
Mullvad has published an official advisory confirming a fingerprinting issue in its VPN infrastructure that could allow online services to probabilistically correlate users as they switch between VPN servers.
The company says the flaw does not expose a user’s identity, but it can allow an attacker to infer that the same person connected through multiple Mullvad servers.
The disclosure follows independent research published last week by security researcher “tmctmt,” who demonstrated that Mullvad’s exit IP assignment system produced recognizable patterns tied to WireGuard tunnel characteristics. At the time, Mullvad acknowledged parts of the report and said mitigations were already under testing.
According to Mullvad’s announcement, users connecting through a VPN server are assigned one of several available exit IP addresses used to route traffic to the internet. Because each server maintains a pool of exit IPs shared among many users, the assignment process is designed to distribute users across those addresses.
However, Mullvad confirmed that users connecting to different VPN servers while retaining the same internal tunnel address could end up receiving exit IPs that occupy roughly the same relative positions in each server’s address pool.
For example, a user assigned an IP approximately 40% into one server’s exit range could consistently receive addresses near the 40% mark on other servers as well. Mullvad says this behavior stems from how internal tunnel addresses and WireGuard keys interact with the company’s exit IP allocation logic.
The Sweden-based VPN provider emphasized that the issue does not reveal a user's identity or expose their browsing activity directly. Instead, it weakens unlinkability between VPN sessions by making cross-server correlations more reliable for websites, online services, or entities that can monitor traffic patterns.
The identified behavior is particularly problematic for users who intentionally rotate VPN servers to reduce linkability between activities or evade long-term correlation. While the issue does not provide certainty, Mullvad acknowledges that “in many cases good guesses can be made.”
The VPN provider recommends that users who rely on server switching to prevent correlation attacks regenerate their WireGuard identities before changing servers. The company says users can do this by logging out and back into the Mullvad application, which generates a new WireGuard key and assigns a different internal tunnel address.
Mullvad is currently testing a redesigned exit IP assignment mechanism intended to eliminate information leakage between servers. The new method will ensure that a user’s exit IP selection on one server provides no information about which exit IP they may receive on another server or which addresses other users are assigned on the same server.
The infrastructure changes are expected to begin rolling out across its VPN network in the coming weeks, and progress updates will be posted on this page.
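The difference between the reported behavior and the redesign's cross-server goal can be shown with a small model. This is an added example, not Mullvad's code or algorithm: the "leaky" mapping, the per-server keyed mapping, the pool sizes, secrets and tunnel addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from functools import partial

def leaky_index(tunnel_ip, pool_size):
    # Assumed flawed model (not Mullvad's code): one server-independent value
    # per tunnel address is scaled into every pool, so its relative position
    # is the same on every server.
    digest = hashlib.sha256(ipaddress.ip_address(tunnel_ip).packed).digest()
    return (int.from_bytes(digest[:8], "big") * pool_size) >> 64

def keyed_index(server_secret, tunnel_ip, pool_size):
    # Assumed fix: a PRF keyed with a per-server secret, so the index on one
    # server says nothing about the index on another.
    mac = hmac.new(server_secret, ipaddress.ip_address(tunnel_ip).packed,
                   hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % pool_size

def mean_position_gap(index_a, index_b, size_a, size_b, tunnel_ips):
    # Average |relative position on A - relative position on B| across clients.
    # Near 0: sessions are linkable by position. Near 1/3: independent.
    gaps = [abs(index_a(ip, size_a) / size_a - index_b(ip, size_b) / size_b)
            for ip in tunnel_ips]
    return sum(gaps) / len(gaps)

# Constructed sample: 2000 tunnel addresses and two pools of different sizes.
TUNNEL_IPS = [str(ipaddress.ip_address("10.0.0.1") + 37 * i) for i in range(2000)]
POOL_A, POOL_B = 40, 25

def compare():
    leaky = mean_position_gap(leaky_index, leaky_index, POOL_A, POOL_B, TUNNEL_IPS)
    keyed = mean_position_gap(partial(keyed_index, b"constructed-secret-A"),
                              partial(keyed_index, b"constructed-secret-B"),
                              POOL_A, POOL_B, TUNNEL_IPS)
    return leaky, keyed

if __name__ == "__main__":
    leaky, keyed = compare()
    print(f"leaky mapping mean gap: {leaky:.3f}")
    print(f"keyed mapping mean gap: {keyed:.3f}")
```

A mean gap close to zero is the "same relative position on every server" pattern the advisory describes; a gap near one third is what two independent uniform assignments produce.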






