CVE-2026-35058

Awaiting Analysis Awaiting Analysis - Queue

Improper Packet Length Validation in OpenVPN Leads to DoS

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: OpenVPN Inc.

Description

Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-08

Last Modified

2026-06-08

Generated

2026-06-29

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-27

NVD

CVE-2026-35058

EUVD

EUVD-2026-35197

Affected Vendors & Products

Vendor	Product	Version / Range
openvpn	openvpn	From 2.6.0 (inc) to 2.6.19 (inc)
openvpn	openvpn	From 2.7_alpha1 (inc) to 2.7.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-617	The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for abnormal OpenVPN server crashes or denial of service events triggered by specially crafted packets targeting the TLS Crypt v2 feature.

Detection involves identifying malicious packets that manipulate the Wrapped Key Content (WKC) length field to zero, causing assertion failures in the tls_crypt_unwrap() function.

Since the exploit requires a valid TLS Crypt v2 client key and a three-packet setup to establish session context, network traffic analysis tools can be used to capture and inspect OpenVPN control channel packets for suspicious sequences.

Specific commands are not provided in the available resources, but using packet capture tools like tcpdump or Wireshark to filter OpenVPN TLS Crypt v2 packets and looking for unusual WKC length fields or repeated assertion failures in OpenVPN logs can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to apply the official patch released on April 26, 2026, which fixes the improper validation of packet length in the TLS Crypt v2 key extraction functionality.

Until the patch is applied, consider restricting access to the OpenVPN server to trusted clients only, as exploitation requires a valid TLS Crypt v2 client key.

Monitoring OpenVPN server logs for assertion failures and unusual disconnects can help identify ongoing exploitation attempts.

Additionally, ensure that OpenVPN versions are upgraded to 2.6.20 or later, or 2.7.2 or later, where the vulnerability is resolved.

Executive Summary

This vulnerability involves improper validation of packet length during the tls-crypt-v2 key extraction process in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1.

An authenticated attacker can exploit this flaw by sending a specially crafted packet that triggers a fatal assertion, causing the OpenVPN service to crash.

This results in a denial of service condition.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) attack.

An attacker who is authenticated can cause the OpenVPN service to crash by sending a specially crafted packet, disrupting VPN connectivity and potentially affecting network availability.

Hi! I’m here to help you understand CVE-2026-35058. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70