High severity7.5NVD Advisory· Published May 3, 2024· Updated Apr 15, 2026

CVE-2024-34446

Description

Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.

Patches

0c39306a40f4

https://github.com/mullvad/mullvadvpn-appvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/mullvad/mullvadvpn-app/blob/main/CHANGELOG.mdnvd
github.com/mullvad/mullvadvpn-app/commit/0c39306a40f426853d617e20d596942e41091f13nvd
mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-androidnvd
news.ycombinator.com/itemnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000