The OpenVPN community project team is proud to release OpenVPN 2.6.21.
This is a bugfix release fixing several security issues.
Security fixes:
* Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed
sequence of control channel +
authentication packets (CVE-2026-12996)
Bug found by multiple researchers:
* 章鱼哥 (www.aipyaipy.com)
* Haiyang Huang
* Haruki Oyama (Waseda University)
* Fix use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence
of dynamic tls-crypt
control-channel packets (CVE-2026-13117)
Bug found by multiple researchers:
* Trace37 Labs (github.com/trace37labs)
* Haiyang Huang
* Fix server crash on reception of suitably malformed auth-token, if
--auth-gen-token external-auth is
active (CVE-2026-13122)
Bug found by Haiyang Huang.
* Fix memory-leak in tls-crypt-v2 client key handling that could lead to
out-of-memory situations and
subsequent server crashes (CVE-2026-12932)
Bug found by Valton Tahiri.
* Fix possible 1-byte buffer overrun on NTLMv2 proxy responses. (CVE-2026-11771)
Bug found by Tristan Madani (@TristanInSec).
* Fix another memory leak on reception of suitable tls-crypt-v2 packets that
could lead to an out of memory
situation and server crash (CVE-2026-13698)
Bug found by Max Fillinger. Overlaps with a report from Valton Tahiri that we
believe to be fixed by this
bugfix as well.
Bugfixes:
* Windows: fix plugin trusted-dir check prefix bypass (this fixes a bug in the
path checking logic we do on
Windows for "is loading a plugin from this path allowed?", but since we could
not find a way to exploit
this unless starting with admin privs or a social engineering attack, not
classified as a security fix)
* options: fix use-after-free of DNS options on client connect (using suitable
--dns or --dhcp-option DNS
options in a server config - not pushed, but applying to the server itself -
triggers a double free() and
use-after-free condition, possibly crashing the server) (Github:
OpenVPN/openvpn#1060)
* Null-terminate tls-crypt client keys when testing - non-exploitable strlen()
on a buffer that is not
null-terminated
* Ensure pushed tun-mtu is no lower than TUN_MTU_MIN - this fixes a bug where a
server can push a suitable
combination of options and make the client ASSERT().
(Reported as security issue by Haiyang Huang, but it was decided that the
server always has means to make
the client "not function properly", and it can not be exploited beyond that)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/v2.6.21/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://community.openvpn.net/Downloads>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the
various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
--
Frank Lichtenheld
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users