CVE-2026-39312
Pre-Auth DoS in SoftEther VPN via Malformed EAP-TLS Packet
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| softether | softethervpn | up to 5.2.5188 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39312 is a high-severity pre-authentication denial-of-service (DoS) vulnerability in SoftEther VPN Developer Edition version 5.2.5188 and likely earlier versions. It occurs because the vpnserver process improperly handles EAP-TLS fragment reassembly during PPP authentication over raw L2TP (UDP port 1701).
Specifically, the server reads a 32-bit TlsLength field from an attacker-controlled EAP-TLS packet and uses this value to allocate memory without validating an upper bound. An attacker can set this length to an extremely large value (0xFFFFFFFF), causing the memory allocation to fail and the vpnserver process to crash.
This crash terminates all active VPN sessions. The attack can be performed remotely without authentication by sending a single malformed EAP-TLS packet over raw L2TP, exploiting the lack of encryption and the use of a hardcoded default IPsec pre-shared key.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service by crashing the SoftEther VPN server process.
- All active VPN sessions are terminated when the vpnserver process crashes.
- Although the server automatically restarts within a few seconds, a sustained attack can cause persistent service disruption.
- This results in loss of availability of the VPN service, potentially interrupting business operations and remote access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual crashes of the SoftEther VPN Developer Edition server process (vpnserver), especially those accompanied by the error message "Fatal Error: MallocEx() error: too large size."
Network detection involves capturing and analyzing UDP traffic on port 1701 (raw L2TP) for malformed EAP-TLS packets with suspicious characteristics such as a TLS Length field set to an abnormally large value (e.g., 0xFFFFFFFF).
Suggested commands to detect potential exploitation attempts include using packet capture tools like tcpdump or Wireshark to filter and inspect UDP port 1701 traffic:
- `tcpdump -i <interface> udp port 1701 -w l2tp_capture.pcap`
- `wireshark l2tp_capture.pcap` (then filter for EAP-TLS packets with abnormal TLS Length values)
Additionally, monitoring system logs for repeated vpnserver crashes or restarts within short intervals can indicate ongoing exploitation attempts.
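The length-field problem described above (a 32-bit TLS Message Length read from the packet and used to size a buffer without an upper bound) and the detection check for it, as an added illustration that is not SoftEther's code and not part of the advisory: the script parses the EAP-TLS framing defined in RFC 3748 and RFC 5216 from constructed sample packets, flags a declared TLS Message Length that can never be legitimate, and shows a fragment reassembler that validates the declared size before reserving memory. The bound `TLS_HANDSHAKE_MAX`, the helper names and the sample packets are assumptions; the caller is assumed to have already stripped the L2TP and PPP framing and to hand over only the EAP payload.

```python
"""Parse EAP-TLS packets and enforce a bound on the TLS Message Length.

Added illustration, not SoftEther's code.  Layout per RFC 3748 (EAP
header: code, id, length, type) and RFC 5216 (EAP-TLS flags byte and an
optional 4-byte TLS Message Length when the L bit is set).  The caller is
assumed to have stripped the L2TP/PPP framing.
"""
import struct

EAP_TYPE_TLS = 13
FLAG_LENGTH_INCLUDED = 0x80  # "L" bit: 4-byte TLS Message Length follows
FLAG_MORE_FRAGMENTS = 0x40   # "M" bit: more fragments follow
FLAG_START = 0x20            # "S" bit: EAP-TLS Start

# A TLS handshake message carries a 24-bit length, so a declared
# reassembly size above this can never be legitimate.  Deployments may
# pick a much lower policy limit; this value is an assumption, not
# something stated in the advisory.
TLS_HANDSHAKE_MAX = 0xFFFFFF


def parse_eap_tls(packet: bytes) -> dict:
    """Return the parsed fields; raise ValueError on malformed framing."""
    if len(packet) < 6:
        raise ValueError("short EAP-TLS header")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError(f"EAP length {length} != buffer {len(packet)}")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (type {eap_type})")
    flags = packet[5]
    offset = 6
    tls_length = None
    if flags & FLAG_LENGTH_INCLUDED:
        if len(packet) < offset + 4:
            raise ValueError("L flag set but TLS Message Length truncated")
        (tls_length,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return {"code": code, "id": ident, "flags": flags,
            "tls_length": tls_length, "data": packet[offset:]}


def assess_eap_tls(packet: bytes, max_tls_length: int = TLS_HANDSHAKE_MAX) -> list:
    """Detection view: reasons the packet looks hostile (empty = benign)."""
    try:
        p = parse_eap_tls(packet)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    tls_len = p["tls_length"]
    if tls_len is not None:
        if tls_len > max_tls_length:
            findings.append(f"TLS Message Length 0x{tls_len:08x} exceeds bound {max_tls_length}")
        if not (p["flags"] & FLAG_MORE_FRAGMENTS) and tls_len != len(p["data"]):
            findings.append(f"single fragment declares {tls_len} bytes but carries {len(p['data'])}")
    return findings


class BoundedReassembler:
    """Server-side view: reassemble fragments without trusting the declared size."""

    def __init__(self, max_total: int = TLS_HANDSHAKE_MAX):
        self.max_total = max_total
        self.expected = None
        self.buf = bytearray()

    def feed(self, packet: bytes):
        """Add one fragment; return the full message when complete, else None."""
        p = parse_eap_tls(packet)
        if p["tls_length"] is not None:
            # The upper-bound check: reject before reserving any memory.
            if p["tls_length"] > self.max_total:
                raise ValueError("declared TLS length exceeds limit; fragment rejected")
            self.expected = p["tls_length"]
        if self.expected is not None and len(self.buf) + len(p["data"]) > self.expected:
            raise ValueError("fragment overruns declared TLS length")
        self.buf += p["data"]
        done = not (p["flags"] & FLAG_MORE_FRAGMENTS)
        return bytes(self.buf) if done else None


def build_eap_tls(ident: int, flags: int, data: bytes, tls_length=None, code: int = 2) -> bytes:
    """Build an EAP-TLS packet (helper for the constructed samples below)."""
    body = bytes([flags])
    if flags & FLAG_LENGTH_INCLUDED:
        body += struct.pack("!I", len(data) if tls_length is None else tls_length)
    body += data
    return struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_TLS) + body


# Constructed samples (not captured traffic).
BENIGN_FIRST_FRAGMENT = build_eap_tls(
    1, FLAG_LENGTH_INCLUDED | FLAG_MORE_FRAGMENTS, b"\x16\x03\x03" + b"A" * 29, tls_length=1200)
HOSTILE_HUGE_LENGTH = build_eap_tls(
    1, FLAG_LENGTH_INCLUDED, b"\x16\x03\x03\x00\x05" + b"\x00" * 5, tls_length=0xFFFFFFFF)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_FIRST_FRAGMENT), ("hostile", HOSTILE_HUGE_LENGTH)]:
        print(name, assess_eap_tls(pkt) or "no findings")
```

The `assess_eap_tls` function is the shape a sensor check would take over decoded EAP payloads from the port 1701 capture, while `BoundedReassembler` shows the server-side fix pattern: the declared length is compared against a limit before any buffer is reserved, and later fragments may not exceed what was declared.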
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or blocking unauthenticated UDP traffic on port 1701 to the SoftEther VPN server to prevent attackers from sending malformed EAP-TLS packets.
Replacing the hardcoded default IPsec pre-shared key (PSK) "vpn" with a strong, randomly generated key reduces the attack surface by preventing easy unauthorized access.
Since no patched versions currently exist, consider implementing network-level protections such as firewall rules or intrusion prevention systems to detect and block malformed L2TP/EAP-TLS packets.
Monitoring and alerting on vpnserver process crashes can help identify ongoing attacks and respond promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-39312 is a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the SoftEther VPN Developer Edition server process, causing all active VPN sessions to be terminated.
While the vulnerability does not impact confidentiality or integrity directly, the high availability impact could affect compliance with standards and regulations such as GDPR or HIPAA, which require maintaining availability and reliability of critical systems.
Repeated denial-of-service attacks could disrupt secure VPN connectivity, potentially hindering secure access to sensitive data or systems, which may lead to non-compliance with availability and service continuity requirements in these regulations.
However, the CVE description and resources do not explicitly mention compliance implications or specific regulatory impacts.