Description
VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application.
Published: 2026-04-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in VPN Browser+ 1.1.0.0 allows an unauthenticated user to trigger a denial of service by submitting an oversized search query. The input is not properly validated, causing an unhandled exception that crashes the application. As a result, users lose the ability to use the application and may lose VPN connectivity until the program is restarted.

Affected Systems

VPN Browser+ version 1.1.0.0 is affected. The issue originates from the search functionality of this specific version; no other product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Because authentication is not required, the flaw is trivially reachable from any user accessing the application. Attacking the search box with a large string is likely the exploitation path and can be performed without privileged access.

Generated by OpenCVE AI on April 4, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest VPN Browser+ update that addresses the denial of service vulnerability.
  • If an update is unavailable, disable the search functionality or restrict its use to prevent oversized input.
  • Enable application logging to capture crash events and review logs regularly for unexpected activity.
  • Limit user privileges to reduce the potential impact of a denial of service event.

Generated by OpenCVE AI on April 4, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft vpn Browser+
Vendors & Products Microsoft
Microsoft vpn Browser+

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
References

Sat, 04 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Microsoft VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application. VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application.
Title Microsoft VPN Browser+ 1.1.0.0 Denial of Service VPN Browser+ 1.1.0.0 Denial of Service

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Microsoft VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application.
Title Microsoft VPN Browser+ 1.1.0.0 Denial of Service
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Microsoft Vpn Browser+
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:28:31.164Z

Reserved: 2026-04-04T13:17:12.919Z

Link: CVE-2018-25241

cve-icon Vulnrichment

Updated: 2026-04-06T15:22:56.416Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T14:16:19.623

Modified: 2026-04-16T16:15:56.380

Link: CVE-2018-25241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:46Z

Weaknesses