A newly discovered Android 16 bug could allow apps to leak traffic outside VPN tunnels, potentially exposing users' real IP addresses even when Always-On VPN and Android's built-in kill switch are enabled.

The flaw affects all the best VPNs, and was highlighted by Mullvad VPN, one of the most private VPNs available.

A new VPN leak that allows any app to leak traffic outside the VPN tunnel has recently been discovered by @cybaqkebm Read more here: https://t.co/K9bxtiGHbw

May 12, 2026

What's behind the Android 16 VPN leak?

The leak stems from a flaw in how Android 16 handles QUIC connection shutdowns.

According to Mullvad, apps can abuse a system function tied to the Connectivity Manager service to send specific traffic outside the VPN tunnel. This means a malicious app could reveal a user's real IP address to external servers, even if the device is configured to block all non-VPN traffic.

Mullvad says the issue affects all VPN apps on Android 16 because the vulnerability exists within the operating system itself. The Sweden-based VPN also noted that GrapheneOS, a privacy-focused Android-based operating system, has already patched the flaw in its own codebase.

Why this isn't just a Mullvad problem