No significant risk was found in MullvadThe latest independent safety research, the company said in a blog post on Friday. A test of the use of Mullvad’s new WireGuard, GotaTun, was carried out by Assured Security Consultants of Gothenburg between Jan. 19 and Feb. 15, 2026.
The latest study is Mullvad’s 18th in total since 2017, and reinforces the VPN’s position as one of the most transparent in the industry. In the middle CNET’s top VPN picksonly ExpressVPN has audited Mullvad, with 23 audits conducted since 2018.
Specifically, Certified Security Advisors have completed GotaTun code testing, the Mullvad implementation WireGuard communication protocolwritten in Rust. The audit included a source code review and testing of all GotaTun implementations, in addition to AI-traffic analysis of Mullvad blocking DAITA code and the command line interface. Although the auditors found no major vulnerabilities in the code, they flagged two security issues of low severity.
The first issue concerned the way GotaTun handles the generation of session identifiers. The auditors noted that GotaTun generated session identifiers with a 24-bit Linear Feedback Shift Register, while the WireGuard specification calls for a 32-bit random number.
“Although it does not appear to weaken the protection of network channels, it may reveal information about the number of peers and the number of times the peer has been shaken to anyone who can listen to the network traffic,” the auditor said.
Mullvad said the vulnerability did not provide more information to the observer because they would already have the full peer count and session duration information. The company however released a fix in the next release and now uses peer identifiers according to WireGuard specifications.
The second issue also involves a deviation from the WireGuard specification where GotaTun did not append data packets to 16 bytes before encryption. The auditors noted that this was not a major cryptographic problem, but recommended adding padding to track WireGuard information.
Mullvad has already implemented a fix for this, but points out that “the protection provided by this wallet is similar in nature, but much more powerful than our DAITA implementation. Mullvad recommends anyone integrating complex traffic analysis into their threat model to consider enabling DAITA.”
Although independent testing is not perfect either don’t paint the full picture because they can only confirm what they find during the audit itself, this is a good example of how an audit can help VPNs identify and eliminate weaknesses, no matter how small.
Mullvad has consistently demonstrated an unwavering commitment to transparency and user privacy. The VPN software is fully open source, meaning the code is publicly available for anyone to test, but Mullvad takes the extra step of authorizing tests from third-party security firms and helps fully demonstrate that commitment.
Positive reviews from Certified Security Advisors ultimately help strengthen GotaTun’s security trust and credibility, while at the same time strengthening Mullvad’s overall privacy standing.
GotaTun aims to improve the reliability and speed of Mullvad’s WireGuard implementation, and was released for Mullvad’s Android app in December, with plans to roll out to other platforms this year.
