Direct link to the PDF report: https://x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf

Titles of issues they found:

  • 4.1.1 MLLVD-CR-24-01: Signal Handler’s Alternate Stack Too Small
  • 4.1.2 MLLVD-CR-24-02: Signal Handler Uses Non-Async-Safe Functions
  • 4.1.3 MLLVD-CR-24-03: Virtual IP Address of Tunnel Device Leaks to Network Adjacent Participant
  • 4.1.4 MLLVD-CR-24-04: Deanonymization Through NAT
  • 4.1.5 MLLVD-CR-24-05: Deanonymization Through MTU
  • 4.1.6 MLLVD-CR-24-06: Sideloading Into Setup Process

Mullvad’s blog post: https://mullvad.net/en/blog/the-report-for-the-2024-security-audit-of-the-app-is-now-available