Advisory

Critical vulnerability in OpenVPN Windows driver enables system crashes

Take action: This falls under "not great, not terrible". A malicious user or program already on your computer can craft messages that abuse the OpenVPN driver and crash your system, repeatedly. So it's good to track OpenVPN for the next stable release and update your OpenVPN on Windows. But it's not a panic-mode patch, because if attackers or malicious programs are already on your computer, they can do a lot more harm than crashing it by abusing OpenVPN.


Learn More

OpenVPN has addressed a critical buffer overflow vulnerability in its Windows Data Channel Offload (DCO) driver that allows local attackers to crash systems by sending oversized control messages to the kernel driver.

The vulnerability is tracked as CVE-2025-50054 (CVSS score 9.8) and is described as a buffer overflow vulnerability in the OpenVPN ovpn-dco-win driver. It affects ovpn-dco-win driver versions 1.3.0 and earlier and versions 2.5.8 and earlier, and allows a local user process to send an oversized control message buffer to the kernel driver, resulting in a system crash.

The ovpn-dco-win driver, which stands for "OpenVPN Data Channel Offload for Windows," has been the default virtual network adapter in OpenVPN since version 2.6. Unlike the traditional approach, the DCO driver processes VPN traffic directly in the Windows kernel rather than shuttling data back and forth between user and kernel space, which substantially improves performance.

The vulnerability can be exploited by unprivileged processes, meaning attackers don't need administrative privileges to crash the system. This significantly lowers the barrier for exploitation, as any local user or malicious application running with standard user privileges could potentially trigger the buffer overflow.

Affected versions:

  • OpenVPN ovpn-dco-win driver version 1.3.0 and earlier
  • OpenVPN ovpn-dco-win driver version 2.5.8 and earlier
  • OpenVPN GUI for Windows versions 2.6.0-I005 through 2.6.14-I001
  • OpenVPN GUI version 2.7_alpha1-I001

Patched versions:

  • OpenVPN GUI version 2.6.14-I002 and newer
  • OpenVPN GUI version 2.7_alpha2-I001 and newer

Security experts recommend that users of affected versions update to patched versions as soon as stable releases become available.
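To make the affected and patched ranges above easy to apply during triage, here is an added example (not code from OpenVPN or from this advisory) that parses OpenVPN GUI and ovpn-dco-win version strings and classifies them against the ranges listed above. The ordering rules for "-Innn" build tags and "_alphaN" pre-release tags are an assumption made for this example.

```python
import re

# Version ranges below are copied from the advisory text. The parsing scheme for
# "-Innn" build tags and "_alphaN" pre-release tags is an assumption of this example.
_VER_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(alpha|beta|rc)(\d+))?(?:-I(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final release sorts last


def parse_version(text):
    """Turn e.g. '2.6.14-I001' or '2.7_alpha1-I001' into a comparable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenVPN version string: {text!r}")
    major, minor, patch, pre, pre_num, build = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRE_RANK[pre], int(pre_num or 0), int(build or 0))


# ovpn-dco-win: "1.3.0 and earlier" and "2.5.8 and earlier" are affected.
_DRIVER_AFFECTED_MAX = [parse_version("1.3.0"), parse_version("2.5.8")]


def driver_status(text):
    """Return 'affected' or 'patched' for an ovpn-dco-win driver version."""
    v = parse_version(text)
    return "affected" if any(v <= top for top in _DRIVER_AFFECTED_MAX) else "patched"


# OpenVPN GUI: (affected_low, affected_high, first_patched) per release branch.
_GUI_RANGES = [
    (parse_version("2.6.0-I005"), parse_version("2.6.14-I001"), parse_version("2.6.14-I002")),
    (parse_version("2.7_alpha1-I001"), parse_version("2.7_alpha1-I001"), parse_version("2.7_alpha2-I001")),
]


def gui_status(text):
    """Classify an OpenVPN GUI for Windows version against the advisory ranges."""
    v = parse_version(text)
    for low, high, fixed in _GUI_RANGES:
        if low <= v <= high:
            return "affected"
        if v >= fixed and v[:2] == fixed[:2]:  # same major.minor branch as the fix
            return "patched"
    return "not listed"  # builds the advisory does not mention (e.g. pre-2.6.0-I005)


if __name__ == "__main__":
    for ver in ["2.6.14-I001", "2.6.14-I002", "2.7_alpha1-I001", "2.7_alpha2-I001", "2.6.0-I004"]:
        print(f"OpenVPN GUI {ver}: {gui_status(ver)}")
```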