Description
Nord VPN 6.14.31 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting an excessively long string in the password field. Attackers can paste a buffer of repeated characters into the password input field to trigger an application crash when attempting to authenticate.
Published: 2026-05-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NordVPN version 6.14.31 contains a buffer overflow in its password entry field that allows an unauthenticated attacker to crash the client by submitting an excessively long string. The flaw occurs when the user attempts to authenticate with a repeated-character buffer that exceeds the expected input size, causing the application to terminate and become unavailable. This weakness is categorized as CWE-789, where unchecked input leads to resource exhaustion and loss of availability.

Affected Systems

The affected product is the NordVPN client for macOS, version 6.14.31 as identified in the vendor product group Nordvpn:NordVPN. Only the macOS version is mentioned in the advisory and registry data.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS data is available, so current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote and does not require authentication: an attacker can simply paste a large password string in the login window to trigger a crash, resulting in denial of service for the end user without affecting confidentiality, integrity, or privilege levels.

Generated by OpenCVE AI on May 25, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NordVPN to the latest version that corrects the password field buffer handling
  • If an update is not immediately available, uninstall the current client and reinstall the most recent release to avoid running the vulnerable code
  • When possible, limit the maximum length of input that can be pasted into the password field to reduce the risk of a crash



Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Nord VPN 6.14.31 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting an excessively long string in the password field. Attackers can paste a buffer of repeated characters into the password input field to trigger an application crash when attempting to authenticate.
Title | | Nord VPN 6.14.31 Denial of Service via Password Field
First Time appeared | | Nordvpn; Nordvpn nordvpn
Weaknesses | | CWE-789
CPEs | | cpe:2.3:a:nordvpn:nordvpn:*:*:*:*:*:macos:*:*
Vendors & Products | | Nordvpn; Nordvpn nordvpn
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:13.971Z

Reserved: 2026-05-25T13:35:56.999Z

Link: CVE-2018-25368

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T16:30:15Z

Weaknesses