Skip to main content

Softethervpn CVE-2026-39312

| EUVDEUVD-2026-19804 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-04-07 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 17:22 euvd
EUVD-2026-19804
Analysis Generated
Apr 07, 2026 - 17:22 vuln.today
CVE Published
Apr 07, 2026 - 17:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.

AnalysisAI

Remote unauthenticated denial-of-service in SoftEther VPN Developer Edition 5.2.5188 and earlier allows attackers to crash the vpnserver process and terminate all active VPN sessions by sending a single malformed EAP-TLS packet over raw L2TP (UDP port 1701). This pre-authentication vulnerability requires no privileges or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling trivial service disruption. No public exploit identified at time of analysis, though the attack mechanism is well-documented in vendor advisory GHSA-q5g3-qhc6-pr3h.

Technical ContextAI

This vulnerability stems from improper memory allocation handling (CWE-789) in SoftEther VPN's EAP-TLS implementation when processing L2TP packets. SoftEther VPN is a multi-protocol open-source VPN solution supporting SSL-VPN, L2TP/IPsec, OpenVPN, and MS-SSTP protocols. The flaw exists in the Developer Edition's L2TP server component, which listens on UDP port 1701 for incoming connections. EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is used for authentication in L2TP/IPsec VPN tunnels. The memory allocation error occurs during pre-authentication packet parsing, before credential validation, allowing the malformed packet to trigger a process crash. This affects the vpnserver daemon that handles all VPN connection multiplexing, making it a single point of failure for all concurrent sessions.

RemediationAI

Users of SoftEther VPN Developer Edition 5.2.5188 or earlier should immediately upgrade to a patched version once released by the vendor. At the time of this analysis, no specific patched version number has been independently confirmed in available data sources. Organizations should monitor the GitHub Security Advisory at https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h for updated patch information and release announcements. As an interim mitigation, administrators should implement network-level access controls restricting UDP port 1701 access to trusted IP ranges only, implement rate-limiting on L2TP connections, or disable L2TP protocol support if alternative VPN protocols can be used. For production environments, consider migrating from Developer Edition to stable release branches if compatible with operational requirements. Deploy network monitoring to detect potential exploit attempts characterized by malformed EAP-TLS packets or unexpected vpnserver process crashes.

Share

CVE-2026-39312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy