CVE-2026-35058

EUVD-2026-35197
Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
OpenVPN   CNA   6.9 MEDIUM  NETWORK      HIGH             LOW             CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS 3.x Base Score: (none listed)
EPSS Score Percentile: 10%

Early Detection: affected products identified ahead of NVD analysis through intelligence sources.
Vendor   Product  Version               Source
openvpn  openvpn  2.6.0 ≤ x ≤ 2.6.19    CNA
openvpn  openvpn  x ≤ 2.7.1             CNA
Debian Releases

Debian Product  Codename             Version            Status
openvpn         bookworm                                vulnerable
openvpn         bookworm (security)  2.6.14-0+deb12u1   fixed
openvpn         bullseye                                vulnerable
openvpn         bullseye (security)                     vulnerable
openvpn         forky                2.7.3-1            fixed
openvpn         sid                  2.7.3-1            fixed
openvpn         trixie                                  vulnerable
openvpn         trixie (security)    2.6.14-1+deb13u2   fixed
Ubuntu Releases

Ubuntu Product  Codename  Version                          Status
openvpn         bionic                                     needs-triage
openvpn         focal                                      needs-triage
openvpn         jammy     Fixed 2.5.11-0ubuntu0.22.04.3    released
openvpn         noble     Fixed 2.6.19-0ubuntu0.24.04.2    released
openvpn         questing  Fixed 2.6.19-0ubuntu0.25.10.2    released
openvpn         resolute  Fixed 2.7.0-1ubuntu1.1           released
openvpn         trusty                                     needs-triage
openvpn         xenial                                     needs-triage
Amazon Linux Releases

Amazon Package      Release            Version                   Status
openvpn             Amazon Linux 2023  0:2.6.12-1.amzn2023.0.4   fixed
openvpn-debuginfo   Amazon Linux 2023  0:2.6.12-1.amzn2023.0.4   fixed
openvpn-debugsource Amazon Linux 2023  0:2.6.12-1.amzn2023.0.4   fixed
openvpn-devel       Amazon Linux 2023  0:2.6.12-1.amzn2023.0.4   fixed