OpenVPN releases security updates patching HMAC bypass, buffer over-read, and Windows DoS flaws
Take action: Plan a quick update of your OpenVPN installation to version 2.6.17 (stable) or 2.7_rc3 (development) to fix three interesting security flaws. This is not critical, but patching is a wise choice, since OpenVPN is exposed to the internet and someone will eventually find an exploit.
Learn More
OpenVPN has released security updates for both its stable 2.6 branch and development 2.7 branch, patching three vulnerabilities that could compromise VPN security and availability. The vulnerabilities affect multiple versions of OpenVPN, and patches are available in versions 2.6.17 and 2.7_rc3.
Vulnerabilities summary:
- CVE-2025-13086 (CVSS score 9.1) is a logic flaw in the HMAC verification process during the three-way handshake. This vulnerability stems from an inverted memcmp() call in the verification code, which causes the system to incorrectly accept all HMAC cookies regardless of their validity. This programming error effectively breaks source IP address validation, allowing attackers to open TLS sessions and consume server state from IP addresses that never initiated a legitimate connection. This vulnerability affects OpenVPN versions 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1, and has been fixed in versions 2.6.16 and 2.7_rc2.
- CVE-2025-12106 (CVSS score 9.1) affects only the development 2.7 branch. This IPv6 address parsing flaw can cause a buffer over-read on invalid input due to a missing address family check in the get_addr_generic socket function. When the system attempts to parse routes or endpoints, it may copy address data of the wrong type without proper validation, resulting in reading beyond allocated memory boundaries. This memory safety issue could potentially lead to information disclosure or system instability. The vulnerability is present in OpenVPN versions 2.7_alpha1 through 2.7_rc1 and has been patched in version 2.7_rc2.
- CVE-2025-13751 (CVSS score not assigned) is a Windows-specific local denial-of-service issue affecting the interactive service component. This flaw involves an erroneous error-handling routine where the service incorrectly terminates completely when encountering certain error conditions, rather than logging the error and continuing normal operations. Any authenticated local user on a Windows system can trigger this vulnerability, causing the OpenVPN service to exit. Once the service terminates, all VPN connections cease to function until the service is manually restarted or the system is rebooted. This vulnerability requires local access and does not affect the confidentiality or integrity of data, but it is an availability risk and a nuisance in multi-user Windows environments. This issue affects OpenVPN versions 2.6.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2, and has been resolved in versions 2.6.17 and 2.7_rc3.
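The two code-level defects in the list above, the boolean-tested memcmp() behind CVE-2025-13086 and the missing address-family check behind CVE-2025-12106, as an added C example that is not OpenVPN's code and does not reproduce its actual functions: each bug class is shown in a vulnerable form beside a corrected one. Every function name (cookie_ok_inverted, copy_sockaddr_checked and the demo_* helpers) and every sample value (a 0x5A-filled cookie, the endpoint 192.0.2.1:1194 from the documentation range, the 0xCC marker) is constructed for illustration, and the over-read is staged inside a sockaddr_storage so that the demonstration itself never reads out of bounds.

```c
/* Added example, not OpenVPN code: two bug classes from the advisory,
 * each shown as vulnerable form beside corrected form. All names and
 * sample values are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>    /* htons, htonl */
#include <netinet/in.h>   /* sockaddr_in, sockaddr_in6 */
#include <sys/socket.h>   /* AF_INET, AF_INET6, sockaddr_storage, socklen_t */

#define COOKIE_LEN 20   /* size of an HMAC-SHA1 style cookie, chosen for the demo */
#define MARKER 0xCC     /* paint value for bytes past the IPv4 structure */

/* ---- Part 1: memcmp() result tested as a boolean ---------------------- */

/* Vulnerable: memcmp() returns 0 on equality, so treating a nonzero
 * (mismatch) result as success lets a forged cookie pass. */
int cookie_ok_inverted(const uint8_t *expected, const uint8_t *received)
{
    if (memcmp(expected, received, COOKIE_LEN)) {
        return 1;   /* BUG: mismatch accepted */
    }
    return 0;
}

/* Corrected: explicit equality test, done in constant time so the
 * comparison does not leak how many leading bytes matched. */
int cookie_ok_fixed(const uint8_t *expected, const uint8_t *received)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++) {
        diff |= (uint8_t)(expected[i] ^ received[i]);
    }
    return diff == 0;
}

/* Constructed sample: a genuine cookie and one with a single bit flipped. */
void make_cookies(uint8_t *good, uint8_t *bad)
{
    memset(good, 0x5A, COOKIE_LEN);
    memcpy(bad, good, COOKIE_LEN);
    bad[COOKIE_LEN - 1] ^= 0x01;
}

int demo_inverted_accepts_forged(void)
{
    uint8_t good[COOKIE_LEN], bad[COOKIE_LEN];
    make_cookies(good, bad);
    return cookie_ok_inverted(good, bad);   /* 1: forged cookie passes */
}

int demo_fixed_rejects_forged(void)
{
    uint8_t good[COOKIE_LEN], bad[COOKIE_LEN];
    make_cookies(good, bad);
    return cookie_ok_fixed(good, bad);      /* 0: forged cookie refused */
}

/* ---- Part 2: copying a socket address by the wrong family -------------- */

/* Constructed sample: an IPv4 endpoint 192.0.2.1:1194 placed in a
 * sockaddr_storage whose remaining bytes are painted with MARKER, so any
 * copy that runs past the 16-byte sockaddr_in becomes visible. */
void make_v4_sample(struct sockaddr_storage *ss)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    memset(ss, MARKER, sizeof *ss);
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(1194);
    sin->sin_addr.s_addr = htonl(0xC0000201u);   /* 192.0.2.1 */
}

/* Vulnerable: copy length comes from the family the caller wants, never
 * from what the source actually holds. Returns bytes copied. */
size_t copy_sockaddr_unchecked(int want_family, const void *src, void *dst)
{
    size_t n = (want_family == AF_INET6) ? sizeof(struct sockaddr_in6)
                                         : sizeof(struct sockaddr_in);
    memcpy(dst, src, n);
    return n;
}

/* Corrected: refuse a family mismatch and bound the copy by both the real
 * source length and the destination size. Returns 0 on success, -1 on reject. */
int copy_sockaddr_checked(int want_family, const struct sockaddr *src,
                          socklen_t srclen, void *dst, size_t dstlen)
{
    if (src->sa_family != want_family) {
        return -1;                                  /* the missing family check */
    }
    size_t need = (want_family == AF_INET6) ? sizeof(struct sockaddr_in6)
                                            : sizeof(struct sockaddr_in);
    if (srclen < need || dstlen < need) {
        return -1;                                  /* length check */
    }
    memcpy(dst, src, need);
    return 0;
}

/* Counts MARKER bytes the unchecked copy pulled in when asked for IPv6 from
 * an IPv4 source; any value > 0 is data read past the sockaddr_in. */
size_t demo_unchecked_overread(void)
{
    struct sockaddr_storage ss;
    uint8_t out[sizeof(struct sockaddr_in6)];
    make_v4_sample(&ss);
    size_t n = copy_sockaddr_unchecked(AF_INET6, &ss, out);
    size_t marked = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] == MARKER) marked++;
    }
    return marked;
}

int demo_checked_rejects_mismatch(void)
{
    struct sockaddr_storage ss;
    uint8_t out[sizeof(struct sockaddr_in6)];
    make_v4_sample(&ss);
    return copy_sockaddr_checked(AF_INET6, (const struct sockaddr *)&ss,
                                 sizeof(struct sockaddr_in), out, sizeof out);
}

int demo_checked_accepts_match(void)
{
    struct sockaddr_storage ss;
    uint8_t out[sizeof(struct sockaddr_in6)];
    make_v4_sample(&ss);
    return copy_sockaddr_checked(AF_INET, (const struct sockaddr *)&ss,
                                 sizeof(struct sockaddr_in), out, sizeof out);
}
```

In a real code base the over-read would land on whatever follows the smaller structure, which is why the advisory lists information disclosure and instability as outcomes; the fixed copy makes the source's own sa_family the authority, and the fixed cookie check compares for equality explicitly rather than relying on the truthiness of memcmp()'s return value.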
Organizations using OpenVPN on the stable 2.6 branch should upgrade to version 2.6.17. Those using the development 2.7 branch should update to version 2.7_rc3, which includes fixes for all three vulnerabilities.