Description
A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.
Published: 2026-06-08
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a race condition in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 that can be triggered during TLS session promotion. It leads to a use‑after‑free vulnerability that may cause a server crash or leak heap memory. The primary impact is a denial of service, with the possibility of memory disclosure exposing sensitive information.

Affected Systems

The affected software is the OpenVPN server component, bundled as the OpenVPN application. All releases from 2.6.0 up to and including 2.6.19, and from 2.7_alpha1 through 2.7.1 contain this unpatched race condition. Any system running these versions in a networked environment is potentially vulnerable until the product is updated.

Risk and Exploitability

The CVSS score of 6.1 places the issue in the medium severity band, while the EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote, as the exploit requires an attacker to send crafted traffic that forces TLS session promotion while the race condition is active. Addressing the flaw by applying a vendor‑issued patch is the recommended remediation.

Generated by OpenCVE AI on June 8, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenVPN 2.6.20 or later, or to 2.7.2 or later, depending on your release branch.
  • If an immediate upgrade is not feasible, restrict or block client connections that could trigger TLS session promotion until the patch is applied.
  • Monitor server logs and system metrics for signs of crashes or abnormal memory usage and apply additional controls to limit potentially malicious traffic.

Generated by OpenCVE AI on June 8, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6289-1 openvpn security update
Ubuntu USN Ubuntu USN USN-8286-1 OpenVPN vulnerabilities
History

Mon, 08 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title OpenVPN TLS Session Promotion Race Condition Causing Crash or Memory Leak

Mon, 08 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Openvpn
Openvpn openvpn
Vendors & Products Openvpn
Openvpn openvpn

Mon, 08 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.
Weaknesses CWE-125
CWE-416
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:L'}

Subscriptions

Openvpn Openvpn
cve-icon MITRE

Status: PUBLISHED

Assigner: OpenVPN

Published:

Updated: 2026-06-08T19:59:20.481Z

Reserved: 2026-04-13T10:28:10.354Z

Link: CVE-2026-40215

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T21:16:45.453

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-40215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T23:00:17Z

Weaknesses