Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise
Mullvad VPN is a popular privacy-focused VPN service. The service is using a disk-less infrastructure and has recently started to run encrypted DNS servers in RAM as well. You may also buy Mullvad codes on Amazon or through other ways that keep you anonymous.
In late 2024, Mullvad asked Germany-based X41 D-Sec to conduct an audit of the service, making it the fourth external security audit since 2018.
Company engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and performing penetration testing. This happend between October and November 2024.
Vulnerabilities were found
X41 D-Sec discovered a total of six vulnerabilities.
- Three high-security vulnerabilities.
- Two medium-rated vulnerabilities.
- One low vulnerability.
Additionally, the researches found three issues with security impact.
Mullvad addressed the issues that were within scope. Some of the discovered issues are not fixable by Mullvad, as they are found in certain behaviors of operating systems or protocols.
The three security issues rated high are all fixed. They were:
- A potential heap corruption issue on Android, Linux, and macOS.
- An issue with the fault signal handler in mullvad-daemon affecting Android, Linux, and macOS.
- Use of taskkill.exe on Windows in the installer without use of absolute paths.
Not all issues can be fixed by Mullvad
One issue, rated medium, for instance, which may leak the virtual IP address of tunnel devices to network adjacent participants, affects Linux and Android only. On Linux, Mullvad solved the issue by changing a kernel parameter.
On Android, Mullvad's app has no control over that parameter. The company did report the issue to Google, hoping that Google will change the default behavior on Android to address this.
It should be noted that the issue affects other apps on Android as well. Mullvad says that it does not consider the leak high severity. It may however leak the tunnel IP to observers. IPs get changed monthly, but signing out of the app and back in again gives the client a new tunnel IP address as well.
Closing Words
Security audits find potential vulnerabilities, which companies may then fix proactively. They may also help instill confidence in existing or future users of the service, especially if conducted regularly.
Now it is your turn. Do you us a VPN solution? If so which and why? Feel free to leave a comment down below.
Read this: https://torrentfreak.com/best-vpn-anonymous-no-logging/
I have been using Mullvad VPN for a couple of years now. I have Wireguard setup on a GL-iNet home router and also run the app on Windows and Linux at the same time for multi-hopping experience with the router. Works great. I just updated the apps for added security thanks to this article.
I wish that Mullvad would let me pay for a year using Bitcoin. The yearly option only seems to be there if paying by Visa.
I use Mullvad, but not through their own app. Instead I’ve installed the standalone Wireguard app which you can download from here: https://www.wireguard.com/
How to configure Mullvad to use Wireguard is explained here: https://mullvad.net/en/help/wireguard-app-windows
For additional security, I also use Mullvad’s SOCKS 5 proxy for which the connection settings are 10.64.0.1 through Port 1080. It looks like this on Firefox: https://i.postimg.cc/vH8jgxQX/SOCKS-5-proxy-on-FF.png (scroll further down to the bottom and checkmark “Proxy DNS when using SOCKS 5” and then click OK).
Besides the additional safeguard to maintain your anomaly in the event the VPN fails the setting also allows users to run Mullvad VPN on systems which they don’t normally support which in my particular case is Windows 8.1
I also switched to Mullvad after doing some homework and using a couple of other (not as good) VPNs.
There are maybe 2 or 3 VPNs that I would trust these days, and trust what you’re paying your VPN for. Any VPN that is not audited and is not run by people who are identifiable as real accountable humans with first-and-last names and who have a hstory in the privacy community could just as easily be owned by the NSA as anyone else, and at least one is. My short list came down to Mullvad and Proton; I chose and am very happy with the former, but know people who are happy with the latter.
My priority is privacy. If you want a VPN primarily for access to geo-blocked streaming services, Mullvad would not be my first choice. Fine for torrents, however.
I had been using ProtonVPN for some time now.
Several months ago I read an arcticle on Mullvad blog about SAITA
Defense Against AI-guided Traffic Analysis https://mullvad.net/en/vpn/daita
This is what I want!! A VPN that takes the lead, and leaves the rest behind!
I was a long time user of PIA (Private Internet Access). I started doing some research on VPN’s and came to realize that PIA was not a very good choice. When that subscription ran out, I became a Mullvad user. I have been with them for going on two years nad I am quite pleased with their service.
Why do I use a VPN, with the internet becoming the cesspool that it is with ads, tracking, etc, I feel more comfortable using a VPN. I limit myself to what sites, services, etc that I use so hopefully my footprint is not that big or unique.
You are not clear why you rejected PIA or why you chose Mullvad. Enlighten us.
As for PIA, read Martin’s article from 2021 concerning Kape’s acquisition of Express VPN
(link – https://www.ghacks.net/2021/09/15/is-kapes-acquisition-of-expressvpn-cause-for-concern/).
For Mullvad, it comes down to privacy. I recall an article about the police showing with a warrant asking for their logs, Mullvad says sorry we don’t keep logs and the police left empty handed.
That is assumptions. PIA has the same story..
Express VPN, It’s fast, it’s diskless. Because google makes billions off our personal data and I don’t get my cut.
Interesting post. Would like to read more such posts about VPNs..