CVE-2024-34446: n/a
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.
AI Analysis
Technical Summary
CVE-2024-34446 is a vulnerability in Mullvad VPN for Android devices through version 2024.1, where the VPN client fails to properly handle DNS server settings after a hard failure to establish a VPN tunnel. Specifically, when the tunnel creation fails, the application does not set the DNS server into a blocking state, which would normally prevent DNS traffic from leaving the device outside the VPN tunnel. As a result, DNS queries can be sent directly to external DNS servers rather than being routed securely through the VPN. This leakage exposes sensitive DNS request data, which can reveal user browsing habits, device origin, or other metadata to unintended DNS operators or network observers. The vulnerability is classified under CWE-923 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating a failure in controlling how DNS traffic is handled post-failure. The CVSS 3.1 base score is 7.5, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality. No integrity or availability impacts are noted. No patches or exploits are currently documented, but the vulnerability poses a significant privacy risk for users relying on Mullvad VPN on Android. The issue highlights the importance of fail-safe DNS handling in VPN clients to prevent data leakage during connection failures.
Potential Impact
The primary impact of CVE-2024-34446 is the compromise of user privacy and confidentiality. Sensitive DNS queries, which can reveal visited domains, user interests, or device location, may be exposed to external DNS servers or network adversaries. This undermines the fundamental privacy guarantees of using a VPN, especially for users relying on Mullvad VPN for anonymity or secure communications. Organizations using Mullvad VPN on Android for secure remote access or privacy protection may face data leakage risks that could lead to targeted surveillance, profiling, or exposure of sensitive operational details. Although the vulnerability does not affect data integrity or availability, the confidentiality breach can have severe consequences in high-risk environments such as journalism, activism, or corporate espionage. The ease of exploitation—requiring no privileges or user interaction—means that any network observer can potentially capture leaked DNS traffic. This broadens the scope of affected systems to all Android devices running the vulnerable Mullvad VPN versions, increasing the global risk footprint.
Mitigation Recommendations
To mitigate CVE-2024-34446, users and organizations should:
1) Monitor Mullvad VPN updates closely and apply patches immediately once available to ensure proper DNS blocking after tunnel failures.
2) Temporarily disable Mullvad VPN on Android devices if sensitive DNS leakage is unacceptable until a fix is released.
3) Use additional DNS leak protection tools or configure device-level firewall rules to block DNS traffic outside the VPN tunnel.
4) Employ DNS over HTTPS (DoH) or DNS over TLS (DoT) where possible to encrypt DNS queries, reducing exposure even if leakage occurs.
5) Conduct regular network traffic analysis to detect unexpected DNS requests leaving the device.
6) Consider alternative VPN clients with verified DNS leak protections for critical use cases.
7) Educate users about the risk of DNS leaks and encourage cautious use of VPNs during connection failures.
These measures go beyond generic advice by focusing on immediate containment of DNS leakage and proactive monitoring until official patches are deployed.
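For the traffic-analysis recommendation above, an added example (not from the advisory or from Mullvad): a Python check that flags outbound DNS seen on any interface other than the tunnel and lists the names that were exposed. The tunnel interface name `tun0`, the `tcpdump -i any -n` style line format and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the advisory): the tunnel interface is "tun0" and the
# input is text in the shape newer tcpdump prints for `-i any -n`.
TUNNEL_IFACES = {"tun0"}
IGNORED_IFACES = {"lo"}
# 53 = plain DNS; 853 = DoT (names hidden, but the resolver still sees the device)
DNS_PORTS = {53, 853}

LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
    r"(?P<rest>.*)$"
)
QNAME = re.compile(r"\b[A-Z]+\?\s+(\S+)")  # e.g. "A? example.org."

# Constructed sample capture (documentation addresses and names only).
SAMPLE = """\
12:00:01.000001 tun0 Out IP 10.64.0.2.40000 > 10.64.0.1.53: 1+ A? example.org. (29)
12:00:05.000001 wlan0 Out IP 192.168.1.23.40001 > 192.168.1.1.53: 2+ A? intranet.example. (34)
12:00:05.100000 wlan0 In IP 192.168.1.1.53 > 192.168.1.23.40001: 2 1/0/0 A 192.0.2.10 (50)
12:00:06.000001 wlan0 Out IP6 fe80::1.40002 > 2001:db8::53.53: 3+ AAAA? mail.example. (30)
12:00:07.000001 wlan0 Out IP 192.168.1.23.40003 > 192.0.2.44.443: Flags [S], length 0
12:00:08.000001 lo Out IP 127.0.0.1.40004 > 127.0.0.1.53: 4+ A? localhost. (27)
"""

def find_dns_leaks(capture, tunnel_ifaces=TUNNEL_IFACES):
    """Return {(iface, resolver): [qnames]} for DNS sent outside the tunnel."""
    leaks = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["dir"] != "Out":
            continue  # unparsed line or inbound reply
        if m["iface"] in tunnel_ifaces or m["iface"] in IGNORED_IFACES:
            continue  # inside the tunnel, or loopback to a local stub
        if int(m["dport"]) not in DNS_PORTS:
            continue
        q = QNAME.search(m["rest"])
        name = q.group(1).rstrip(".") if q else "<unparsed>"
        leaks[(m["iface"], m["dst"])].append(name)
    return dict(leaks)

if __name__ == "__main__":
    for (iface, resolver), names in find_dns_leaks(SAMPLE).items():
        print(f"LEAK {iface} -> {resolver}: {', '.join(names)}")
```
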
Affected Countries
United States, Germany, Sweden, United Kingdom, Canada, Netherlands, France, Australia, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-03T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c4fb7ef31ef0b562288
Added to database: 2/25/2026, 9:40:31 PM
Last enriched: 3/4/2026, 11:17:34 PM
Last updated: 4/12/2026, 3:35:07 PM