Impact
The flaw is a memory leak in OpenVPN's handling of the TLS‑Crypt‑V2 client key. This weakness, identified by CWE‑401 and CWE‑770, allows a remote attacker to exhaust the service’s memory over time and potentially cause a denial of service. The leak accumulates with each authenticated TLS‑Crypt‑V2 session, and no other system resources are affected directly, but the sustained leak could render the VPN service unavailable. The description states the leak is present in versions 2.5.0–2.5.11, 2.6.0–2.6.20 and 2.7_alpha1–2.7.4 and that an attacker must possess a valid TLS‑Crypt‑V2 client key, implying the attack requires prior authentication to the VPN.
Affected Systems
This vulnerability affects the OpenVPN product across multiple releases, specifically versions 2.5.0 to 2.5.11, 2.6.0 to 2.6.20, and 2.7_alpha1 to 2.7.4. Any deployment of OpenVPN using TLS‑Crypt‑V2 client keys while running any of these affected versions is at risk. No other vendors or product families are listed in the current data.
Risk and Exploitability
The CVSS score of 6.0 indicates a medium severity, and the EPSS score is not available, so current data do not quantify the likelihood of exploitation. The vulnerability is not present in CISA’s KEV catalog. Because an attacker must first acquire a valid TLS‑Crypt‑V2 client key, the attack vector is likely remote, authenticated. Once authenticated, the attacker can maintain sessions that trigger the memory leak, causing the service to run out of memory and fail, which constitutes a denial of service.
OpenCVE Enrichment
Debian DLA
Debian DSA