Executive Summary

CVE-2026-39312 is a high-severity pre-authentication denial-of-service (DoS) vulnerability in SoftEther VPN Developer Edition version 5.2.5188 and likely earlier versions. It occurs because the vpnserver process improperly handles EAP-TLS fragment reassembly during PPP authentication over raw L2TP (UDP port 1701).

Specifically, the server reads a 32-bit TlsLength field from an attacker-controlled EAP-TLS packet and uses this value to allocate memory without validating an upper bound. An attacker can set this length to an extremely large value (0xFFFFFFFF), causing the memory allocation to fail and the vpnserver process to crash.

This crash terminates all active VPN sessions. The attack can be performed remotely without authentication by sending a single malformed EAP-TLS packet over raw L2TP, exploiting the lack of encryption and the use of a hardcoded default IPsec pre-shared key.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service by crashing the SoftEther VPN server process.

• All active VPN sessions are terminated when the vpnserver process crashes.
• Although the server automatically restarts within a few seconds, a sustained attack can cause persistent service disruption.
• This results in loss of availability of the VPN service, potentially interrupting business operations and remote access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual crashes of the SoftEther VPN Developer Edition server process (vpnserver), especially those accompanied by the error message "Fatal Error: MallocEx() error: too large size."

Network detection involves capturing and analyzing UDP traffic on port 1701 (raw L2TP) for malformed EAP-TLS packets with suspicious characteristics such as a TLS Length field set to an abnormally large value (e.g., 0xFFFFFFFF).

Suggested commands to detect potential exploitation attempts include using packet capture tools like tcpdump or Wireshark to filter and inspect UDP port 1701 traffic:

• tcpdump -i <interface> udp port 1701 -w l2tp_capture.pcap
• wireshark l2tp_capture.pcap (then filter for EAP-TLS packets with abnormal TLS Length values)

Additionally, monitoring system logs for repeated vpnserver crashes or restarts within short intervals can indicate ongoing exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or blocking unauthenticated UDP traffic on port 1701 to the SoftEther VPN server to prevent attackers from sending malformed EAP-TLS packets.

Replacing the hardcoded default IPsec pre-shared key (PSK) "vpn" with a strong, randomly generated key reduces the attack surface by preventing easy unauthorized access.

Since no patched versions currently exist, consider implementing network-level protections such as firewall rules or intrusion prevention systems to detect and block malformed L2TP/EAP-TLS packets.

Monitoring and alerting on vpnserver process crashes can help identify ongoing attacks and respond promptly.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-39312 is a denial-of-service vulnerability that allows an unauthenticated remote attacker to crash the SoftEther VPN Developer Edition server process, causing all active VPN sessions to be terminated.

While the vulnerability does not impact confidentiality or integrity directly, the high availability impact could affect compliance with standards and regulations such as GDPR or HIPAA, which require maintaining availability and reliability of critical systems.

Repeated denial-of-service attacks could disrupt secure VPN connectivity, potentially hindering secure access to sensitive data or systems, which may lead to non-compliance with availability and service continuity requirements in these regulations.

However, the CVE description and resources do not explicitly mention compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0