CVE Catalog

CVE-2026-40215

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile - higher than 38% of all known CVEs

Summary

A race condition in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

Risk Assessment

The organization may be exposed to server crashes and potential data leaks, which could lead to loss of confidentiality and availability of services.

Recommendation

It is recommended to update OpenVPN to the latest version to mitigate this vulnerability and to monitor server logs for potential attack attempts.

Original NVD description (English source)

A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS