
13.19 MB
Android 12.0+
38
Universal
Verified safe: Scanned with ClamAV, APKiD, and Quark-Engine. No threats detected.
Description
A regular Android app with no special permissions, on a Pixel running Android 16 QPR1+, can hand system_server a buffer of bytes and a destination, then walk away. A moment later system_server (UID 1000, exempt from VPN routing) opens a UDP socket on the physical Wi-Fi interface and fires those bytes at the destination. The VPN tunnel never sees the packet. The destination sees the device's real IP.
Full write-up: https://lowlevel.fun
Confirmed on Pixel 8 / Android 16 with Proton VPN. Code path verified unchanged on Android 17 (Pixel 9 Pro) — same Binder transaction code, same AIDL signature, same system_server dispatch routine.
Affected
Android 16 QPR1+ (@hide API registerQuicConnectionClosePayload, ships in com.android.tethering Mainline module).
The bug is gated by a DeviceConfig flag tethering/close_quic_connection. On the March 2025 build this defaulted on; on the April 2026 patch the default is off but the code path is still present and re-enabling the flag re-exposes it. See blog post for details.
Reproduce
Connect the device to any underlying network (Wi-Fi, mobile data, ethernet) and turn on a VPN (any provider). Wi-Fi is the typical case but the PoC picks up cellular too — the bug is not Wi-Fi-specific.
On a server you control, start a UDP listener:
nc -ulp 3131
Open the PoC, enter the listener's public IP and port, tap Send & Exit.
The listener sees an EXFIL{src=…,via=…} line whose source IP is the device's real underlying-network IP, not the VPN exit. The phone's logcat shows:
Close QUIC socket for QuicConnectionCloseInfo{
uid: 10331, netId: 100,
src: /<underlying-net-ip>:<port>,
dst: /<your-listener>:3131,
payload length: 24}, destroySocket=true
netId matches whichever physical network was picked (Wi-Fi, cellular, …).
If your listener sees nothing, your build either has the flag disabled or already shipped a fix. Confirm with:
adb shell dumpsys connectivity | grep "Close QUIC"
Close QUIC connection: false means the feature is off and the leak can't fire on this build.
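For anyone triaging devices rather than running the PoC, the two signals above (the QuicConnectionCloseInfo record in logcat and the "Close QUIC connection" line in dumpsys connectivity) are easy to check programmatically. The following parser is an added example written for this listing, not code from the PoC or from Android; the sample logcat and dumpsys text is constructed in the format quoted above, and the set of VPN netIds is assumed to be supplied by the operator (for instance read off dumpsys connectivity), since nothing in the log record itself says which netId is the VPN.

```python
import re

# Constructed sample logcat excerpt, in the shape of the record quoted in the
# listing above. Addresses are documentation ranges, not real endpoints.
SAMPLE_LOGCAT = """\
Close QUIC socket for QuicConnectionCloseInfo{
uid: 10331, netId: 100,
src: /192.0.2.45:40212,
dst: /203.0.113.9:3131,
payload length: 24}, destroySocket=true
"""

# Constructed sample lines as printed by `dumpsys connectivity`.
SAMPLE_DUMPSYS_ON = "Close QUIC connection: true"
SAMPLE_DUMPSYS_OFF = "Close QUIC connection: false"

# First application UID on Android (AID_APP_START); lower UIDs are system.
AID_APP_START = 10000

# One multi-line QuicConnectionCloseInfo record. DOTALL lets \s* span the
# line breaks between fields.
RECORD_RE = re.compile(
    r"Close QUIC socket for QuicConnectionCloseInfo\{\s*"
    r"uid:\s*(?P<uid>\d+),\s*netId:\s*(?P<netid>\d+),\s*"
    r"src:\s*/(?P<src>[^,]+),\s*"
    r"dst:\s*/(?P<dst>[^,]+),\s*"
    r"payload length:\s*(?P<plen>\d+)\}",
    re.DOTALL,
)

FLAG_RE = re.compile(r"Close QUIC connection:\s*(true|false)")


def parse_close_records(logcat_text):
    """Return one dict per QuicConnectionCloseInfo record found in logcat text."""
    records = []
    for m in RECORD_RE.finditer(logcat_text):
        records.append({
            "uid": int(m.group("uid")),
            "net_id": int(m.group("netid")),
            "src": m.group("src").strip(),
            "dst": m.group("dst").strip(),
            "payload_length": int(m.group("plen")),
        })
    return records


def is_app_uid(uid):
    """True for third-party application UIDs (>= AID_APP_START)."""
    return uid >= AID_APP_START


def bypassed_records(records, vpn_net_ids):
    """Records emitted on behalf of an app UID whose netId is not a VPN netId.

    vpn_net_ids is an operator-supplied set (assumption: taken from
    `dumpsys connectivity` on the device). A record on any other netId means
    system_server sent the payload on an underlying physical network.
    """
    return [
        r for r in records
        if is_app_uid(r["uid"]) and r["net_id"] not in vpn_net_ids
    ]


def flag_state(dumpsys_text):
    """True if close_quic_connection is reported on, False if off,
    None if the line is absent (older build without the feature)."""
    m = FLAG_RE.search(dumpsys_text)
    if m is None:
        return None
    return m.group(1) == "true"


if __name__ == "__main__":
    recs = parse_close_records(SAMPLE_LOGCAT)
    for r in bypassed_records(recs, vpn_net_ids={101}):
        print(f"uid {r['uid']} sent {r['payload_length']} bytes "
              f"{r['src']} -> {r['dst']} on netId {r['net_id']} (not VPN)")
    print("flag on:", flag_state(SAMPLE_DUMPSYS_ON))
```

In practice the inputs come from `adb shell logcat -d` and `adb shell dumpsys connectivity`; a device whose flag_state is False should produce no records at all, and a device whose flag_state is True can be watched for records on non-VPN netIds while the VPN is up.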
Mitigation (no root required)
Warning: Use it only if you understand the implications, and at your own risk.
adb shell device_config put tethering close_quic_connection -1
adb reboot
Pins the flag to disabled. Persists across reboots.
Authorized use only
This PoC sends a UDP packet with the device's real IP to a server you specify. Only run it against a listener you control, on a device you own.