Mullvad’s new WireGuard implementation was put to the test in its latest audit


No major vulnerabilities were found in Mullvad’s latest independent security audit, the company said in a blog post Friday. The review of Mullvad’s new WireGuard implementation, GotaTun, was conducted by Gothenburg-based Assured Security Consultants between January 19 and February 15, 2026.

The latest audit is Mullvad’s 18th overall since 2017, and cements the VPN’s position as one of the most transparent in the industry. Among CNET’s top VPN picks, only ExpressVPN has been audited more often than Mullvad, with 23 audits conducted since 2018.

Specifically, Assured Security Consultants completed a code review of GotaTun, Mullvad’s implementation of the WireGuard communication protocol, written in Rust. The audit consisted of reviewing the source code and testing the entire GotaTun implementation, with the exception of the code for DAITA, Mullvad’s feature for blocking AI-guided traffic analysis, and its command-line interface. Although auditors did not find any major vulnerabilities in the code, they did flag two low-severity security issues.

The first issue concerned how GotaTun handles session ID generation. Auditors noted that GotaTun generated session IDs using a 24-bit linear-feedback shift register, while the WireGuard specification calls for a 32-bit random number.

“While it does not appear to weaken the protection of network tunnels, it can reveal information about the number of peers as well as the number of times handshakes have been exchanged with peers to anyone who could eavesdrop on network traffic,” the review said.

Mullvad said that the weakness provided almost no additional information to an observer, who would already have the total number of peers and session duration information. However, the company shipped a fix in a later release and now generates peer IDs according to the WireGuard specification.

The second issue also involved a deviation from the WireGuard specification: GotaTun did not pad data packets to a multiple of 16 bytes before encryption. The auditors noted that this was not a major encryption issue, but recommended adding padding to follow the WireGuard specification.

Mullvad has already implemented a fix for this issue as well, but notes that “the protection provided by this padding is somewhat similar in nature, but much less robust than our DAITA functionality. Mullvad recommends that anyone who includes sophisticated traffic analysis in their threat model should consider enabling DAITA.”
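The padding step described above can be sketched in Rust as follows. This is an added example, not GotaTun's code or code from the audit report: the function names, the 1420-byte MTU and the sample packets are constructed for illustration, and the MTU cap and the receive-side trim via the inner IP header's length field are assumptions based on how WireGuard reference implementations behave.

```rust
// Added illustration; not GotaTun's code. Names and sample packets are constructed.
const PADDING_MULTIPLE: usize = 16;

/// Zero-pad an inner IP packet to a multiple of 16 bytes before encryption,
/// without growing it past the tunnel MTU (assumed cap).
fn pad_plaintext(packet: &[u8], mtu: usize) -> Vec<u8> {
    let rounded = (packet.len() + PADDING_MULTIPLE - 1) / PADDING_MULTIPLE * PADDING_MULTIPLE;
    // Cap at the MTU, but never truncate a packet that is already larger.
    let target = rounded.min(mtu).max(packet.len());
    let mut out = packet.to_vec();
    out.resize(target, 0);
    out
}

/// After decryption, read the real packet length from the inner IP header
/// and drop the padding. Returns None for unknown or truncated input.
fn strip_padding(plaintext: &[u8]) -> Option<&[u8]> {
    let len = match *plaintext.first()? >> 4 {
        // IPv4: total length field at bytes 2..4
        4 if plaintext.len() >= 20 => u16::from_be_bytes([plaintext[2], plaintext[3]]) as usize,
        // IPv6: 40-byte fixed header plus payload length at bytes 4..6
        6 if plaintext.len() >= 40 => 40 + u16::from_be_bytes([plaintext[4], plaintext[5]]) as usize,
        _ => return None,
    };
    plaintext.get(..len)
}

/// Constructed sample: a minimal IPv4 packet of `total_len` bytes.
fn sample_ipv4(total_len: u16) -> Vec<u8> {
    let mut p = vec![0u8; total_len as usize];
    p[0] = 0x45; // version 4, header length 5 words
    p[2..4].copy_from_slice(&total_len.to_be_bytes());
    p
}

fn main() {
    for len in [41u16, 48, 52, 1419] {
        let pkt = sample_ipv4(len);
        let padded = pad_plaintext(&pkt, 1420);
        let restored = strip_padding(&padded).expect("valid inner header");
        println!("inner {:>4} B -> padded {:>4} B -> restored {:>4} B",
                 len, padded.len(), restored.len());
    }
}
```

Without padding, the ciphertext length tracks the inner packet length byte for byte; with it, lengths fall into 16-byte buckets.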

While independent audits are not perfect and don’t paint a complete picture, since they can only validate their findings during the audit itself, this is a good example of how audits can help VPNs identify and shore up vulnerabilities, no matter how small.

Mullvad has consistently demonstrated an unwavering commitment to transparency and user privacy. The VPN software is entirely open source, meaning the code is publicly available and anyone can inspect it, but Mullvad taking the extra step of commissioning third-party security firms to conduct audits also helps fully illustrate this commitment to transparency.

A positive rating from Assured Security Consultants ultimately helps reinforce confidence in GotaTun’s security and reliability, while at the same time strengthening Mullvad’s overall privacy posture.

GotaTun aims to improve the reliability and speed of Mullvad’s WireGuard app, and was released for Mullvad’s Android app in December, with plans to roll it out to other platforms this year.


