No major vulnerabilities were found in Mullvad’s latest independent security audit, the company said in a blog post on Friday. An audit of Mullvad’s new WireGuard implementation, GotaTun, was performed by Gothenburg-based Assured Security Consultants between Jan. 19 and Feb. 15, 2026.
The latest audit is Mullvad’s 18th overall since 2017, and further cements the VPN’s place as one of the most transparent in the industry. Among CNET’s top VPN picks, only ExpressVPN has out-audited Mullvad, with 23 audits commissioned since 2018.
Specifically, Assured Security Consultants completed a code audit of GotaTun, Mullvad’s implementation of the WireGuard connection protocol, written in Rust. The audit consisted of a source code review and testing of the entire GotaTun implementation, excluding Mullvad’s AI-traffic analysis blocking DAITA code and its command line interface. Though auditors found no major vulnerabilities in the code, they did flag two security issues with low-risk severity.
The first issue had to do with how GotaTun handled session identifier generation. Auditors noted that GotaTun generated the session identifiers via a 24-bit Linear Feedback Shift Register, whereas the WireGuard specification requires a 32-bit random number.
“While it doesn’t seem to weaken the security of network tunnels, it might reveal information about the number of peers as well as the number of times handshakes have been exchanged with the peers to anyone who can eavesdrop on network traffic,” the audit states.
Mullvad said that the weakness provided almost no extra information to an observer because they would already have total peer count and session length information. The company nonetheless issued a fix in a subsequent release and now implements peer identifiers in line with WireGuard specs.
The second issue also involved a deviation from WireGuard specs whereby GotaTun didn’t pad data packets to 16 bytes before encryption. Auditors noted that this wasn’t a significant cryptographic issue, but recommended adding the padding to follow WireGuard specs.
Mullvad has already implemented a fix for this as well, but points out that “the security that this padding provides is somewhat similar in nature, but much less powerful than our DAITA functionality. Mullvad recommends anyone who includes sophisticated traffic analysis in their threat model to consider enabling DAITA.”
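The padding behavior the auditors recommended can be sketched as follows. This is an added example, not GotaTun’s or Mullvad’s code: WireGuard zero-pads the inner packet to a multiple of 16 bytes before encryption, and the receiver trims the padding using the length in the inner IP header. The function names and the sample packet are constructed for illustration, and the MTU cap that real implementations apply is left out.

```rust
// Added illustration: function names and the sample packet are constructed here.
// Real implementations also cap the padded size at the tunnel MTU; omitted for brevity.
const BLOCK: usize = 16;

/// Sender: zero-pad the inner IP packet to the next multiple of 16 bytes.
fn pad_to_16(packet: &[u8]) -> Vec<u8> {
    let mut out = packet.to_vec();
    out.resize((packet.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    out
}

/// Receiver: read the true length from the inner IP header and trim the padding.
/// Returns None if the header is malformed or claims more bytes than arrived.
fn strip_padding(decrypted: &[u8]) -> Option<&[u8]> {
    let version = *decrypted.first()? >> 4;
    let (header_len, total_len) = match version {
        4 if decrypted.len() >= 20 => {
            (20, u16::from_be_bytes([decrypted[2], decrypted[3]]) as usize)
        }
        6 if decrypted.len() >= 40 => {
            (40, 40 + u16::from_be_bytes([decrypted[4], decrypted[5]]) as usize)
        }
        _ => return None,
    };
    if total_len < header_len {
        return None;
    }
    decrypted.get(..total_len)
}

/// On-the-wire size of a transport data message carrying `inner_len` bytes:
/// 16-byte header + padded payload + 16-byte authentication tag.
fn transport_len(inner_len: usize) -> usize {
    16 + pad_to_16(&vec![0u8; inner_len]).len() + 16
}

/// Constructed sample: a minimal IPv4 packet with only version/IHL and total length set.
fn sample_ipv4(total_len: u16) -> Vec<u8> {
    let mut p = vec![0u8; total_len as usize];
    p[0] = 0x45;
    p[2..4].copy_from_slice(&total_len.to_be_bytes());
    p
}

fn main() {
    let packet = sample_ipv4(21);
    let padded = pad_to_16(&packet);
    assert_eq!(strip_padding(&padded), Some(&packet[..]));
    println!("inner 21 bytes -> padded {} -> wire {}", padded.len(), transport_len(21));
}
```

With padding, every inner packet of 17 to 32 bytes produces the same 64-byte transport message, so an observer learns the payload size only to within a 16-byte bucket.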
While independent audits aren’t perfect and don’t paint a full picture because they can only validate their findings during the course of the audit itself, this is a good example of how audits can help VPNs identify and shore up vulnerabilities, no matter how minor they are.
Mullvad has consistently demonstrated an unwavering commitment to transparency and user privacy. The VPN’s software is fully open source, meaning the code is publicly available for anyone to inspect, but the fact that Mullvad takes the extra step to commission audits from outside security firms as well helps fully illustrate that commitment to transparency.
The positive assessment from Assured Security Consultants ultimately helps bolster trust in GotaTun’s security and reliability, while simultaneously strengthening Mullvad’s overall privacy posture.
GotaTun aims to improve the reliability and speed of Mullvad’s WireGuard implementation, and was launched for Mullvad’s Android app in December, with plans to roll out to other platforms this year.

