Mullvad to patch VPN fingerprinting issue to stop your activity from being tracked across servers
Date:
Thu, 21 May 2026 14:23:08 +0000
Description:
Following the discovery of an exit IP fingerprinting issue, Mullvad is
testing a new IP assignment method that prevents third parties from tracking users across multiple servers.
FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter Mullvad has begun testing a fix for newly found IP fingerprinting issues The company confirmed the bug does not reveal a user's true identity The patch is expected to begin to be deployed in the coming weeks Following the discovery of a minor networking vulnerability earlier this month, Mullvad has begun testing a mitigation to fix an exit IP fingerprinting issue across its server fleet.
Last Friday, May 15, the privacy-focused provider became aware that its servers were mapping exit IP addresses in a highly predictable way after a security researcher found this flaw during a security analysis. If a user jumped from one location to another, a mathematical quirk meant their
sessions could be linked, compromising the anonymity of the server switch. While this flaw never risked exposing your real IP address or personal identity, it did allow websites to see that the same anonymous person connecting from Server A was now connecting from Server B. You may like Mullvad addresses WireGuard exit-IP fingerprinting concern after researcher flags privacy risk Mullvad pushes update in a bid to make your iOS VPN app even more secure but there's a catch 'No major vulnerabilities' Mullvads WireGuard implementation gets thumbs up from independent security audit
Now, Mullvad has designed a permanent fix to sever this link. This ensures
its network privacy standards remain on par with the best VPN services on the market. Deployment is expected to begin in the coming weeks, and anyone can track the progress of the update here.
The announcement comes as Mullvad co-founder and co-CEO Fredrik Strmberg was quick to acknowledge the issue , promising a fix for any unintended behavior and a reassessment of "whether the intended behaviors are acceptable or not."
We have approached Mullvad for further comment. How the vulnerability works Typically, fingerprinting is a threat associated with web browsers silently gathering hardware data. However, this issue occurred entirely at the network level.
Each Mullvad server hosts multiple users sharing a single exit IP. To manage heavy traffic, these servers utilize a wide range of exit addresses. When a user connects, their device uses a unique WireGuard key to encrypt the connection, alongside an internal tunnel address.
Because of how these internal addresses were processed, a user switching servers was highly likely to be assigned an exit address with the exact same relative position.
"When a user switches from one VPN server to another, this sometimes makes it possible for services such as websites to confidently guess that the same
user that connected from the new VPN server is the one that connected from
the previous VPN server," the company explained in its announcement . What to read next GrapheneOS patches an Android VPN bypass that Google decided to leave alone Mullvad Browser's testers now get access to updates every four weeks, also on Linux ARM devices Mullvad VPN takes its banned anti-surveillance ad to the streets after UK TV rejection On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks. Read more here: May 20, 2026 The company ensures, however, that "this does not reveal the identity of the user."
Mullvad also added that because multiple users share every exit IP, the flaw will not provide certainty but "in many cases good guesses can be made."
To permanently close the loophole, Mullvad is currently testing a new
internal method for assigning exit IPs. The company confirmed that this upcoming patch "will give no information on which exit address is used on another VPN server, or by another user on the same server."
The update will be rolled out gradually over the coming weeks. In the meantime, if your personal threat model requires absolute separation between server sessions, Mullvad recommends logging out and logging back into the app before switching servers. This action forces the app to generate a fresh WireGuard key and internal IP address. A win for the wider ecosystem Interestingly, Mullvad's swift remediation won't just protect its direct customers. The patch will natively benefit users of other privacy tools that rely on Mullvad's server infrastructure as an exit node.
One notable example is Obscura VPN , a new provider built entirely on a two-party architecture. Obscura manages the initial entry hop to encrypt your connection, but relies on Mullvad-operated servers to complete the final exit hop to the open web.
As Obscura's Founder Carl Dong noted in a post on X , because Obscura
utilizes Mullvad's network, this incoming anti-fingerprinting patch will seamlessly pass downstream, actively shoring up the privacy guarantees for users across multiple services. Today's best VPN deals NordVPN 2 Year 2.59 /mth View +3 months free Surfshark 24 Months 1.49 /mth View Proton VPN 24 Month 2.39 /mth View PrivadoVPN - 24 Month Plan 1.11 /mth View Mullvad VPN 4.35 /mth View We check over 250 million products every day for the best prices
======================================================================
Link to news story:
https://www.techradar.com/vpn/vpn-services/mullvad-to-patch-vpn-fingerprinting -issue-to-stop-your-activity-from-being-tracked-across-servers
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)