CVE-2024-34446
- Source
- https://cve.org/CVERecord?id=CVE-2024-34446
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34446.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-34446
- Published
- 2024-05-03T15:15:08.210Z
- Modified
- 2026-04-10T05:12:54.883951Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.
- References
-
- https://news.ycombinator.com/item?id=40247604
- https://github.com/mullvad/mullvadvpn-app/blob/main/CHANGELOG.md
- https://github.com/mullvad/mullvadvpn-app/tags
- https://github.com/mullvad/mullvadvpn-app/commit/0c39306a40f426853d617e20d596942e41091f13
- https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the-vpn-tunnel-on-android
Affected packages
Git / github.com/mullvad/mullvadvpn-app
Affected versions
2017.*
2017.1-alpha4
2017.1-alpha5
2017.1-beta1
2017.1-beta2
2017.1-beta3
2017.1-beta4
2018.*
2018.1-beta8
2018.1-beta9
2018.2-beta1
2018.2-beta2
2018.2-beta3
2018.3
2018.3-beta1
2018.4-beta1
2018.4-beta2
2018.6-beta1
2019.*
2019.10-beta1
2019.10-beta2
2019.2-beta1
2019.7
2019.7-beta1
2019.8
2019.8-beta1
2019.9
2019.9-beta1
2020.*
2020.4-beta1
2020.4-beta2
2020.5-beta1
2020.5-beta2
android/2024.*
android/2024.1
android/2024.1-beta1
Other
android/fix-devmole-google-play
ios/2020.*
ios/2020.1
ios/2020.2
ios/2020.3
ios/2020.4
ios/2020.5
ios/2021.*
ios/2021.1
ios/2021.2
ios/2021.3
ios/2021.4
ios/2022.*
ios/2022.1
ios/2022.2
ios/2022.3
ios/2022.3-build1
ios/2022.3-build2
ios/2023.*
ios/2023.1
ios/2023.1-build5