
OpenVPN Patches 7 Security Flaws, Server Crash Risk Confirmed

OpenVPN released version 2.7.5 of its open source VPN client/server on July 2, 2026, bringing fixes for seven security flaws. What do these vulnerabilities involve? What are the risks? Here’s what we know.

7 CVEs Fixed in OpenVPN

OpenVPN remains one of the most widely deployed open source VPN solutions, both for business remote access and for individuals running their own server. A wave of seven security fixes in a project like this is worth paying attention to.

Version 2.7.5, released by developer Frank Lichtenheld, fixes bugs that affect either the server or the client, depending on the flaw. According to the official changelog published on the project’s GitHub repository, the seven vulnerabilities fixed are as follows:

  • CVE-2026-13379 (CVSS 8.6/10): on Windows, state pollution of the DNS SearchList setting in the openvpnserv service during the connect and disconnect phases. Certain combinations of --dns options and local DNS configuration could corrupt the machine’s existing DNS settings.
  • CVE-2026-12996: a use-after-free flaw in the ack_write_buf() function, triggerable by a synchronized sequence of packets on the control and authentication channel.
  • CVE-2026-13117: a second use-after-free flaw, this time in tls_wrap_reneg(), caused by an appropriate sequence of dynamic tls-crypt control packets.
  • CVE-2026-13122: a server crash when receiving a malformed auth-token, when the --auth-gen-token external-auth option is enabled.
  • CVE-2026-12932: a memory leak in the handling of tls-crypt-v2 client keys, which could lead to memory exhaustion and then a server crash.
  • CVE-2026-13698: another memory leak, triggered by specific tls-crypt-v2 packets, also with a risk of memory exhaustion and server crash (denial of service).
  • CVE-2026-11771: a one-byte buffer overflow in the processing of NTLMv2 proxy responses.
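As an added example (not code from the article or from the OpenVPN project), the following Python script reads the output of `openvpn --version` and a server configuration file and reports, for an instance not yet on 2.7.5, which of the fixed issues its configuration exposes it to; the directive-to-CVE mapping follows the options named in the list above, and the sample version string and configuration are constructed for the example.

```python
import re
FIXED_VERSION = (2, 7, 5)  # release named in the article
# Config directive -> the CVE whose precondition the article ties to it.
EXPOSURE_RULES = [
    ("auth-gen-token", lambda a: "external-auth" in a, "CVE-2026-13122 malformed auth-token crash"),
    ("tls-crypt-v2", lambda a: True, "CVE-2026-12932 / CVE-2026-13698 tls-crypt-v2 memory leaks"),
    ("dns", lambda a: True, "CVE-2026-13379 DNS SearchList pollution (Windows only)"),
]
def parse_version(version_output):
    """(major, minor, patch) from the first line of `openvpn --version`."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no OpenVPN version string found")
    return tuple(int(x) for x in m.groups())
def parse_config(text):
    """(directive, args) pairs; skips comment lines and inline <ca>...</ca> style blocks."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:                       # inside <tag> ... </tag>
            in_block = not line.startswith("</")
        elif line.startswith("<"):
            in_block = True
        else:
            tokens = line.split()
            directives.append((tokens[0].lstrip("-"), tokens[1:]))
    return directives
def triage(version_output, config_text):
    """Reasons to update; empty means 2.7.5+. Any older build is flagged (the two UAFs need no special config)."""
    version = parse_version(version_output)
    if version >= FIXED_VERSION:
        return []
    findings = ["version %d.%d.%d < 2.7.5: update" % version]
    for directive, args in parse_config(config_text):
        for name, applies, cve in EXPOSURE_RULES:
            if directive == name and applies(args):
                findings.append(f"{directive}: {cve}")
    return findings

SAMPLE_VERSION = "OpenVPN 2.7.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]"  # constructed
SAMPLE_CONFIG = """# constructed server config, not taken from the article
<ca>
(certificate body omitted)
</ca>
tls-crypt-v2 /etc/openvpn/server.key
auth-gen-token 0 external-auth
dns search-domains corp.example
"""
```

Running `triage(SAMPLE_VERSION, SAMPLE_CONFIG)` on the constructed input lists the version finding plus the three configuration-dependent CVEs; the proxy overflow is left out of the mapping because the article does not name its client-side directive.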

Several of these bugs were reported by security researchers credited in the changelog, including Tristan Madani (@TristanInSec) for the NTLMv2 flaw, as well as Valton Tahiri and Max Fillinger for the memory leaks related to tls-crypt-v2.

My takeaway after reading this security bulletin is that most of these flaws do not lead to remote code execution, but rather to denial of service. Even if that is less severe, it is far from trivial: taking down a VPN server can disrupt users whenever it provides an organization’s remote access. This is not the first time OpenVPN has fixed this kind of issue either: in April 2025, the CVE-2025-2704 flaw could already crash a VPN server.

Some Bugs Were Deliberately Excluded

The count could have been even higher with this new OpenVPN release. Several other bugs were reported as security flaws, but the development team chose not to classify them as such. That is the case for the tun-mtu bug (reported by Haiyang Huang) and for a multi-socket handling issue raised through the ZeroPath tool, which was ultimately judged to be bad code rather than an exploitable vulnerability.

If you use OpenVPN, I strongly recommend updating to 2.7.5. The MSI installer for the Windows client is available from the OpenVPN downloads page, and the Linux packages are available through the repositories.

Source: OpenVPN - Release v2.7.5 (official changelog)

Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
