Whonix 18.1.4.2 Patches a VM Fingerprinting Flaw

Whonix version 18.1.4.2 dropped on February 15th, 2026, and while the version number screams "minor point release," the changes here address something that should have been fixed a long time ago. The headline fix targets a VirtualBox feature that was quietly leaking your screen resolution as a fingerprinting vector, which is the kind of leak that defeats the entire purpose of running Whonix in the first place.

For anyone who missed it, Whonix 18.0.8.7 shipped back in November 2025 as the major release that brought LXQt as the new desktop environment, a full rewrite of Kloak for Wayland-only keystroke anonymization, and IPv6 support across the system. That was the big overhaul. This 18.1.4.2 release is the follow-up that cleans up the sharp edges left behind.

Ok so the biggest change here is that dynamic resolution has been disabled by default in Whonix-Workstation. On the surface it sounds like a minor display tweak, but the implications are serious. VirtualBox has an "Auto-resize guest display" feature that adjusts your VM's screen resolution to match the window size. Convenient, sure, but every time you resize that window, VirtualBox stores your new resolution in its XML configuration file. That resolution becomes a fingerprint. A website running JavaScript can query your screen dimensions and compare them against known standard resolutions. A VM running at 1847x1023 pixels because you dragged the corner of the window stands out against a sea of users running at 1920x1080.

The problem gets worse. Once VirtualBox stores those non-standard size hints, there is no straightforward way to reset them. The resolution data persists in the VM's extra data even after you disable auto-resize, even after you reboot. A developer named arraybolt3 discovered this in December 2025 while working on privacy features for Whonix's `wlr_resize_watcher` utility, and the finding was concerning enough that they filed a bug report with VirtualBox because the size-hint persistence makes it impossible to fully undo the fingerprinting damage without directly editing the VM's configuration files. Malware with access to `/sys/class/drm/card*/modes` can read these stored resolutions and use them to re-identify a previously infected machine.

Whonix 18.1.4.2 takes the straightforward approach and disables dynamic resolution by default in the Workstation VM. If you want auto-resize back, you can re-enable it manually, but now the default protects users who would have had no idea their window size was leaking identifying information.

Beyond the resolution fix, this release also disables removable media automounting on both the Gateway and Workstation VMs. From what I found, this was already effectively disabled in practice for most users, but the configuration changes in `anon-gw-base-files` and `anon-ws-base-files` make it explicit at the package level. Automounting USB devices in an anonymity-focused OS is an attack vector because a malicious USB device could execute code or exfiltrate data outside the Tor tunnel. The Gateway VM especially should never be mounting external media because its only job is running Tor and forwarding traffic.

The Tor configuration changes in `anon-gw-anonymizer-config` consolidate settings and improve user feedback for torrc and tordata operations. Whonix uses a drop-in configuration system where Tor settings live in `/etc/torrc.d/` rather than a single monolithic torrc file. This prevents the classic problem where a user edits `/etc/tor/torrc`, the package updates, and dpkg throws an interactive conflict dialog that most people handle by blindly keeping their old config and missing security improvements. The consolidated settings in this release reduce the chances of configuration errors on the Gateway.

The stream isolation improvements are worth paying attention to. Whonix already isolates different applications into separate Tor circuits by routing them through dedicated SocksPort numbers. Tor Browser gets port 9150, Thunderbird gets 9102, sdwdate gets 9108. This release extends that isolation with enhanced SOCKS protocol handling for curl and dnf, so package management and command-line HTTP requests get properly separated from your browser traffic. If your apt-get traffic and your web browsing share the same Tor circuit, an exit node operator seeing both streams could correlate them back to the same user. Separate circuits eliminate that risk entirely.

IPv6 handling also got cleaned up. The `anon-ws-disable-stacked-tor` package now makes IPv6 socket units conditional rather than always-on. Whonix historically disables IPv6 entirely because there was no IPv6-capable anonymity firewall, and exposing IPv6 sockets without proper firewall rules is an obvious leak vector. Making the socket units conditional means they only activate when IPv6 is explicitly enabled by the user, which is a cleaner implementation than the previous approach of disabling everything system-wide and hoping nothing breaks.

On the application side, the `anon-apps-config` package removed the VLC X11 decoding configuration. This aligns with the Wayland migration that started in Whonix 18.0, where the entire system moved to LXQt on Wayland and Kloak was rewritten to be Wayland-only. Removing X11-specific configurations from pre-installed applications prevents confusion and eliminates dead code that was referencing a display server the system no longer uses.

The Windows installer got improved error handling and a cleaner Hyper-V selection workflow. VirtualBox and Hyper-V conflict on Windows because both compete for hardware virtualization extensions, and running them simultaneously degrades VirtualBox performance to the point of being unusable for most workloads. The installer includes a `DisableHyperV.bat` script that turns off Hyper-V for VirtualBox compatibility, but previous versions handled the selection poorly when users had Hyper-V enabled. The improved workflow in 18.1.4.2 gives better feedback about what will happen when you choose to disable Hyper-V, which features you will lose (Windows Sandbox, WSL2 with Hyper-V backend, etc.), and catches errors more gracefully if the disable process fails.

Point releases like this tend to get ignored, but they reveal something about the project's responsiveness. Whonix sits on a stack that goes Debian at the bottom, Kicksecure in the middle for security hardening, and Whonix on top for anonymity. This 18.1.4.2 release is built on Kicksecure 18.1.4.2, and all three layers need to be maintained for the system to work. The dynamic resolution fingerprinting issue is a textbook case of the anonymity layer getting undermined by something happening at the virtualization layer, two levels below where most users are paying attention. Whonix developers found it and shipped a fix within about two months of discovery. That turnaround, from arraybolt3's December 2025 forum post to a production release in February 2026, is faster than most commercial privacy products respond to disclosed vulnerabilities.

The release is a free download for Windows, macOS, and Linux through VirtualBox. Existing Whonix 18 users can update in place through the Whonix repository without downloading new images. If you are still on Whonix 17, there is a release upgrade path available, but that is a major version jump and should be treated accordingly.

My advice: if you are running Whonix and you have ever resized the VM window, update immediately. The resolution fingerprint is already baked into your VM's configuration data, and the only way to clean it is to either update to 18.1.4.2 where dynamic resolution is off by default, or manually edit your VirtualBox XML config to strip the stored size hints. The update is the easier path.