OpenVPN Patches 7 Security Flaws, Server Crash Risk Confirmed
OpenVPN released version 2.7.5 of its open source VPN client/server on July 2, 2026, bringing fixes for seven security flaws. What do these vulnerabilities involve? What are the risks? Here’s what we know.
7 CVEs Fixed in OpenVPN
OpenVPN remains one of the most widely deployed open source VPN solutions, both for business remote access and for individuals running their own server. A wave of seven security fixes in a project like this is worth paying attention to.
Version 2.7.5, released by developer Frank Lichtenheld, fixes bugs affecting either the server or the client, depending on the flaw. According to the official changelog published on the project’s GitHub repository, the seven vulnerabilities fixed are as follows:
- CVE-2026-13379 (CVSS 8.6 / 10): on Windows, state pollution of the DNS SearchList setting in the openvpnserv service during the connect and disconnect phases. Certain combinations of --dns options and local DNS configuration could corrupt the machine’s existing DNS settings.
- CVE-2026-12996: a use-after-free flaw in the ack_write_buf() function, triggerable by a synchronized sequence of packets on the control and authentication channel.
- CVE-2026-13117: a second use-after-free flaw, this time in tls_wrap_reneg(), caused by an appropriate sequence of dynamic tls-crypt control packets.
- CVE-2026-13122: a server crash when receiving a malformed auth-token, when the --auth-gen-token external-auth option is enabled.
- CVE-2026-12932: a memory leak in the handling of tls-crypt-v2 client keys, which could lead to memory exhaustion and then a server crash.
- CVE-2026-13698: another memory leak, triggered by specific tls-crypt-v2 packets, also with a risk of memory exhaustion and server crash (denial of service).
- CVE-2026-11771: a one-byte buffer overflow in the processing of NTLMv2 proxy responses.
Several of these bugs were reported by security researchers credited in the changelog, including Tristan Madani (@TristanInSec) for the NTLMv2 flaw, as well as Valton Tahiri and Max Fillinger for the memory leaks related to tls-crypt-v2.
My takeaway after reading this security bulletin is that most of these flaws do not lead to remote code execution, but rather to denial of service. Even if that is less severe, it is far from trivial: taking down a VPN server can disrupt users whenever it provides an organization’s remote access. This is not the first time OpenVPN has fixed this kind of issue either: in April 2025, the CVE-2025-2704 flaw could already crash a VPN server.
Some Bugs Were Deliberately Excluded
The count could have been even higher with this new OpenVPN release. Several additional bugs were reported as security flaws, but the development team chose not to classify them as such. That is the case for the tun-mtu bug (reported by Haiyang Huang) and for a multi-socket handling issue raised through the ZeroPath tool, which was ultimately considered bad code rather than an exploitable vulnerability.
If you use OpenVPN, I strongly recommend updating to 2.7.5. The MSI installer for the Windows client is available from the OpenVPN downloads page, and the Linux packages are available through the repositories.
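To act on that recommendation across a fleet, an administrator needs two things: whether a host still runs a version older than 2.7.5, and whether its configuration enables the options named in the fixed CVEs (tls-crypt-v2, --auth-gen-token external-auth, --dns). The following POSIX shell script is an added example written for this article, not code from the OpenVPN project; it assumes the openvpn binary is on PATH and that the first line of `openvpn --version` starts with "OpenVPN <version>", which is the banner format the 2.x releases print.

```shell
#!/bin/sh
# Added example (not from the OpenVPN project): flag installations older than
# 2.7.5 and server/client configs that enable options named in the 2.7.5 fixes.

# version_lt A B: returns 0 (true) if dotted version A is older than B.
# Missing components count as 0, and a suffix such as "_rc1" is ignored.
version_lt() {
  v1=$1; v2=$2
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$v1" | awk -F. -v i="$i" '{ s=$i; sub(/[^0-9].*/, "", s); print s }')
    b=$(printf '%s' "$v2" | awk -F. -v i="$i" '{ s=$i; sub(/[^0-9].*/, "", s); print s }')
    a=${a:-0}; b=${b:-0}
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Extract the version from the first line of the "openvpn --version" banner,
# e.g. "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] ..." -> "2.6.12".
openvpn_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print, one per line, the advisory-relevant directives found in a config file.
# Comments (# or ;) are stripped first so commented-out lines do not count.
advisory_options_in_config() {
  sed 's/[#;].*//' "$1" | awk '
    $1 == "auth-gen-token" { for (i = 2; i <= NF; i++) if ($i == "external-auth") print "auth-gen-token external-auth (CVE-2026-13122)" }
    $1 == "tls-crypt-v2"   { print "tls-crypt-v2 (CVE-2026-12932, CVE-2026-13698)" }
    $1 == "dns"            { print "dns (CVE-2026-13379, Windows client)" }
  '
}

# Assumed fixed version, taken from the changelog discussed above.
FIXED_VERSION=2.7.5

main() {
  conf=$1
  banner=$(openvpn --version 2>/dev/null | head -n 1)
  ver=$(openvpn_version_from_banner "$banner")
  if [ -z "$ver" ]; then
    echo "openvpn binary not found or banner not recognised"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "OpenVPN $ver is older than $FIXED_VERSION: update required"
  else
    echo "OpenVPN $ver is at or above $FIXED_VERSION"
  fi
  if [ -f "$conf" ]; then
    echo "Options from the 2.7.5 advisory present in $conf:"
    advisory_options_in_config "$conf" | sed 's/^/  /'
  fi
}

# Usage: OPENVPN_CONF=/etc/openvpn/server.conf sh check_openvpn.sh
if [ -n "${OPENVPN_CONF:-}" ]; then
  main "$OPENVPN_CONF"
fi
```

The config check is about exposure, not exploitability: a server below 2.7.5 should be updated regardless, but the listed options show which of the denial-of-service paths (malformed auth-token, tls-crypt-v2 memory leaks) apply to a given deployment and therefore which hosts to patch first.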