CVE-2026-11604
Awaiting Analysis Awaiting Analysis - Queue

Heap-based Buffer Overflow in OpenVPN ovpn-dco-win

Vulnerability report for CVE-2026-11604, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: OpenVPN Inc.

Description

An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win version 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openvpn ovpn-dco-win From 2.0.0 (inc) to 2.8.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an incorrect buffer size calculation in the epoch key generator component of OpenVPN ovpn-dco-win versions 2.0.0 through 2.8.3. It allows a remote authenticated peer to send a specially crafted data packet that triggers a heap-based buffer overflow and kernel memory corruption.

As a result, this can cause the system to crash, leading to a denial of service.

Impact Analysis

The primary impact of this vulnerability is that an attacker who is a remote authenticated peer can cause a system crash by exploiting the heap-based buffer overflow and kernel memory corruption.

This results in a denial of service condition, potentially disrupting normal operations and availability of the affected system.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-11604 in OpenVPN ovpn-dco-win, users should update to the latest patched versions of the software, such as versions 1.3.3, 2.5.9, or later.

These updates address issues related to routing loops, iroute removal, and peer context management that could lead to memory leaks, race conditions, or unauthorized access, thereby reducing the risk of exploitation.

Compliance Impact

The provided information does not specify how the vulnerability in OpenVPN ovpn-dco-win affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart