Security researchers have uncovered several high-severity vulnerabilities in the popular Mullvad VPN service that could allow attackers to execute malicious code and compromise user privacy. The flaws were discovered during a comprehensive security audit conducted by X41 D-Sec GmbH in late 2024.
The most serious issues involve race conditions and temporal safety violations in Mullvad’s signal handler code, which could lead to memory corruption and potential code execution. While exploitation is considered non-trivial, researchers warn that an attacker who can trigger a signal at the right moment may be able to exploit these vulnerabilities.
“The fact that the alternate stack collides with the heap of concurrently running processes makes exploitation a possibility if an attacker is able to trigger a signal in the right context,” the researchers noted in their report.
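The audit's concern above is an alternate signal stack carved out of ordinary heap memory, so a handler that overruns it silently corrupts neighbouring heap data. The following is an added example (not Mullvad's code or anything from the X41 report) of the mitigation a defender would want: the alternate stack is mapped separately with a guard page below it, and the handler touches nothing but a flag; it assumes a POSIX/Linux target and a 64 KiB stack.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

#define ALT_STACK_SIZE (64 * 1024)  /* assumption: enough for the handler */
static void * volatile handler_sp = NULL;  /* where the handler's frame landed */

/* Async-signal-safe handler: records its own stack location, nothing else. */
static void on_signal(int signo) { handler_sp = (void *)&signo; }

/* Map a guarded alternate stack and register it. Returns usable base or NULL. */
void *setup_guarded_altstack(void) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return NULL;
    size_t total = ALT_STACK_SIZE + (size_t)page;      /* stack plus one guard page */
    void *region = mmap(NULL, total, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return NULL;
    /* Lowest page is made inaccessible: stacks grow down, so an overrun
     * faults immediately instead of silently corrupting whatever lies below. */
    if (mprotect(region, (size_t)page, PROT_NONE) != 0) { munmap(region, total); return NULL; }
    stack_t ss;
    ss.ss_sp = (char *)region + page;
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0) { munmap(region, total); return NULL; }
    return ss.ss_sp;
}

/* Install the handler with SA_ONSTACK so it runs on the alternate stack. */
int install_handler(int signo) {
    struct sigaction sa = {0};
    sa.sa_handler = on_signal;
    sa.sa_flags = SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* Raise SIGUSR1 once; returns 1 if the handler frame lay inside the guarded
 * region, 0 if it ran elsewhere, -1 on setup failure. */
int handler_ran_on_guarded_stack(void) {
    char *base = setup_guarded_altstack();
    if (base == NULL || install_handler(SIGUSR1) != 0) return -1;
    handler_sp = NULL;
    if (raise(SIGUSR1) != 0) return -1;
    char *sp = handler_sp;
    return (sp != NULL && sp >= base && sp < base + ALT_STACK_SIZE) ? 1 : 0;
}
```

The guard page does not remove the race itself; it turns a silent heap overwrite into an immediate, detectable fault, which is the property the audit's quote says the heap-backed stack lacks.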
Another high-severity flaw allows for DLL sideloading during the Mullvad VPN installation process on Windows systems. The installer executes certain programs without specifying the full path, potentially allowing an attacker to trick it into running malicious code.
In addition to code execution risks, the audit uncovered privacy-related vulnerabilities that could allow network attackers to deanonymize Mullvad users in some scenarios.
One issue enables adjacent network participants to discover a user’s virtual IP address, while another flaw involving NAT could let sophisticated attackers determine if a Mullvad client has connected to a specific website.
Mullvad, known for its strong focus on privacy and security, has already addressed most of the discovered vulnerabilities. The company worked closely with X41 to implement fixes and verify their effectiveness.
“We take these findings extremely seriously and have moved quickly to patch the identified issues,” said a Mullvad spokesperson. “We’re grateful to X41 for their thorough audit, which helps us continually improve our service’s security.”
Despite the concerning nature of some vulnerabilities, the researchers praised Mullvad’s overall security posture. “The Mullvad VPN Application appears to have a high security level and is well positioned to protect from the threat model proposed in this report,” the audit stated.
The discovery of these flaws highlights the importance of regular security audits for VPN providers entrusted with protecting user privacy and security. Mullvad’s swift response and transparency in addressing the issues demonstrate the company’s commitment to maintaining a secure service.
Users are advised to update to the latest version of Mullvad VPN to ensure they are protected against these vulnerabilities.
The incident serves as a reminder that even security-focused services can have hidden flaws, underscoring the need for ongoing vigilance and third-party security assessments in the VPN industry.