CVE-2024-55884 is a critical vulnerability identified in the Mullvad VPN client software across multiple platforms: desktop version 2024.6, iOS version 2024.8, and Android 2024.8-beta1. The root cause is the exhaustion of the exception-handling alternate stack, which leads to heap-based out-of-bounds writes within the enable() function located in the exception_logging/unix.rs source file. This vulnerability is categorized under CWE-787 (Out-of-bounds Write). The alternate stack is used to handle exceptions safely, and its exhaustion can corrupt heap memory, potentially destabilizing the application or allowing an attacker to manipulate program flow. Although achieving arbitrary code execution is considered non-trivial, the vulnerability severely compromises the confidentiality, integrity, and availability of the VPN client. The CVSS 3.1 base score is 9.0, indicating critical severity with attack complexity high, no privileges required, no user interaction, and scope changed. No patches have been published yet, and no exploits are known in the wild. The vulnerability affects a widely used privacy tool, which is critical for secure communications, making it a significant concern for users and organizations relying on Mullvad VPN for data protection.

The vulnerability could allow attackers to cause heap corruption leading to potential denial of service or, with advanced exploitation techniques, arbitrary code execution within the Mullvad VPN client. This jeopardizes the confidentiality and integrity of VPN-protected communications, potentially exposing sensitive user data or allowing interception and manipulation of traffic. Because the vulnerability requires no privileges or user interaction, remote exploitation is plausible if an attacker can induce the vulnerable code path. Organizations relying on Mullvad VPN for secure remote access, privacy, or bypassing censorship could face service disruption or data breaches. The critical CVSS score reflects the high risk of impact on confidentiality, integrity, and availability. Although no exploits are currently known, the widespread use of Mullvad VPN in privacy-conscious regions and industries increases the potential attack surface. The vulnerability could undermine trust in the VPN service and expose users to surveillance or data theft if exploited.

Organizations and users should monitor Mullvad’s official channels for patches and apply updates promptly once available. Until patches are released, consider temporarily disabling the affected versions and using alternative VPN solutions with verified security. Implement network-level monitoring to detect unusual exception handling or memory corruption behaviors in VPN clients. Employ endpoint protection solutions capable of detecting heap corruption or anomalous process behavior. Conduct internal audits to identify systems running vulnerable Mullvad versions and prioritize their remediation. Educate users about the risk and advise against using untrusted networks or exposing VPN clients to untrusted code or inputs that might trigger the vulnerability. Collaborate with Mullvad support for guidance and possible workarounds. Finally, maintain robust incident response plans to quickly address potential exploitation attempts.