Race Condition Vulnerability in OpenVPN Product by OpenVPN Inc.
CVE-2026-40215

6.1 MEDIUM

Key Information:

Vendor: OpenVPN

Status
Vendor
CVE Published: 8 June 2026

What is CVE-2026-40215?

A race condition has been identified in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1. The vulnerability arises from a use-after-free that occurs during the promotion of TLS sessions. Remote attackers could exploit this flaw to crash the server or leak sensitive heap memory. Users of affected versions should be aware of this issue and take appropriate measures to mitigate potential risks.

Affected Version(s)

  • OpenVPN 2.6.0 through 2.6.19

  • OpenVPN 2.7_alpha1 through 2.7.1

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
