CVE-2023-46850 — Use After Free in Access Server

CWE-416 — Use After Free8 documents7 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

2.0%

top 16.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openvpn Openvpn Access Server Openvpn Access Server +3 more

Timeline

PublishedNov 11

Latest updateSep 12

Description

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶NVDopenvpn/openvpn_access_server2.12.0 — 2.12.2+1

▶Debianopenvpn/openvpn< 2.6.3-1+deb12u2+2

▶Ubuntuopenvpn/openvpn< 2.6.5-0ubuntu1.1

▶NVDopenvpn/openvpn2.6.0 — 2.6.6

▶CVEListV5openvpn/openvpn_22.6.0 — 2.6.6

Also affects: Debian Linux 12.0, Fedora 39

🔴Vulnerability Details

OSV

openvpn vulnerabilities↗2023-11-16

▶

GHSA

GHSA-jg57-vh55-3g23: Use after free in OpenVPN version 2↗2023-11-11

▶

OSV

CVE-2023-46850: Use after free in OpenVPN version 2↗2023-11-11

▶

CVEList

CVE-2023-46850: Use after free in OpenVPN version 2↗2023-11-11

▶

📋Vendor Advisories

CISA ICS

Siemens SINEMA↗2024-09-12

▶

Ubuntu

OpenVPN vulnerabilities↗2023-11-16

▶

Debian

CVE-2023-46850: openvpn - Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir,...↗2023

▶