Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise
Mullvad VPN is a popular privacy-focused VPN service. It runs a disk-less infrastructure and has recently started running its encrypted DNS servers in RAM as well. You may also buy Mullvad codes on Amazon or through other means that keep you anonymous.
In late 2024, Mullvad asked Germany-based X41 D-Sec to conduct an audit of the service, making it the fourth external security audit since 2018.
X41's engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and with penetration testing. The work took place between October and November 2024.
Vulnerabilities were found
X41 D-Sec discovered a total of six vulnerabilities:
- Three rated high.
- Two rated medium.
- One rated low.
Additionally, the researchers found three further issues with security impact.
Mullvad addressed the issues that were within scope. Some of the discovered issues are not fixable by Mullvad, as they are found in certain behaviors of operating systems or protocols.
The three security issues rated high are all fixed. They were:
- A potential heap corruption issue on Android, Linux, and macOS.
- An issue with the fault signal handler in mullvad-daemon affecting Android, Linux, and macOS.
- The Windows installer invoked taskkill.exe without an absolute path.
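The third finding is a classic untrusted-search-path pattern. The following is an added illustration, not code from Mullvad's installer or from the audit report: it shows the weak invocation (bare file name resolved through PATH) next to a hardened helper that builds the absolute path under %SystemRoot%\System32 and rejects inputs that would not yield a trustworthy path. Rust is used because it is the language of Mullvad's apps; the function names, the `4242` PID and the path checks are assumptions made for the example, and paths are handled as strings so the logic can be exercised on any platform.

```rust
use std::process::Command;

/// Weak form (the pattern the audit flagged): a bare file name is resolved
/// through the PATH search, so the installer trusts whatever directory order
/// PATH happens to have when it runs.
fn weak_taskkill(pid: u32) -> Command {
    let mut cmd = Command::new("taskkill.exe");
    cmd.args(["/PID", &pid.to_string(), "/F"]);
    cmd
}

/// Build an absolute path to a tool under %SystemRoot%\System32 (assumed helper).
/// Returns Err when the inputs cannot yield a trustworthy absolute path.
fn system32_tool(system_root: &str, tool: &str) -> Result<String, String> {
    let root = system_root.trim_end_matches('\\');
    // Require a drive-letter-rooted SystemRoot (e.g. C:\Windows); a relative
    // or UNC root would again make the final path depend on the environment.
    let b = root.as_bytes();
    if b.len() < 3 || !b[0].is_ascii_alphabetic() || b[1] != b':' || b[2] != b'\\' {
        return Err(format!("SystemRoot is not drive-rooted: {}", system_root));
    }
    // The tool name must be a plain .exe file name, not a path fragment.
    let lower = tool.to_ascii_lowercase();
    if tool.contains('\\') || tool.contains('/') || tool.contains("..") || !lower.ends_with(".exe") {
        return Err(format!("tool name is not a plain .exe file name: {}", tool));
    }
    Ok(format!("{}\\System32\\{}", root, tool))
}

/// Hardened form: invoke taskkill.exe by its absolute System32 path.
/// The caller reads `system_root` from the SystemRoot environment variable.
fn hardened_taskkill(system_root: &str, pid: u32) -> Result<Command, String> {
    let exe = system32_tool(system_root, "taskkill.exe")?;
    let mut cmd = Command::new(&exe);
    cmd.args(["/PID", &pid.to_string(), "/F"]);
    Ok(cmd)
}

fn main() {
    // Constructed example: fall back to C:\Windows when not running on Windows.
    let root = std::env::var("SystemRoot").unwrap_or_else(|_| r"C:\Windows".to_string());
    let _ = weak_taskkill(4242); // shown for contrast only, never executed here
    match hardened_taskkill(&root, 4242) {
        Ok(cmd) => println!("would run: {:?}", cmd),
        Err(e) => eprintln!("refusing to run taskkill: {}", e),
    }
}
```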
Not all issues can be fixed by Mullvad
One medium-rated issue, for instance, may leak the virtual IP address of tunnel devices to network-adjacent participants; it affects Linux and Android only. On Linux, Mullvad solved the issue by changing a kernel parameter.
On Android, Mullvad's app has no control over that parameter. The company did report the issue to Google, hoping that Google will change the default behavior on Android to address this.
It should be noted that the issue affects other apps on Android as well. Mullvad says that it does not consider the leak high severity; it may however reveal the tunnel IP to observers. Tunnel IPs change monthly, and signing out of the app and back in again also assigns the client a new tunnel IP address.
Closing Words
Security audits find potential vulnerabilities, which companies may then fix proactively. They may also help instill confidence in existing or future users of the service, especially if conducted regularly.
Now it is your turn. Do you use a VPN solution? If so, which one and why? Feel free to leave a comment down below.