31 matches found
CVE-2026-32323 Mullvad VPN for macOS: Local Privilege Escalation via unverified bundle path in installer
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is...
CVE-2026-32323
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is...
CVE-2023-50446
An issue was discovered in Mullvad VPN Windows app before 2023.6-beta1. Insufficient permissions on a directory allow any local unprivileged user to escalate privileges to SYSTEM...
CVE-2024-34446
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state after a hard failure to create a tunnel, and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of...
EUVD-2024-52840
Malicious code in bioql PyPI...
PT-2025-91: Local Privilege Escalation in Mullvad VPN
The vulnerability was identified in Mullvad VPN, version 2025.4. The discovered vulnerability allows an attacker to escalate privileges from a normal user to root. Vulnerability status: Confirmed by vendor Date of vulnerability remediation: 24.06.2025 Recommendations: Update to version 2025.7 or...
CVE-2024-55884
In the Mullvad VPN client 2024.6 Desktop, 2024.8 iOS, and 2024.8-beta1 Android, the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable in exceptionlogging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial...
CVE-2024-55884
In the Mullvad VPN client 2024.6 Desktop, 2024.8 iOS, and 2024.8-beta1 Android, the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable in exceptionlogging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial...
CVE-2024-55884
In the Mullvad VPN client 2024.6 Desktop, 2024.8 iOS, and 2024.8-beta1 Android, the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable in exceptionlogging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial...
CVE-2024-55884
In the Mullvad VPN client 2024.6 Desktop, 2024.8 iOS, and 2024.8-beta1 Android, the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable in exceptionlogging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial...
CVE-2024-55884
In the Mullvad VPN client 2024.6 Desktop, 2024.8 iOS, and 2024.8-beta1 Android, the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable in exceptionlogging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial...
CVE-2024-55884
Mullvad VPN client vulnerability CVE-2024-55884 affects 2024.6 (Desktop), 2024.8 (iOS), and 2024.8-beta1 (Android). The issue is an exhaustion of the exception-handling alternate stack that causes heap-based out-of-bounds writes in enable() within exception_logging/unix.rs (MLLVD-CR-24-01). The d...
GHSA-XM4R-5RJ9-2PG3 gratient 0.5 contains credential harvesting code
gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platforms, harvesting information and credentials from the user's system and sending them to a remote server. Services may include Mullvad VPN and Telegram...
gratient 0.5 contains credential harvesting code
gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platforms, harvesting information and credentials from the user's system and sending them to a remote server. Services may include Mullvad VPN and Telegram...
CVE-2024-34446
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state after a hard failure to create a tunnel, and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of...
CVE-2024-34446
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state after a hard failure to create a tunnel, and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of...
CVE-2024-34446
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state after a hard failure to create a tunnel, and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of...
CVE-2024-34446
CVE-2024-34446 affects Mullvad VPN on Android (versions up to 2024.1). The issue occurs when Mullvad fails to set a DNS server in the blocking state after a tunnel creation failure, allowing DNS traffic to leak from the device. Reports from multiple sources (NVD, Red Hat, OSV, CNNVD, CVE listings...
CVE-2024-34446
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state after a hard failure to create a tunnel, and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of...
PYSEC-2024-1 gratient 0.5 contains credential harvesting code
gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platforms, harvesting information and credentials from the user's system and sending them to a remote server. Services may include Mullvad VPN and Telegram...