
- Mullvad has begun testing a fix for newly found IP fingerprinting issues
- The company confirmed the bug does not reveal a user’s true identity
- Deployment of the patch is expected to begin in the coming weeks
Following the discovery of a minor networking vulnerability earlier this month, Mullvad has begun testing a mitigation to fix an exit IP fingerprinting issue across its server fleet.
Last Friday, May 15, the privacy-focused provider became aware that its servers were mapping exit IP addresses in a highly predictable way after a security researcher found this flaw during a security analysis. If a user jumped from one location to another, a mathematical quirk meant their sessions could be linked, compromising the anonymity of the server switch.
While this flaw never risked exposing your real IP address or personal identity, it did allow websites to see that the same anonymous person connecting from Server A was now connecting from Server B.
Now, Mullvad has designed a permanent fix to sever this link. This ensures its network privacy standards remain on par with the best VPN services on the market. Deployment is expected to begin in the coming weeks, and anyone can track the progress of the update here.
Mullvad co-founder and co-CEO Fredrik Strömberg was quick to acknowledge the issue, promising a fix for any unintended behavior and a reassessment of “whether the intended behaviors are acceptable or not.”
We have approached Mullvad for further comment.
How the vulnerability works
Typically, fingerprinting is a threat associated with web browsers silently gathering hardware data. However, this issue occurred entirely at the network level.
Each Mullvad server hosts multiple users sharing a single exit IP. To manage heavy traffic, these servers utilize a wide range of exit addresses. When a user connects, their device uses a unique WireGuard key to encrypt the connection, alongside an internal tunnel address.
Because of how these internal addresses were processed, a user switching servers was highly likely to be assigned an exit address with the exact same relative position.
“When a user switches from one VPN server to another, this sometimes makes it possible for services such as websites to confidently guess that the same user that connected from the new VPN server is the one that connected from the previous VPN server,” the company explained in its announcement.
“On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks. Read more here:…” (May 20, 2026)
The company stresses, however, that “this does not reveal the identity of the user.”
Mullvad also added that because multiple users share every exit IP, the flaw will not provide certainty but “in many cases good guesses can be made.”
To permanently close the loophole, Mullvad is currently testing a new internal method for assigning exit IPs. The company confirmed that this upcoming patch “will give no information on which exit address is used on another VPN server, or by another user on the same server.”
The update will be rolled out gradually over the coming weeks. In the meantime, if your personal threat model requires absolute separation between server sessions, Mullvad recommends logging out and logging back into the app before switching servers. This action forces the app to generate a fresh WireGuard key and internal IP address.
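The linkage described in this section, and the property the fix is meant to provide, can be measured with a small simulation. This is an added example, not Mullvad's code: the article does not give the real mapping, so the modulo-based `positional_index`, the HMAC-based `keyed_index`, the pool size and the 10.0.0.x tunnel addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

POOL_SIZE = 64  # constructed: number of exit addresses per server


def positional_index(tunnel_addr: str, server_secret: bytes) -> int:
    """Assumed weak scheme: the exit slot depends only on the tunnel address,
    so every server maps the same user to the same relative position."""
    return int(ipaddress.ip_address(tunnel_addr)) % POOL_SIZE


def keyed_index(tunnel_addr: str, server_secret: bytes) -> int:
    """Hardened sketch (one possible design): the slot is a keyed PRF of the
    tunnel address under a secret that is unique to each server."""
    packed = ipaddress.ip_address(tunnel_addr).packed
    mac = hmac.new(server_secret, packed, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % POOL_SIZE


def same_slot_rate(assign, users: int = 5000) -> float:
    """Fraction of simulated users whose exit slot on server A equals their
    slot on server B. About 1/POOL_SIZE means the slot carries no signal."""
    secret_a = secrets.token_bytes(32)  # per-server secrets, constructed
    secret_b = secrets.token_bytes(32)
    base = ipaddress.ip_address("10.0.0.0")  # constructed tunnel range
    same = 0
    for i in range(users):
        addr = str(base + i + 1)
        same += assign(addr, secret_a) == assign(addr, secret_b)
    return same / users


if __name__ == "__main__":
    print("positional:", same_slot_rate(positional_index))
    print("keyed:     ", same_slot_rate(keyed_index))
    print("chance:    ", 1 / POOL_SIZE)
```

With the positional mapping every user keeps the same slot across servers, while the keyed mapping matches only at the chance rate of 1/64, which is the "no information" property quoted above.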
A win for the wider ecosystem
Interestingly, Mullvad’s swift remediation won’t just protect its direct customers. The patch will natively benefit users of other privacy tools that rely on Mullvad’s server infrastructure as an exit node.
One notable example is Obscura VPN, a new provider built entirely on a two-party architecture. Obscura manages the initial entry hop to encrypt your connection, but relies on Mullvad-operated servers to complete the final exit hop to the open web.
As Obscura’s Founder Carl Dong noted in a post on X, because Obscura utilizes Mullvad’s network, this incoming anti-fingerprinting patch will seamlessly pass downstream, actively shoring up the privacy guarantees for users across multiple services.




