GrapheneOS versions before 2026050400 allow an application to trigger a system component that transmits UDP traffic on its behalf, causing the real IP address of a VPN user to be exposed when both the "Block connections without VPN" and "Always‑on VPN" settings are enabled. This occurs because of an optimization in registerQuicConnectionClosePayload. The vulnerability does not enable arbitrary code execution, but it does leak the user’s non‑VPN IP to entities that can observe the outgoing traffic. The likely attack vector is a local attacker who can install or control an application that invokes this vulnerability; remote exploitation would require such an application to be present on the device. Based on the description, it is inferred that the exposure is limited to the device’s network layer and is not a direct privilege escalation or data exfiltration risk.

GrapheneOS releases earlier than build 2026050400 are affected. Devices running any older build may disclose a user’s real IP address when both the block‑connection and always‑on VPN settings are active. No specific hardware variants are mentioned, so any device that runs an affected build with these settings enabled is at risk.

The CVSS score of 2.2 indicates a low severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low likelihood of widespread exploitation. Because the weakness relies on a local application to trigger the vulnerable system call, the exploitation probability is limited to users who install malicious apps or are otherwise exposed to local attacker capabilities. The risk is therefore primarily privacy‑related exposure of the device’s real IP address.