CVE-2026-40215
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
A race condition in OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.
Risk Assessment
The organization may be exposed to server crashes and potential data leaks, which could lead to loss of confidentiality and availability of services.
Recommendation
It is recommended to update OpenVPN to the latest version to mitigate this vulnerability and to monitor server logs for potential attack attempts.
Original NVD description (English source)
A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion.

