No major vulnerabilities were found in Mullvad’s latest independent security audit, the company said in a blog post on Friday. An audit of Mullvad’s new WireGuard implementation, GotaTun, was conducted by Gothenburg-based Assured Security Consultants between Jan. 19 and Feb. 15, 2026.
The latest audit is Mullvad’s 18th overall since 2017, and further cements the VPN’s position as one of the most transparent in the industry. Among CNET’s top VPN picks, only ExpressVPN has out-audited Mullvad, with 23 audits commissioned since 2018.
Specifically, Assured Security Consultants completed a code audit of GotaTun, Mullvad’s implementation of the WireGuard connection protocol, written in Rust. The audit consisted of a source code review and testing of the entire GotaTun implementation, excluding Mullvad’s AI-traffic analysis blocking DAITA code and its command line interface. Although auditors found no major vulnerabilities in the code, they did flag two security issues with low-risk severity.
The first issue had to do with how GotaTun handled session identifier generation. Auditors noted that GotaTun generated the session identifiers with a 24-bit Linear Feedback Shift Register, whereas the WireGuard specification requires a 32-bit random number.
“While it doesn’t seem to weaken the security of network tunnels, it may reveal information about the number of peers as well as the number of times handshakes have been exchanged with the peers to anyone who can eavesdrop on network traffic,” the audit states.
Mullvad said that the weakness provided practically no additional information to an observer because they would already have total peer count and session duration information. The company nevertheless issued a fix in a subsequent release and now implements peer identifiers according to WireGuard specifications.
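As an added illustration (not GotaTun code and not taken from the audit report), the Rust sketch below shows why identifiers drawn from an LFSR sequence let an eavesdropper count how many were issued between two observed values, which a 32-bit random number does not allow. The tap mask, the seed and the model of one LFSR step per new session are assumptions made for the demonstration.

```rust
// Added illustration; not GotaTun code. The tap mask and the "one LFSR step
// per new session" model are assumptions chosen for this demonstration.
const MASK_24: u32 = 0x00FF_FFFF;
// Taps for x^24 + x^23 + x^22 + x^17 + 1, a maximal-length 24-bit polynomial.
const TAPS: u32 = 0x00E1_0000;

/// Advance a 24-bit Galois LFSR by one step.
fn lfsr_next(state: u32) -> u32 {
    let lsb = state & 1;
    let shifted = (state & MASK_24) >> 1;
    if lsb == 1 { shifted ^ TAPS } else { shifted }
}

/// Endpoint side: issue `count` consecutive identifiers following `seed`.
fn issue_ids(seed: u32, count: usize) -> Vec<u32> {
    let mut state = seed & MASK_24;
    (0..count).map(|_| { state = lfsr_next(state); state }).collect()
}

/// Observer side: replay the deterministic sequence from one identifier seen
/// on the wire until a later one appears; the step count is the number of
/// identifiers issued in between. Returns None if not found within `limit`.
fn steps_between(first: u32, later: u32, limit: u32) -> Option<u32> {
    let target = later & MASK_24;
    let mut state = first & MASK_24;
    for n in 1..=limit {
        state = lfsr_next(state);
        if state == target { return Some(n); }
    }
    None
}

fn main() {
    // Constructed sample: the endpoint issues 40 identifiers, but the
    // observer only captures the 3rd and the 40th.
    let ids = issue_ids(0x00ACE1, 40);
    let gap = steps_between(ids[2], ids[39], 1 << 24);
    println!("saw {:06x} then {:06x}: gap = {:?}", ids[2], ids[39], gap);
}
```

With independently random 32-bit identifiers, as the WireGuard specification requires, two observed values carry no such ordering, so the replay in `steps_between` has nothing to count.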
The second issue also involved a deviation from WireGuard specifications whereby GotaTun didn’t pad data packets to 16 bytes before encryption. Auditors noted that this wasn’t a major cryptographic issue, but recommended adding the padding to follow WireGuard specifications.
Mullvad has already implemented a fix for this as well, but points out that “the protection that this padding provides is somewhat similar in nature, but much less powerful than our DAITA functionality. Mullvad recommends anyone who includes sophisticated traffic analysis in their threat model to consider enabling DAITA.”
While independent audits aren’t perfect and don’t paint a full picture because they can only validate their findings during the course of the audit itself, this is a good example of how audits can help VPNs identify and shore up vulnerabilities, no matter how minor they are.
Mullvad has consistently demonstrated an unwavering commitment to transparency and user privacy. The VPN’s software is fully open source, meaning the code is publicly available for anyone to inspect, but the fact that Mullvad takes the extra step of commissioning audits from outside security firms as well helps fully illustrate that commitment to transparency.
The positive assessment from Assured Security Consultants ultimately helps bolster trust in GotaTun’s security and reliability, while simultaneously strengthening Mullvad’s overall privacy posture.
GotaTun aims to improve the reliability and speed of Mullvad’s WireGuard implementation, and was released for Mullvad’s Android app in December, with plans to roll out to other platforms this year.




