnectionClosePayload feature, which was designed to gracefully terminate QUIC connections by sending a final packet when a session closes unexpectedly. However, the implementation fails to ensure that the traffic remains inside the VPN tunnel.
Malicious apps with only standard permissions, such as INTERNET and ACCESS_NETWORK_STATE, can abuse the feature to send packets through the device’s physical network interface, exposing the real IP address even when Android’s “Always-On VPN” and “Block connections without VPN” protections are enabled. Because the packets are transmitted by Android’s privileged system_server process, they bypass normal VPN routing restrictions entirely.
Mullvad warns that the flaw can expose a user’s real public IP address to remote servers, creating potential privacy and tracking risks for users who rely on VPN software to conceal their location or browsing activity.
While Google has declined to issue a fix, GrapheneOS has already addressed the vulnerability in its hardened Android distribution for Pixel devices. The GrapheneOS team disabled the vulnerable QUIC optimization entirely in release 2026050400, preventing applications from abusing the feature to leak traffic outside the VPN tunnel.
Temporary mitigation
For users remaining on stock Android 16, Mullvad shared a temporary workaround that disables the vulnerable QUIC graceful shutdown feature through Android Debug Bridge (ADB).
The commands are:
adb shell device_config put tethering close_quic_connection -1
adb reboot
According to Mullvad, the mitigation persists across reboots but may need to be reapplied after future Android system updates.
The company noted that disabling the feature may leave server-side QUIC sockets half-open until timeout occurs, though this is not expected to significantly impact normal device operation.
Because the workaround requires enabling USB debugging and using ADB, it is primarily intended for advanced users comfortable with modifying Android system settings.
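As an added example (not a script from Mullvad, Google or this article), the POSIX shell script below applies the same two ADB commands but first reads the current flag value back and only reboots once the new value is confirmed, so it can also be re-run after a system update to check whether the mitigation is still in place. It assumes adb is on PATH with a single device attached and USB debugging enabled, and that `device_config get` prints the stored value (or `null` when the flag is unset).

```shell
#!/bin/sh
# Added example: apply and verify Mullvad's ADB workaround for the Android 16
# QUIC connection-close leak. Assumes adb is on PATH and one device is attached.

NAMESPACE="tethering"            # device_config namespace from the advisory
FLAG="close_quic_connection"     # flag that enables the QUIC graceful-shutdown packet
WANT="-1"                        # value Mullvad recommends to disable the feature

# Return 0 when the raw output of `device_config get` already holds the
# mitigated value. Trims a trailing CR/whitespace that adb shell may emit;
# "null" (flag unset, feature still active) and empty output count as not mitigated.
is_mitigated() {
    v=$(printf '%s' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ "$v" = "$WANT" ]
}

read_flag() {
    adb shell device_config get "$NAMESPACE" "$FLAG"
}

# Apply the workaround only if needed, verify the read-back value, then reboot.
apply_mitigation() {
    current=$(read_flag) || { echo "could not read flag (device attached?)" >&2; return 1; }
    if is_mitigated "$current"; then
        echo "mitigation already present ($FLAG=$current); no change"
        return 0
    fi
    adb shell device_config put "$NAMESPACE" "$FLAG" "$WANT" || return 1
    after=$(read_flag)
    if ! is_mitigated "$after"; then
        echo "verification failed: $FLAG is '$after', expected $WANT" >&2
        return 1
    fi
    echo "mitigation applied ($FLAG=$after); rebooting device"
    adb reboot
}

# Only touch a device when invoked with --apply; --check just reports the state.
case "${1:-}" in
    --apply) apply_mitigation ;;
    --check) if is_mitigated "$(read_flag)"; then echo "mitigated"; else echo "NOT mitigated"; fi ;;
esac
```

Run `sh mitigate.sh --check` after each Android update to confirm the flag is still set.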
