CVE-2026-35058

UNKNOWN 0.0

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

CWE	CWE-617
Vendor	openvpn
Product	openvpn
Published	Jun 8, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for openvpn openvpn

Be the first to know when new unknown vulnerabilities affecting openvpn openvpn are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

OpenVPN / OpenVPN

2.6.0 ≤ 2.6.19 2.7_alpha1 ≤ 2.7.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

community.openvpn.net: https://community.openvpn.net/Security%20Announcements/CVE-2026-35058 community.openvpn.net: https://community.openvpn.net/ReleaseHistory#openvpn-272-released-22-april-2026 community.openvpn.net: https://community.openvpn.net/ReleaseHistory#openvpn-2620-released-22-april-2026 talosintelligence.com: https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2381