Description
A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
Published: 2026-07-06
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a memory leak in OpenVPN's handling of the TLS‑Crypt‑V2 client key. This weakness, identified by CWE‑401 and CWE‑770, allows a remote attacker to exhaust the service’s memory over time and potentially cause a denial of service. The leak accumulates with each authenticated TLS‑Crypt‑V2 session, and no other system resources are affected directly, but the sustained leak could render the VPN service unavailable. The description states the leak is present in versions 2.5.0–2.5.11, 2.6.0–2.6.20 and 2.7_alpha1–2.7.4 and that an attacker must possess a valid TLS‑Crypt‑V2 client key, implying the attack requires prior authentication to the VPN.

Affected Systems

This vulnerability affects the OpenVPN product across multiple releases, specifically versions 2.5.0 to 2.5.11, 2.6.0 to 2.6.20, and 2.7_alpha1 to 2.7.4. Any deployment of OpenVPN using TLS‑Crypt‑V2 client keys while running any of these affected versions is at risk. No other vendors or product families are listed in the current data.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity, and the EPSS score is not available, so current data do not quantify the likelihood of exploitation. The vulnerability is not present in CISA’s KEV catalog. Because an attacker must first acquire a valid TLS‑Crypt‑V2 client key, the attack vector is likely remote, authenticated. Once authenticated, the attacker can maintain sessions that trigger the memory leak, causing the service to run out of memory and fail, which constitutes a denial of service.

Generated by OpenCVE AI on July 7, 2026 at 05:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched OpenVPN version that resolves the memory leak (consult the vendor for the most recent stable release).
  • If an upgrade is not feasible immediately, replace or regenerate TLS‑Crypt‑V2 client keys and enforce strict key rotation to limit the window of attack.
  • Implement memory usage monitoring and automatic service restarts when resource thresholds are exceeded to prevent prolonged outages.

Generated by OpenCVE AI on July 7, 2026 at 05:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4666-1 openvpn security update
Debian DSA Debian DSA DSA-6376-1 openvpn security update
History

Tue, 07 Jul 2026 06:15:00 +0000

Type Values Removed Values Added
Title Memory Leak Causing Remote Denial of Service in OpenVPN

Mon, 06 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Openvpn
Openvpn openvpn
Vendors & Products Openvpn
Openvpn openvpn

Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
Weaknesses CWE-401
CWE-770
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: OpenVPN

Published:

Updated: 2026-07-06T15:28:16.081Z

Reserved: 2026-06-29T11:47:58.522Z

Link: CVE-2026-13698

cve-icon Vulnrichment

Updated: 2026-07-06T15:28:10.841Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T06:00:13Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-770

    Allocation of Resources Without Limits or Throttling