Android 16 VPN bug leaks traffic even with protection enabled

By Zaid Al-Mansouri
Tech writer at All Things Geek. Covers smartphones, wearables, and mobile technology.

An Android 16 VPN bug can leak your internet traffic outside the VPN tunnel, exposing your real IP address even when you’ve enabled Android’s strongest VPN protections. The issue affects every VPN app—not just Mullvad—and represents a platform-level privacy failure that users need to address immediately.

Key Takeaways

  • Android 16 VPN bug leaks traffic outside the tunnel, revealing your real IP address
  • The leak occurs even with Always-On VPN and Block Connections Without VPN enabled
  • All VPN apps are vulnerable, making this a system-wide Android problem
  • A technical mitigation using adb commands can disable QUIC graceful shutdown
  • GrapheneOS and other hardened Android variants may offer better protection

What the Android 16 VPN Bug Actually Does

The Android 16 VPN bug sits in a system-level component, the ConnectivityManager service, and specifically its registerQuicConnectionClosePayload method. This method is designed to handle graceful QUIC connection teardown, a process that should happen inside your VPN tunnel. Instead, the payload gets sent outside the tunnel, leaking your device’s real IP address to anyone monitoring network traffic.

This is not a flaw in any single VPN app. WireGuard, ProtonVPN, and other established VPN services all exhibit the same vulnerability when running on affected Android 16 devices. The bug bypasses Android’s own safety mechanisms. Users who have activated Always-On VPN (which blocks all traffic unless routed through the VPN) and enabled Block Connections Without VPN still experience leaks. Your VPN app is working as designed; Android’s system layer is betraying it.

Why This Matters Right Now

IP address leaks are not theoretical privacy concerns. Your real IP reveals your physical location, ISP, and browsing patterns to websites, advertisers, and malicious actors. A VPN’s entire purpose is to hide this information. When Android’s own operating system defeats that protection without user knowledge, it undermines the security decision you made by installing a VPN in the first place.

The timing is critical because Android 16 is now in active use, and the bug was only recently discovered. Many users have no idea their traffic is leaking. You could believe your privacy is protected while your real IP is being logged by every website you visit.

How to Disable the Leak with adb Commands

Fixing this requires technical steps using Android Debug Bridge (adb), a developer tool. This is not a simple toggle in Settings. First, enable USB debugging on your Android device by going to Settings > About Phone, tapping Build Number seven times, then navigating to Developer Options and enabling USB Debugging.

Connect your device to a computer with adb installed. Then run these two commands in sequence:

adb shell device_config put tethering close_quic_connection -1

adb reboot

The first command disables QUIC graceful shutdown, closing the leak vector. The second reboots your device to apply the change. This mitigation persists across reboots unless undone by a system update. When Google releases a patch for Android 16, you may need to reapply these commands if the setting gets reset.

The downside: disabling QUIC graceful shutdown can leave server-side QUIC sockets half-open until they time out, though this should not harm your device or apps.

Alternatives to adb: Using Hardened Android Variants

If adb commands feel too technical, consider switching to a privacy-focused Android variant like GrapheneOS. These hardened distributions apply stricter security controls at the system level and may prevent this class of leak entirely. However, switching Android variants requires wiping your device and is a more drastic step than running two adb commands.

In the interim, avoiding untrusted apps also reduces exposure. Malicious apps could theoretically exploit this leak to track your location, but legitimate apps have no reason to probe for your real IP when you are using a VPN.

Is the leak already fixed in Android?

No official patch from Google has been confirmed in the research available. The adb mitigation is a workaround, not a permanent fix. You are disabling a system feature to close the leak, not patching the underlying bug. Google will eventually address this in an Android update, but until then, the mitigation is your best defense.

Do I need to reapply the fix after updates?

Yes. System updates may reset the close_quic_connection setting, which means the leak could return. After any major Android update, rerun the adb commands to ensure the mitigation stays active. This is inconvenient, but necessary until Google releases a proper fix.
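
One way to confirm the workaround is still set after an update, as an added example that is not from the article or its source: a shell check that reads the key back with `device_config get` and treats anything other than the article's `-1` as needing reapplication. The function names and the `--check` argument are this example's own.

```shell
#!/bin/sh
# Added example: verify the close_quic_connection workaround is still set.
# "-1" is the value the article's mitigation writes; "null" is what
# `device_config get` prints for a key that has no value.

MITIGATED_VALUE="-1"

# Map a raw `device_config get` result to a state. Kept free of adb calls
# so it can be exercised without a device attached.
classify_quic_setting() {
    # Strip CR/LF and surrounding whitespace that adb shell may add.
    value=$(printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$value" in
        "$MITIGATED_VALUE") echo "mitigated" ;;
        ""|null)            echo "unset" ;;
        *)                  echo "other:$value" ;;
    esac
}

# Query the attached device and report. Returns 0 only when the workaround
# is set, 1 when it must be reapplied, 2 when the device cannot be queried.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found in PATH" >&2
        return 2
    fi
    raw=$(adb shell device_config get tethering close_quic_connection 2>/dev/null) || {
        echo "adb could not reach a device (is USB debugging authorised?)" >&2
        return 2
    }
    state=$(classify_quic_setting "$raw")
    case "$state" in
        mitigated) echo "OK: close_quic_connection=-1, workaround in place"; return 0 ;;
        unset)     echo "NOT SET: workaround missing; reapply and reboot"; return 1 ;;
        *)         echo "UNEXPECTED value '${state#other:}'; reapply and reboot"; return 1 ;;
    esac
}

# Touch a device only when asked explicitly: sh check_quic.sh --check
if [ "${1:-}" = "--check" ]; then
    check_device
fi
```

A non-zero exit status from `--check` after a system update means the two commands from the mitigation section need to be run again.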

Will this affect my VPN performance?

Disabling QUIC graceful shutdown should not noticeably impact speed or reliability. QUIC is a modern protocol designed for faster connections, but the graceful shutdown feature is a cleanup mechanism, not a core performance driver. You lose a refinement, not the foundation.

The Android 16 VPN bug is a serious privacy failure, but it is fixable. If you use a VPN on Android 16, run the adb mitigation today. Do not wait for a patch that may take months to arrive. Your real IP is leaking right now, and two commands can stop it.

Edited by the All Things Geek team.

Source: Tom's Guide
