Packet Length Validation Flaw in OpenVPN by OpenVPN Technologies
CVE-2026-35058

6.9MEDIUM

Key Information:

Vendor

Openvpn
Status
Openvpn
Vendor
CVE Published:
8 June 2026

What is CVE-2026-35058?

The vulnerability discovered in OpenVPN affects versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1, allowing authenticated attackers to exploit improper validation of packet length during TLS-crypt-v2 key extraction. This flaw can lead to a denial of service condition, enabling attackers to trigger fatal assertions through specially crafted packets, disrupting the service’s availability.

Affected Version(s)

OpenVPN 2.6.0 <= 2.6.19

OpenVPN 2.7_alpha1 <= 2.7.1

References

https://community.openvpn.net/Security%20Announcements/CV...
vendor-advisory
https://community.openvpn.net/ReleaseHistory#openvpn-272-...
release-notes
https://community.openvpn.net/ReleaseHistory#openvpn-2620...
release-notes

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.