- Mullvad has started testing a fix for new IP fingerprinting issues
- The company confirmed that the bug does not reveal the user’s true identity
- Patch deployment should begin in the coming weeks
Following the discovery of a minor network vulnerability earlier this month, Mullvad began testing a mitigation solution to resolve an egress IP fingerprinting issue on its server fleet.
Last Friday, May 15, the privacy-focused provider became aware that its servers were mapping egress IP addresses in a highly predictable manner after a security researcher discovered the flaw during a security scan. If a user jumped from one location to another, a mathematical quirk meant their sessions could be linked, compromising the anonymity of switching servers.
Although this flaw was never in danger of exposing your true IP address or personal identity, this allowed websites to see that the same anonymous person connecting from server A was now connecting from server B.
Mullvad has now designed a permanent fix to break this link. This ensures that its network’s privacy standards remain comparable to the best VPN services on the market. The rollout is expected to begin in the coming weeks, and everyone can follow the update’s progress here.
The announcement comes as Fredrik Strömberg, co-founder and co-CEO of Mullvad, quickly acknowledged the problem, promising a solution to any unintended behavior and a re-evaluation of “whether the intended behaviors are acceptable or not.”
We have contacted Mullvad for further comment.
How the vulnerability works
Each Mullvad server hosts multiple users sharing a single egress IP address. To handle heavy traffic, these servers use a wide range of exit addresses. When a user connects, their device uses a unique WireGuard key to encrypt the connection, as well as an internal tunnel address.
Because of the way these internal addresses were handled, a user switching servers was very likely to be assigned an exit address with exactly the same relative position.
“When a user moves from one VPN server to another, this sometimes allows services such as websites to confidently guess that the same user who connected from the new VPN server is the same user who connected from the previous VPN server,” the company explained in its announcement.
On Friday, May 15, we became aware of a fingerprinting issue affecting Mullvad users. We currently have a method that changes this behavior, currently being tested, and we plan to start rolling it out to our VPN servers in the coming weeks. Read more here:…May 20, 2026
The company assures, however, that “this does not reveal the identity of the user”.
Mullvad also added that because multiple users share each exit IP address, the flaw won’t provide certainty but that “in many cases, good guesses can be made.”
To permanently close this gap, Mullvad is currently testing a new internal method of assigning egress IP addresses. The company confirmed that this upcoming patch “will not give any information about the exit address used on another VPN server or by another user on the same server.”
The update will be rolled out gradually over the coming weeks. In the meantime, if your personal threat model requires absolute separation between server sessions, Mullvad recommends logging out and logging back into the application before changing servers. This action forces the application to generate a new WireGuard key and internal IP address.
A victory for the ecosystem at large
Interestingly, Mullvad’s prompt corrective action will not only protect its direct customers. The fix will natively benefit users of other privacy tools that rely on Mullvad’s server infrastructure as an exit node.
As Obscura founder Carl Dong noted in an article on
