2025.1

This is a desktop only release.

Here's a list of all the changes since the last stable release 2024.8:

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
  proxies. The access method is enabled by default.

macOS

• Detect whether full disk access is enabled in the split tunneling view.
• Add button to restart system service in split tunneling view. This can help mitigate edge-case
  issues when enabling full disk access.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
  ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Make Smart Routing override multihop if both are enabled. To manually set the entry relay,
  explicitly enable the "Direct only" option in the DAITA settings.
• Update maybenot from 1.1.3 to 2.0.1.

Windows

• Enable quantum-resistant tunnels by default (when set to auto).

Fixed

• Handle network switching better when using WG over Shadowsocks.
• Fix multihop entry location list sometimes being shown when multihop is disabled.

macOS

• Fix GUI getting stuck when opening the split tunneling view.
• Fix packets being duplicated on LAN when split tunneling is enabled.
• Fix DNS issues caused by forcibly using a local DNS resolver in all states.
  Note that this fix is not present on macOS versions between 14.6 and 15.1.

Security

Windows

• Block WSL/Hyper-V traffic in secured states (except the connected state). The normal firewall
  (WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not
  leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or
  connecting state, or while lockdown mode was active.

android/2024.10-beta2

Fixed

• Update bundled relay list to address a UI bug in the filter screen.

android/2024.10-beta1

Added

• Add multihop which allows the routing of traffic through an entry and exit server, making it harder to trace.
• Enable DAITA to route traffic through servers with DAITA support to enable the use of all servers together with DAITA. This behaviour can be disabled with the use of the "Direct only" setting.

Changed

• Update to DAITA v2. The main difference is that many different machines are provided by relays instead of a bundled list.

android/2024.9

Here is a list of all changes since last stable release android/2024.8:

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via proxies. The access method is enabled by default.

Changed

• Improve animations so that they look better with predictive back.
• Improve detection and logging of a potential rare in-app purchase limbo state.

Fixed

• Fix a bug where the Android account expiry notifications would not be updated if the app was running in the background for a long time.
• Fix ANR due to the tokio runtime being blocked by getaddrinfo when dropped.

Security

• Remove alternative stack for fault signal handlers on unix based systems. It was implemented incorrectly and could cause stack overflow and heap memory corruption. Fixes audit issue MLLVD-CR-24-01.
• Remove/disable unsafe signal code from fault signal handler on unix based systems. Fixes audit issue MLLVD-CR-24-02.

2024.9-beta1

This release is for desktop only.

Here is a list of all changes since last stable release 2024.8.

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
  proxies. The access method is enabled by default.

macOS

• Detect whether full disk access is enabled in the split tunneling view.
• Add button to restart system service in split tunneling view. This can help mitigate edge-case
  issues when enabling full disk access.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
  ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Make Smart Routing override multihop if both are enabled. To manually set the entry relay,
  explicitly enable the "Direct only" option in the DAITA settings.
• Update maybenot from 1.1.3 to 2.0.1.

Windows

• Enable quantum-resistant tunnels by default (when set to auto).

Fixed

• Handle network switching better when using WG over Shadowsocks.
• Fix multihop entry location list sometimes being shown when multihop is disabled.

macOS

• Fix packets being duplicated on LAN when split tunneling is enabled.
• Fix DNS issues caused by forcibly using a local DNS resolver in all states.
  Note that this fix is not present on macOS versions between 14.6 and 15.1.

Security

Windows

• Block WSL/Hyper-V traffic in secured states (except the connected state). The normal firewall
  (WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not
  leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or
  connecting state, or while lockdown mode was active.

2024.8

This release is for desktop only.

This release addresses issues identified in a recent audit. Here is a list of all changes since last stable release 2024.7.

Security

• Remove invalidly set up alternative stack for fault signal handlers on unix based systems. This prevents potential stack overflow and heap memory corruption. Fixes audit issue MLLVD-CR-24-01.
• Remove/disable not signal safe code from fault signal handler on unix based systems. Fixes audit issue MLLVD-CR-24-02.

Windows

• Fix issue where the installer would allow any executable named taskkill.exe in the working directory to run as admin. This fixes audit issue MLLVD-CR-24-06.

Linux

• Prevent attackers able to send ARP requests to the device running Mullvad from figuring out the in-tunnel IP. Fixes 2024 audit issue MLLVD-CR-24-03.

android/2024.9-beta1

Added

• Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
  proxies. The access method is enabled by default.

Changed

• Animation has been changed to look better with predictive back.

Fixed

• Fix a bug where the Android account expiry notifications would not be updated if the app was
  running in the background for a long time.
• Fix ANR due to the tokio runtime being blocked by getaddrinfo when dropped.

android/2024.8

Here is a list of all changes since last stable release android/2024.7:

Added

• Add feature indicators to the main view along with redesigning the connection details.
• Add new "Connect on device start-up" setting for devices without system VPN settings.
• Add a confirmation dialog shown when creating a new account if there's already an existing
  account in the account history of the login screen.

Changed

• Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
  ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels.
• Move version information and changelog to a new app info screen.
• Update icons to material design.

Fixed

• Fix the account number input keyboard being broken on Amazon FireStick by adding a workaround.
  This should eventually be fixed by Amazon since the FireStick behavior is broken.
• Improve connection stability when roaming while using Shadowsocks.
• Fix MTU calculation to avoid connectivity issues when using some specific settings.
• Fix unlabeled icon buttons for basic accessibility with screen readers.

2024.7

This release is for desktop only.

This release is identical to 2024.7-beta1.

Here is a list of all changes since last stable release 2024.6.

Fixed

macOS

• Fix DNS not working due to broken PF redirect.

2024.7-beta1

This release is for desktop only.

Here is a list of all changes since last stable release 2024.6.

Fixed

macOS

• Fix DNS not working due to broken PF redirect.