OpenVPN Race Condition Vulnerability in TLS Session Promotion Allowing Server Crash or Memory Leak

Vulnerability

A race condition vulnerability has been identified in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1. This vulnerability allows remote attackers to potentially cause a server crash or leak heap memory by exploiting a use-after-free condition during the promotion of TLS sessions.

Impact

Exploitation of this vulnerability can lead to a server crash or unauthorized memory access, potentially allowing for further exploitation.

Added: Jun 8, 2026, 9:22 PM

Updated: Jun 8, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

5.0

exploitability

6.4

remediation

0.0

relevance

9.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

5.0

exploitability

6.4

remediation

0.0

relevance

9.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenVPN Race Condition Vulnerability in TLS Session Promotion Allowing Server Crash or Memory Leak

Vulnerability

Impact

Affected Products

OpenVPN

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating