CVE-2026-13698

Summary

A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service

Affected Software

VendorProductVersion RangeStatus
OpenVPNOpenVPN2.5.0 <= 2.5.11affected
OpenVPNOpenVPN2.6.0 <= 2.6.20affected
OpenVPNOpenVPN2.7_alpha1 <= 2.7.4affected

Weaknesses

  • CWE-401: CWE-401 Missing release of memory after effective lifetime
  • CWE-770: CWE-770 Allocation of resources without limits or throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References