CVE-2026-35058
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.
Risk Assessment
Attackers may exploit this vulnerability to disrupt the operation of the OpenVPN service, potentially leading to downtime for users.
Recommendation
It is recommended to update OpenVPN to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.
Original NVD description (English source)
Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

