Debian Openvpn vulnerabilities

CVE-2025-2704 [HIGH] CVE-2025-2704: openvpn - OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows re... OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u3) bullseye: resolved forky: resolved (fixed in 2.6.14-1) sid: resolved (fixed in 2.6.14-1) trixie: resolved (fixed

CVE-2025-13086 [MEDIUM] CVE-2025-13086: openvpn - Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.... Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u4) bullseye: resolved forky: reso

CVE-2025-12106 [CRITICAL] CVE-2025-12106: openvpn - Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an... Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2025-15497 [LOW] CVE-2025-15497: openvpn - Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 all... Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 2.7.0~rc5-1) sid: resolved (fixed in 2.7.0~rc5-1) trixie: resolved

CVE-2025-13751 [LOW] CVE-2025-13751: openvpn - Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1... Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2025-10680 [HIGH] CVE-2025-10680: openvpn - OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote au... OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2024-5594 [CRITICAL] CVE-2024-5594: openvpn - OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an att... OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs. Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u3) bullseye: resolved (fixed in 2.5.1-3+deb11u1) forky: resolved (fixed in 2.6.11-1) sid: resolved (fixed in 2.6.11-1) trixie: reso

CVE-2024-28882 [MEDIUM] CVE-2024-28882: openvpn - OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notific... OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u3) bullseye: resolved forky: resolved (fixed in 2.6.11-1) sid: resolved (fixed in 2.6.11-1) trixie: resolved (fixed in 2.6.11-1)

CVE-2024-4877 [HIGH] CVE-2024-4877: openvpn - OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privi... OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2024-27459 [HIGH] CVE-2024-27459: openvpn - The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send ... The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2024-24974 [HIGH] CVE-2024-24974: openvpn - The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service ... The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2024-27903 [CRITICAL] CVE-2024-27903: openvpn - OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from ... OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2023-46850 [CRITICAL] CVE-2023-46850: openvpn - Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir,... Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u2) bullseye: resolved forky: resolved (fixed in 2.6.7-1) sid: resolved (fixed in 2.6.7-1) trixie: resolved (fixed in 2.6.7-1)

CVE-2023-46849 [HIGH] CVE-2023-46849: openvpn - Using the --fragment option in certain configuration setups OpenVPN version 2.6.... Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service. Scope: local bookworm: resolved (fixed in 2.6.3-1+deb12u2) bullseye: resolved forky: resolved (fixed in 2.6.7-1) sid: resolved (fixed in 2.6.7-1) tr

CVE-2022-0547 [CRITICAL] CVE-2022-0547: openvpn - OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in externa... OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. Scope: local bookworm: resolved (fixed in 2.5.6-1) bullseye: resolved (fixed in 2.5.1-3+deb11u1

CVE-2021-3606 [HIGH] CVE-2021-3606: openvpn - OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dyn... OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe). Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2020-15078 [HIGH] CVE-2020-15078: openvpn - OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentic... OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. Scope: local bookworm: resolved (fixed in 2.5.1-2) bullseye: resolved (fixed in 2.5.1-2) forky: resolved (fixed in 2.5.1-2) sid: r

CVE-2020-11810 [LOW] CVE-2020-11810: openvpn - An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a ... An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (u

CVE-2018-9336 [HIGH] CVE-2018-9336: openvpn - openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4... openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation. Scope: local bookworm: resolved bu

CVE-2017-12166 [CRITICAL] CVE-2017-12166: openvpn - OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer ... OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. Scope: local bookworm: resolved (fixed in 2.4.4-1) bullseye: resolved (fixed in 2.4.4-1) forky: resolved (fixed in 2.4.4-1) sid: resolved (fixed in 2.4.4-1) trixie: resolved (fixed in 2.4.4-1)