6.9
CVE-2026-35058
- EPSS 0.32%
- Veröffentlicht 08.06.2026 19:29:56
- Zuletzt bearbeitet 09.06.2026 02:08:28
- Quelle security@openvpn.net
- CVE-Watchlists
- Unerledigt
Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerOpenVPN
≫
Produkt
OpenVPN
Default Statusunaffected
Version <=
2.6.19
Version
2.6.0
Status
affected
Version <=
2.7.1
Version
2.7_alpha1
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.233 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@openvpn.net | 6.9 | 0 | 0 |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-617 Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
https://community.openvpn.net/Security%20Announcements/CVE-2026-35058
https://community.openvpn.net/ReleaseHistory#openvpn-272-released-22-april-2026
https://community.openvpn.net/ReleaseHistory#openvpn-2620-released-22-april-2026
https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2381