CVE Catalog

CVE-2026-35058

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

Risk Assessment

Attackers may exploit this vulnerability to disrupt the operation of the OpenVPN service, potentially leading to downtime for users.

Recommendation

It is recommended to update OpenVPN to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.

Original NVD description (English source)

Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS