CVE-2024-34446 is a vulnerability in Mullvad VPN for Android (up to version 2024.1) where the application fails to properly handle DNS server settings after a hard failure to create a VPN tunnel. Normally, VPN clients route DNS traffic through the encrypted tunnel to prevent DNS leaks. However, due to this flaw, when the tunnel creation fails, the VPN client does not set the DNS server in a blocking state, allowing DNS queries to be sent directly from the device to external DNS servers outside the VPN tunnel. This results in DNS leakage, exposing potentially sensitive DNS requests that can reveal user browsing behavior, device origin, or other metadata to unintended DNS operators. The vulnerability is classified under CWE-923 (Improper Neutralization of DNS Resolution). The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, low complexity, no privileges or user interaction required, and high confidentiality impact. Although no exploits have been reported in the wild, the vulnerability undermines the core privacy guarantees of the VPN service. The issue affects all Android users running Mullvad VPN through version 2024.1, and the lack of a patch at the time of disclosure necessitates immediate mitigation efforts by users and organizations relying on this VPN for secure communications.

The primary impact of CVE-2024-34446 is the compromise of user privacy and confidentiality. DNS leakage can allow adversaries, including ISPs, network operators, or malicious DNS servers, to observe DNS queries that reveal visited domains, potentially exposing sensitive user activity despite the use of a VPN. This undermines the trust in Mullvad VPN's ability to anonymize and secure user traffic. For organizations, this leakage could lead to exposure of internal domain queries or user behavior patterns, increasing the risk of targeted attacks or surveillance. The vulnerability does not affect data integrity or availability but significantly impacts confidentiality. Given the widespread use of Mullvad VPN among privacy-conscious users and activists, the risk of surveillance and data collection is heightened. The ease of exploitation (no authentication or user interaction needed) and the broad scope of affected devices (all Android devices running the vulnerable versions) increase the potential scale of impact globally.

Until an official patch is released by Mullvad VPN, users should consider the following mitigations: 1) Temporarily disable Mullvad VPN on Android devices if DNS privacy is critical, or switch to alternative VPN clients with verified DNS leak protection. 2) Use system-level DNS leak protection features if available, such as configuring DNS over HTTPS (DoH) or DNS over TLS (DoT) at the device level to prevent DNS queries from leaking outside the VPN tunnel. 3) Monitor network traffic for DNS leaks using tools or apps that detect DNS queries sent outside the VPN tunnel. 4) Avoid connecting to untrusted networks where DNS leakage could be exploited for surveillance. 5) Follow Mullvad VPN announcements closely and apply updates immediately once a patch addressing this vulnerability is released. 6) For organizations, enforce endpoint security policies that include DNS leak detection and VPN client version controls to prevent use of vulnerable versions.