
Mullvad’s New WireGuard Implementation Put to the Test in Latest Audit


No major vulnerabilities were found in Mullvad’s latest independent security audit, the company said in a blog post on Friday. An audit of Mullvad’s new WireGuard implementation, GotaTun, was conducted by Gothenburg-based Assured Security Consultants between Jan. 19 and Feb. 15, 2026.

The latest audit is Mullvad’s 18th overall since 2017, and further cements the VPN’s position as one of the most transparent in the industry. Among CNET’s top VPN picks, only ExpressVPN has out-audited Mullvad, with 23 audits commissioned since 2018.

Specifically, Assured Security Consultants completed a code audit of GotaTun, Mullvad’s implementation of the WireGuard connection protocol, written in Rust. The audit consisted of a source code review and testing of the entire GotaTun implementation, excluding Mullvad’s DAITA code (its defense against AI-guided traffic analysis) and its command line interface. Although auditors found no major vulnerabilities in the code, they did flag two security issues of low-risk severity.

The first issue had to do with how GotaTun handled session identifier generation. Auditors noted that GotaTun generated the session identifiers through a 24-bit Linear Feedback Shift Register, whereas the WireGuard specification calls for a 32-bit random number.

“While it does not seem to weaken the protection of network tunnels, it could reveal information about the number of peers as well as the number of times handshakes have been exchanged with the peers to anyone who can eavesdrop on network traffic,” the audit states.

Mullvad said that the weakness provided almost no additional information to an observer because they would already have total peer count and session duration information. The company nonetheless issued a fix in a subsequent release and now implements peer identifiers according to WireGuard specifications.
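To make the session-identifier finding concrete, here is an added illustration (not GotaTun's code, and not Mullvad's) of why a counter-like generator leaks what a random one does not. The 24-bit LFSR below uses tap positions chosen for illustration; the page says only that GotaTun used a 24-bit LFSR, so the exact polynomial is an assumption. An observer who captures two indices from the same LFSR stream can step the register forward and count how many handshakes happened in between, whereas indices drawn with `secrets.randbits(32)`, as the WireGuard specification requires, carry no such relationship.

```python
import secrets
from typing import Optional

LFSR_BITS = 24
LFSR_MASK = (1 << LFSR_BITS) - 1


def lfsr_next(state: int) -> int:
    """Advance a Fibonacci LFSR by one step (taps 24, 23, 22, 17; assumed, not GotaTun's).

    The feedback bit is the XOR of the tapped positions; the register shifts
    right and the feedback bit enters at the top. A zero state stays zero,
    which is the usual LFSR caveat, so seeds must be non-zero.
    """
    state &= LFSR_MASK
    feedback = ((state >> 0) ^ (state >> 1) ^ (state >> 2) ^ (state >> 7)) & 1
    return (state >> 1) | (feedback << (LFSR_BITS - 1))


class LfsrIndexGenerator:
    """Hypothetical session-index generator backed by the 24-bit LFSR above.

    Each call returns the next register state, placed in the low 24 bits of
    the 32-bit index field. The upper 8 bits are therefore always zero, which
    is itself a fingerprint of the implementation on the wire.
    """

    def __init__(self, seed: int) -> None:
        if seed & LFSR_MASK == 0:
            raise ValueError("LFSR seed must be non-zero")
        self._state = seed & LFSR_MASK

    def next_index(self) -> int:
        self._state = lfsr_next(self._state)
        return self._state


def random_index() -> int:
    """What the WireGuard spec calls for: a fresh 32-bit value from a CSPRNG."""
    return secrets.randbits(32)


def handshakes_between(first: int, second: int,
                       max_steps: int = 1 << LFSR_BITS) -> Optional[int]:
    """Passive-observer view: given two indices seen on the wire, how many
    LFSR steps (i.e. handshakes) separate them?

    Returns the step count if `second` is reachable from `first` within
    `max_steps`, else None. For truly random indices this almost never
    returns a small number, which is exactly the property the LFSR lacks.
    """
    state = first & LFSR_MASK
    for steps in range(1, max_steps + 1):
        state = lfsr_next(state)
        if state == (second & LFSR_MASK):
            return steps
    return None


if __name__ == "__main__":
    gen = LfsrIndexGenerator(seed=0x1)
    first = gen.next_index()
    for _ in range(5):
        gen.next_index()          # five handshakes the observer did not see
    later = gen.next_index()
    print("handshakes between observed LFSR indices:",
          handshakes_between(first, later))
    a, b = random_index(), random_index()
    print("same question for random indices (bounded search):",
          handshakes_between(a, b, max_steps=1000))
```

The search in `handshakes_between` is bounded by the register's state space, so even a full-period 24-bit LFSR is exhaustively steppable in well under a second; the point is not the cost of the search but that a relationship exists to search for at all.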

The second issue also involved a deviation from WireGuard specifications wherein GotaTun didn’t pad data packets to 16 bytes before encryption. Auditors noted that this wasn’t a major cryptographic issue, but recommended adding the padding to follow WireGuard specifications.

Mullvad has already implemented a fix to this as well, but points out that “the protection that this padding provides is somewhat similar in nature, but much less powerful than our DAITA functionality. Mullvad recommends anyone who includes sophisticated traffic analysis in their threat model to consider enabling DAITA.”
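The padding finding is easiest to see by counting observable packet lengths. The following is an added example, not code from GotaTun or any WireGuard implementation: it pads a plaintext IP packet with zeros to a multiple of 16 bytes the way the WireGuard specification describes, strips the padding again on the receive side using the inner IP header's length field (which is how a real receiver knows the true packet size), and shows how many distinct on-wire lengths an eavesdropper sees with and without padding. The fixed 32-byte overhead (16-byte data-message header plus 16-byte Poly1305 tag) matches the WireGuard wire format; the sample packets are constructed here.

```python
import struct

BLOCK = 16
WG_DATA_HEADER = 16   # type (4) + receiver index (4) + counter (8)
POLY1305_TAG = 16


def pad_plaintext(packet: bytes, block: int = BLOCK) -> bytes:
    """Zero-pad to a multiple of `block`. A zero-length keepalive stays zero-length."""
    if not packet:
        return b""
    remainder = len(packet) % block
    if remainder == 0:
        return packet
    return packet + b"\x00" * (block - remainder)


def strip_padding(padded: bytes) -> bytes:
    """Recover the original IP packet by trusting the inner header's length field.

    IPv4 carries a total length at bytes 2-3; IPv6 carries a payload length at
    bytes 4-5 that excludes its fixed 40-byte header. Anything beyond that
    length is padding. Truncated or malformed input is rejected rather than
    silently accepted.
    """
    if not padded:
        return b""
    version = padded[0] >> 4
    if version == 4 and len(padded) >= 20:
        total = struct.unpack("!H", padded[2:4])[0]
    elif version == 6 and len(padded) >= 40:
        total = 40 + struct.unpack("!H", padded[4:6])[0]
    else:
        raise ValueError("not a parseable IPv4/IPv6 packet")
    if total > len(padded):
        raise ValueError("length field exceeds buffer")
    return padded[:total]


def make_ipv4_packet(payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (no options) in front of `payload`."""
    total_length = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length,  # version/IHL, DSCP, total length
                         0, 0,                   # identification, flags/fragment
                         64, 17, 0,              # TTL, protocol (UDP), checksum (unset)
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload


def wire_length(packet: bytes, pad: bool) -> int:
    """Size an eavesdropper sees for one WireGuard data message carrying `packet`."""
    body = pad_plaintext(packet) if pad else packet
    return WG_DATA_HEADER + len(body) + POLY1305_TAG


def distinct_wire_lengths(payload_sizes, pad: bool) -> int:
    """How many different on-wire sizes the given payload sizes produce."""
    return len({wire_length(make_ipv4_packet(b"A" * n), pad) for n in payload_sizes})


if __name__ == "__main__":
    sizes = range(1, 17)
    print("distinct lengths, no padding:", distinct_wire_lengths(sizes, pad=False))
    print("distinct lengths, 16-byte padding:", distinct_wire_lengths(sizes, pad=True))
    pkt = make_ipv4_packet(b"hello")
    assert strip_padding(pad_plaintext(pkt)) == pkt
```

Padding only coarsens length to 16-byte buckets; a passive observer still learns the bucket and the timing of every packet, which is why the article's quote frames it as much weaker than DAITA rather than as a substitute for it.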

Independent audits aren’t perfect and don’t paint a full picture, since their findings are only valid for the code and period the auditors examined, but this is a good example of how audits help VPNs identify and shore up vulnerabilities, no matter how minor they are.

Mullvad has consistently demonstrated an unwavering commitment to transparency and user privacy. The VPN’s software is fully open source, meaning the code is publicly available for anyone to inspect, and Mullvad’s extra step of commissioning audits from outside security firms further illustrates that commitment to transparency.
