github OpenVPN/openvpn v2.6.21


Security fixes:

  • Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed
    sequence of control channel + authentication packets (CVE-2026-12996)

    Bug found by multiple researchers:

  • Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable
    sequence of dynamic tls-crypt control-channel packets (CVE-2026-13117)

    Bug found by multiple researchers:

    • Trace37 Labs (github.com/trace37labs)
    • Haiyang Huang

  • Fix server crash on reception of suitably malformed auth-token, if
    --auth-gen-token external-auth is active (CVE-2026-13122)

    Bug found by Haiyang Huang.

  • Fix memory-leak in tls-crypt-v2 client key handling that could lead
    to out-of-memory situations and subsequent server crashes (CVE-2026-12932)

    Bug found by Valton Tahiri.

  • Fix possible 1-byte buffer overrun when handling NTLMv2 proxy
    responses (CVE-2026-11771)

    Bug found by Tristan Madani (@TristanInSec).

  • Fix another memory leak on reception of suitable tls-crypt-v2 packets
    that could lead to an out of memory situation and server crash
    (CVE-2026-13698)

    Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri
    that we believe to be fixed by this change as well.

Bugfixes:

  • Windows: fix plugin trusted-dir check prefix bypass
    (this fixes a bug in the path checking logic we do on Windows for
    "is loading a plugin from this path allowed?", but since we could
    not find a way to exploit it without already having admin privileges
    or resorting to social engineering, it is not classified as a
    security fix)

  • options: fix use-after-free of DNS options on client connect
    (suitable --dns or --dhcp-option DNS options in a server config,
    not pushed but applying to the server itself, trigger a double
    free() and use-after-free condition, possibly crashing the
    server) (GitHub: OpenVPN/openvpn#1060)

  • Null-terminate tls-crypt client keys when testing them (a
    non-exploitable strlen() on a buffer that was not null-terminated)

  • Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug
    where a server can push a suitable combination of options and make the
    client ASSERT().

    (Reported as a security issue by Haiyang Huang, but it was decided
    that the server always has means to make the client "not function
    properly", and this cannot be exploited beyond that)
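To turn the lists above into a per-deployment triage, here is an added example script; it is not code from the OpenVPN project or from this release page. It parses the first line of the `openvpn --version` banner and a server or client config, and reports which of the fixes above the instance is exposed to. Assumptions made here and not stated on the page: the directive spellings matched (`auth-gen-token ... external-auth`, `tls-crypt-v2`, `http-proxy ... ntlm*`, and a non-pushed `dns` / `dhcp-option DNS` line) are taken as the conditions the notes describe; the two control-channel use-after-frees are treated as applicable to any peer, since the notes attach no configuration condition to them; only the 2.6 branch is assessed, because these notes say nothing about which other releases carry the fixes. The sample config is constructed for the example.

```python
"""Triage which of the v2.6.21 fixes apply to a given OpenVPN instance.

Added example, not OpenVPN project code.  Assumptions: the version banner
starts "OpenVPN <major>.<minor>.<patch>", the TRIGGERS directives are the
conditions the release notes describe, and only the 2.6 branch is assessed.
"""
import re

FIXED_26 = (2, 6, 21)  # first 2.6 release carrying these fixes, per the notes

# Fixes the notes tie to no option: assumed applicable to any peer.
UNCONDITIONAL = [
    ("CVE-2026-12996", "use-after-free in ack_write_buf(), control-channel packets"),
    ("CVE-2026-13117", "use-after-free in tls_wrap_reneg(), dynamic tls-crypt packets"),
]

# (regex over a comment-stripped, '--'-stripped config line, identifier, reason).
# Assumption: these spellings correspond to the conditions in the notes.
TRIGGERS = [
    (re.compile(r"^auth-gen-token\b.*\bexternal-auth\b"),
     "CVE-2026-13122", "auth-gen-token external-auth is active"),
    (re.compile(r"^tls-crypt-v2\b"),
     "CVE-2026-12932", "tls-crypt-v2 client key handling leak"),
    (re.compile(r"^tls-crypt-v2\b"),
     "CVE-2026-13698", "second tls-crypt-v2 packet leak"),
    (re.compile(r"^http-proxy\b.*\bntlm"),
     "CVE-2026-11771", "NTLM proxy authentication, 1-byte overrun"),
    # Anchored at line start, so a 'push "dhcp-option DNS ..."' line is skipped:
    # the notes say the bug needs the option applying to the server itself.
    (re.compile(r"^(?:dns\b|dhcp-option\s+DNS\b)"),
     "OpenVPN/openvpn#1060", "server-side --dns/--dhcp-option DNS double free"),
]

# Constructed sample server config (not from the original page).
SAMPLE_SERVER_CONF = """\
# constructed sample, not a real deployment
port 1194
proto udp
dev tun
tls-crypt-v2 server.key
auth-gen-token 3600 external-auth
push "dhcp-option DNS 10.8.0.1"
dhcp-option DNS 192.0.2.53   # applies to the server process itself
"""


def parse_version(banner):
    """Return (major, minor, patch) from the first line of `openvpn --version`."""
    m = re.search(r"\bOpenVPN (\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no OpenVPN version in banner: %r" % banner[:60])
    return tuple(int(g) for g in m.groups())


def is_patched_26(version):
    """True/False for the 2.6 branch; None when these notes do not cover the branch."""
    if tuple(version[:2]) != FIXED_26[:2]:
        return None
    return tuple(version) >= FIXED_26


def _directives(config_text):
    """Yield config lines with trailing comments and a leading '--' removed."""
    for raw in config_text.splitlines():
        # '#' or ';' opens a comment at line start or after whitespace.
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if line:
            yield line[2:] if line.startswith("--") else line


def applicable_fixes(config_text):
    """Map identifier -> reason for every fix this config is exposed to."""
    hits = dict(UNCONDITIONAL)
    for line in _directives(config_text):
        for pattern, ident, reason in TRIGGERS:
            if pattern.search(line):
                hits.setdefault(ident, reason)
    return hits


def triage(banner, config_text):
    """Combine the version verdict with the per-config exposure list."""
    version = parse_version(banner)
    return {"version": version,
            "patched": is_patched_26(version),
            "fixes": applicable_fixes(config_text)}


if __name__ == "__main__":
    # Constructed banner; in practice feed `openvpn --version` output.
    report = triage("OpenVPN 2.6.20 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
                    SAMPLE_SERVER_CONF)
    print("version %d.%d.%d, patched: %s" % (*report["version"], report["patched"]))
    for ident, reason in sorted(report["fixes"].items()):
        print("  %-22s %s" % (ident, reason))
```

A `patched` value of `None` means the running branch is not one these notes describe, so the script makes no claim about it; check that branch's own release notes rather than assuming either way.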

For details see Changes.rst

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.20...v2.6.21
