CVE-2024-34446

HIGH

Mullvad VPN <2024.1 - Info Disclosure

Title source: llm

Description

Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.

References (5)

Core 5

Core References

Various Sources

https://github.com/mullvad/mullvadvpn-app/blob/main/CHANGELOG.md

View Writeup ZIP pw:eip

Various Sources

https://github.com/mullvad/mullvadvpn-app/tags

Various Sources

https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android

Various Sources

https://news.ycombinator.com/item?id=40247604

Patch

https://github.com/mullvad/mullvadvpn-app/commit/0c39306a40f426853d617e20d596942e41091f13

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-923

Status published

Published May 03, 2024

Tracked Since Feb 18, 2026