Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered crafted packet from authenticated peer (AV:N, PR:L); specific epoch key codepath required (AC:H); kernel driver crash changes scope (S:C); availability-only DoS impact.
Primary rating from Vendor (OpenVPN).
CVSS Vector (Vendor: OpenVPN)
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win version 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service).
Analysis (AI)
Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target Windows host must have the ovpn-dco-win kernel driver loaded and active, meaning the OpenVPN Data Channel Offload feature must be explicitly in use - deployments not utilizing DCO are not affected. … |
| Risk Assessment | The CVSS 4.0 score of 5.6 with vector AV:L/AC:H/AT:P/PR:L/UI:P indicates moderate assessed severity, with high availability impact on both the vulnerable system (VA:H) and subsequent systems (SA:H), reflecting the OS-level crash. … |
| Exploit Scenario | A malicious or compromised VPN client that holds valid authentication credentials connects to a Windows host running ovpn-dco-win 2.0.0-2.8.3 and establishes an authenticated session. The attacker then transmits a crafted data packet engineered to trigger the buffer size miscalculation in the epoch key generator, overflowing a kernel heap allocation and corrupting kernel memory, causing an immediate system crash. … |
| Remediation | Upgrade ovpn-dco-win to the patched release published by OpenVPN; consult https://github.com/OpenVPN/ovpn-dco-win/releases to identify the minimum safe version beyond 2.8.3, as the exact fix version is not specified in the available input data and should not be inferred. … |
EUVD-2026-36151
GHSA-f6c5-28vq-94w2