CVE-2026-40215 PUBLISHED

Assigner: OpenVPN
Reserved: 13.04.2026 Published: 08.06.2026 Updated: 08.06.2026

A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:L/SI:N/SA:L
CVSS Score: 6.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	Low
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	OpenVPN
Product	OpenVPN
Versions	Default: unaffected affected from 2.6.0 to 2.6.19 (incl.) affected from 2.7_alpha1 to 2.7.1 (incl.)

References

https://community.openvpn.net/Security%20Announcements/CVE-2026-40215
https://community.openvpn.net/ReleaseHistory#openvpn-272-released-22-april-2026
https://community.openvpn.net/ReleaseHistory#openvpn-2620-released-22-april-2026

Problem Types

CWE-125 Out-of-bounds read CWE
CWE-416 Use after free CWE