PatchSiren cyber security CVE debrief

CVE-2026-45182 Cyberinsider CVE debrief

CVE-2026-45182 is a privacy leak in GrapheneOS before build 2026050400. Under the conditions described in the record, an application could cause system_server to transmit UDP traffic on its behalf, which could let an attacker discover the VPN user’s real IP address. The issue is associated with the "Block connections without VPN" and "Always-on VPN" settings being enabled. The published CVSS score is 2.2 (LOW), and the impact is limited to confidentiality.

Vendor: Cyberinsider
Product: Unknown
CVSS: LOW 2.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

GrapheneOS users who rely on Always-on VPN and Block connections without VPN, especially anyone who assumes all app traffic is fully forced through the VPN. Security teams supporting such devices should verify that affected builds are updated.

Technical summary

The NVD record and cited references describe a flaw tied to a registerQuicConnectionClosePayload optimization in GrapheneOS. In the affected configuration, an application could leverage system_server to send UDP traffic, creating a path that may disclose the device’s real IP address despite VPN enforcement settings. The CVSS vector provided by NVD is AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, indicating local, high-complexity, user-interaction-dependent exposure with limited confidentiality impact and no integrity or availability impact.

Defensive priority

Medium for privacy-sensitive deployments, otherwise low. The issue does not indicate code execution or device compromise, but it can defeat an expected VPN privacy boundary under specific settings.

Recommended defensive actions

  • Update GrapheneOS to build 2026050400 or later.
  • Review device policy for Always-on VPN and Block connections without VPN on any GrapheneOS systems that depend on strict VPN routing.
  • Treat the issue as a privacy exposure and verify whether any apps or workflows depend on the affected UDP path.
  • Monitor official GrapheneOS release notes and CVE references for any follow-up guidance or related fixes.

Evidence notes

This debrief is based only on the supplied CVE record and the references listed in that record. The record states the affected condition, the build boundary (before 2026050400), the VPN settings involved, and the low confidentiality-only impact. No unsupported exploit steps or external claims were added.

Official resources

The CVE record was published and last modified on 2026-05-09. The supplied record references GrapheneOS build 2026050400 as the fixed version boundary. This summary does not infer any additional dates beyond the provided CVE timeline.