Google has declined to fix a bug in Android 16 [1] that bypasses always-on VPN connections and exposes a device's real IP address [1].
This vulnerability undermines a core security feature designed to ensure that internet traffic remains encrypted and anonymous. For users who rely on VPNs to avoid surveillance or bypass regional restrictions, the leak represents a significant failure in privacy protection.
Reports published this week indicate that the flaw exists within the network stack of Android 16 [1], [5]. The bug causes always-on VPN connections to drop silently, allowing the device to communicate directly with the internet without the protection of the tunnel [5]. This failure occurs across all VPN apps [2], meaning no specific developer can patch the issue on their own.
Security researchers reported the vulnerability to Google, but the company has marked the report as "Won't Fix" [1], [2]. This designation suggests that Google does not intend to issue a software update to resolve the specific bypass mechanism in the current version of the operating system [1].
Because the issue is rooted in the operating system's handling of network traffic, the leak happens at a system level. This makes it invisible to the user until the real IP address has already been transmitted to a destination server [5].
Users on Android 16 [1] currently have no official way to prevent these leaks if the system decides to drop the VPN connection. The lack of a planned fix leaves a gap in the security posture of millions of devices worldwide [2], [3].
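Because the drop described above is silent, the only way a user or an administrator learns of it is by watching for it. The following is an added example (not from the cited reports or from any VPN vendor) of the detection side: it parses a constructed log of periodic egress checks, where each line records the public IP that a probe target saw, and groups consecutive probes that fall outside the VPN provider's egress range into leak events. The log format, the timestamps and the `198.51.100.0/24` and `203.0.113.42` addresses are all constructed sample values; a real deployment would substitute the provider's published egress ranges and its own probe output.

```python
"""Detect silent always-on VPN drops from a log of periodic egress checks."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed sample log (not real device output): one probe per line,
# "<ISO-8601 timestamp> <egress IP observed by the probe target>".
# The third and fourth probes show a non-VPN address: a silent tunnel drop.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7
2024-01-01T10:00:30 198.51.100.7
2024-01-01T10:01:00 203.0.113.42
2024-01-01T10:01:30 203.0.113.42
2024-01-01T10:02:00 198.51.100.7
this line is malformed on purpose
2024-01-01T10:02:30 198.51.100.7
"""

# Assumed VPN egress range(s); real values come from the VPN provider.
VPN_EGRESS_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Probe:
    when: datetime
    egress: ipaddress.IPv4Address | ipaddress.IPv6Address


@dataclass(frozen=True)
class LeakEvent:
    first_seen: datetime   # first probe that left the tunnel
    last_seen: datetime    # last consecutive probe with the same outside address
    egress: str            # the address the destination saw (the "real" IP)
    probes: int            # number of probes in the event


def parse_probe_log(text: str) -> tuple[list[Probe], int]:
    """Parse probe lines; return (probes sorted by time, count of malformed lines skipped)."""
    probes: list[Probe] = []
    skipped = 0
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 2:
            skipped += 1
            continue
        try:
            probes.append(Probe(datetime.fromisoformat(parts[0]),
                                ipaddress.ip_address(parts[1])))
        except ValueError:  # bad timestamp or bad address
            skipped += 1
    probes.sort(key=lambda p: p.when)
    return probes, skipped


def is_vpn_egress(addr, networks) -> bool:
    """True when the observed address belongs to one of the VPN egress ranges."""
    return any(addr in net for net in networks)


def find_leaks(probes: list[Probe], networks) -> list[LeakEvent]:
    """Group consecutive out-of-range probes (same outside address) into leak events."""
    events: list[LeakEvent] = []
    current = None  # (first_seen, last_seen, egress, count) while an event is open
    for p in probes:
        if is_vpn_egress(p.egress, networks):
            if current:                 # tunnel is back: close the open event
                events.append(LeakEvent(*current))
                current = None
            continue
        if current and current[2] == str(p.egress):
            current = (current[0], p.when, current[2], current[3] + 1)
        else:
            if current:                 # a different outside address: new event
                events.append(LeakEvent(*current))
            current = (p.when, p.when, str(p.egress), 1)
    if current:
        events.append(LeakEvent(*current))
    return events


def leak_report(text: str = SAMPLE_LOG, networks=VPN_EGRESS_NETWORKS) -> dict:
    """Summarise a probe log: counts, leak events and a lower bound on time exposed."""
    probes, skipped = parse_probe_log(text)
    events = find_leaks(probes, networks)
    # Exposure is measured between the first and last leaking probe, so it is a
    # lower bound: the real drop began somewhere before the first leaking probe.
    exposed = sum(int((e.last_seen - e.first_seen).total_seconds()) for e in events)
    return {"probes": len(probes), "skipped": skipped,
            "leaks": events, "seconds_exposed": exposed}


if __name__ == "__main__":
    report = leak_report()
    print(f"{report['probes']} probes, {report['skipped']} skipped, "
          f"{len(report['leaks'])} leak event(s), >= {report['seconds_exposed']}s exposed")
    for ev in report["leaks"]:
        print(f"  {ev.first_seen} .. {ev.last_seen}  egress {ev.egress} ({ev.probes} probes)")
```

The probe interval bounds how late a drop is noticed, and the reported exposure is a lower bound for the same reason, so a shorter interval trades battery and bandwidth for earlier detection. The check deliberately reads already-collected probe output rather than generating traffic itself, so it can run anywhere the log is available.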
“Google has marked the vulnerability report as ‘Won’t Fix.’”
The decision to leave this bug unpatched suggests a conflict between Google's network stack implementation and the requirements of third-party VPN providers. By marking the issue as 'Won't Fix,' Google effectively shifts the burden of security to the users and app developers, who cannot fix a flaw embedded in the OS kernel. This may lead to a decrease in trust for the 'always-on' feature in future Android releases.