This serious Android VPN bug can leak your internet traffic – here’s what you need to know
Publish Date: 2026-05-21 05:37:00
Source Domain: www.tomsguide.com
A newly discovered Android 16 bug could allow apps to leak traffic outside VPN tunnels, potentially exposing users’ real IP addresses even when Always-On VPN and Android’s built-in kill switch are enabled.
The flaw affects all the best VPNs, and was highlighted by Mullvad VPN, one of the most private VPNs available.
A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm. Read more here: https://t.co/K9bxtiGHbw (May 12, 2026)
What’s behind the Android 16 VPN leak?
The leak stems from a flaw in how Android 16 handles QUIC connection shutdowns.
According to Mullvad, apps can abuse a system function tied to the Connectivity Manager service to send specific traffic outside the VPN tunnel. This means a malicious app could reveal a user’s real IP address to external servers, even if the device is configured to block all non-VPN traffic.
Mullvad says the issue affects all VPN apps on Android 16 because the vulnerability exists within the operating system itself. The Sweden-based VPN also noted that GrapheneOS, a privacy-focused Android-based operating system, has already patched the flaw in its own codebase.
Why this isn’t just a Mullvad problem
VPN leaks are not entirely new, but this case stands out because it bypasses Android’s strongest VPN protections, including “Always-On VPN” and “Block connections without VPN.”
The issue was reportedly shared with Google’s Android Security Team, but Mullvad says the report was closed as “Won’t Fix…