Race Condition in OpenVPN Leads to Server Crash or Memory Leak

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: OpenVPN Inc.

Description

A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-08

Last Modified

2026-06-08

Generated

2026-06-29

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-27

NVD

CVE-2026-40215

Affected Vendors & Products

Vendor	Product	Version / Range
openvpn	openvpn	From 2.6.0 (inc) to 2.6.19 (inc)
openvpn	openvpn	From 2.7_alpha1 (inc) to 2.7.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-416	The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-125	The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

Executive Summary

This vulnerability is a race condition found in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1. It allows remote attackers to potentially cause a server crash or leak heap memory. The issue arises from a use-after-free error triggered during the TLS session promotion process.

Impact Analysis

The vulnerability can impact you by allowing remote attackers to cause a denial of service through a server crash or potentially leak sensitive information from the server's memory. This could disrupt VPN services and expose data stored in heap memory.

Hi! I’m here to help you understand CVE-2026-40215. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70