Description
NordVPN 6.19.6 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the email input field. Attackers can paste a buffer of 100,000 characters into the email field during login to trigger an application crash.
Published: 2026-03-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via local email field buffer overflow
Action: Patch Update
AI Analysis

Impact

A local attacker can cause the NordVPN client to crash by entering an excessively long string—over 100,000 characters—into the email input field during the login process. The overflow triggers a buffer corruption that terminates the application, resulting in loss of availability without compromising data integrity or confidentiality.

Affected Systems

The vulnerability specifically affects the Windows version 6.19.6 of the NordVPN client. Other product versions are listed in the CPE data, but the official description only identifies 6.19.6 as impacted.

Risk and Exploitability

The flaw has a CVSS score of 6.9, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires local access and manual input of an oversized email string, the attack vector is local and non-remote. An attacker with local privileges can easily trigger the crash, leading to repeated service disruption. The risk is therefore moderate but notable for environments where NordVPN usability is essential.

Generated by OpenCVE AI on March 21, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NordVPN to the latest version (6.19.7 or newer) as soon as it becomes available.
  • If an update is unavailable, avoid using the login email field or terminate the application after troubleshooting to prevent repeated crashes.
  • Keep the host operating system updated to mitigate related buffer‑overflow exploitation vectors.
  • Check NordVPN’s support channels for additional guidance and confirm that the issue is resolved in subsequent releases.

Generated by OpenCVE AI on March 21, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nordvpn:nordvpn:*:*:*:*:*:windows:*:*

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 21 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description NordVPN 6.19.6 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the email input field. Attackers can paste a buffer of 100,000 characters into the email field during login to trigger an application crash.
Title NordVPN 6.19.6 Denial of Service via Email Field Buffer Overflow
First Time appeared Nordvpn
Nordvpn nordvpn
Weaknesses CWE-1260
CPEs cpe:2.3:a:nordvpn:nordvpn:3.3.10:*:*:*:*:macos:*:*
cpe:2.3:a:nordvpn:nordvpn:6.12.7.0:*:*:*:*:windows:*:*
cpe:2.3:a:nordvpn:nordvpn:6.14.28.0:*:*:*:*:*:*:*
cpe:2.3:a:nordvpn:nordvpn:6.19.6:*:*:*:*:*:*:*
Vendors & Products Nordvpn
Nordvpn nordvpn
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nordvpn Nordvpn
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:38:06.456Z

Reserved: 2026-03-21T12:40:32.843Z

Link: CVE-2019-25572

cve-icon Vulnrichment

Updated: 2026-03-23T15:38:01.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-21T13:16:21.200

Modified: 2026-04-15T17:12:40.193

Link: CVE-2019-25572

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:47:11Z

Weaknesses