Skip to main content

OpenVPN CVE-2026-35058

| EUVDEUVD-2026-35197 MEDIUM
Reachable Assertion (CWE-617)
2026-04-22
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 20:25 vuln.today
Analysis Generated
Jun 08, 2026 - 20:25 vuln.today
CVSS changed
Jun 08, 2026 - 20:22 NVD
6.9 (MEDIUM)
Patch released
Apr 24, 2026 - 12:21 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:46 nvd
N/A

Description PRE-NVD

Disclosed via GitHub release of openvpn/openvpn. NVD scoring and full description are pending.

AnalysisAI

Remote denial-of-service in OpenVPN server allows a low-privileged network attacker possessing a valid tls-crypt-v2 client key to crash the server daemon by sending a suitably malformed packet that passes cryptographic validation but triggers a fatal ASSERT() failure, terminating the server process and disconnecting all active VPN sessions. The vulnerability is limited to deployments with tls-crypt-v2 enabled and requires possession of a legitimate client key, constraining the attacker pool. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

OpenVPN's tls-crypt-v2 feature, introduced in version 2.5, wraps TLS handshake traffic with a per-client pre-shared HMAC key to provide an obfuscation and access-control layer before TLS negotiation begins. The root cause class is CWE-617 (Reachable Assertion): an internal invariant enforced by an ASSERT() macro in the server's packet processing code can be violated by attacker-controlled input. Critically, the malformed packet must first pass the tls-crypt-v2 HMAC/decryption check - meaning only packets carrying a cryptographically valid tls-crypt-v2 key reach the vulnerable assertion. When the assertion fires, the server process aborts abnormally, producing a complete availability failure. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:L/UI:P/VA:H/SA:H) confirms a network-reachable, high-availability-impact vulnerability where high complexity and present attack requirements reflect the need for precise packet construction and key possession. No CPE strings were included in the provided intelligence data.

RemediationAI

Upgrade OpenVPN to v2.6.20 (for the 2.6.x branch) or v2.7.2 (for the 2.7.x branch), both released 22 April 2026. The official GitHub release containing the fix is at https://github.com/OpenVPN/openvpn/releases/tag/v2.6.20. Ubuntu users should apply the package updates described in USN-8286-1 at https://ubuntu.com/security/notices/USN-8286-1. Windows community installers are available at https://openvpn.net/community-downloads/. For operators unable to patch immediately, disabling tls-crypt-v2 and reverting to tls-crypt or tls-auth removes the vulnerable code path entirely, though it eliminates per-client key isolation - a security regression that should be weighed against the DoS exposure. Alternatively, restricting which clients receive tls-crypt-v2 keys reduces the attacker pool but does not prevent exploitation by any current key holder. Firewall rules restricting OpenVPN port access to known client IP ranges provide additional perimeter reduction but cannot fully substitute for patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-35058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy