Home / mailings [USN-8540-1] OpenVPN vulnerabilities
Posted on 14 July 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8540-1
July 14, 2026
openvpn vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in OpenVPN.
Software Description:
- openvpn: virtual private network software
Details:
It was discovered that OpenVPN had a 1-byte buffer overrun when handling
NTLMv2 proxy responses. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771)
It was discovered that OpenVPN incorrectly handled metadata when extracting
tls-crypt-v2 client keys. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-12932)
It was discovered that OpenVPN had a use-after-free in the ack_write_buf
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-12996)
It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13117)
It was discovered that OpenVPN incorrectly validated authentication tokens
when external authentication was enabled. A remote attacker could possibly
use this issue to cause OpenVPN to crash, resulting in a denial of service.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.
(CVE-2026-13122)
It was discovered that OpenVPN had a memory leak when handling tls-crypt-v2
client keys. A remote attacker with a valid tls-crypt-v2 client key could
possibly use this issue to cause OpenVPN to consume excessive resources,
leading to a denial of service. (CVE-2026-13698)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
openvpn 2.7.0-1ubuntu1.2
Ubuntu 24.04 LTS
openvpn 2.6.19-0ubuntu0.24.04.3
Ubuntu 22.04 LTS
openvpn 2.5.11-0ubuntu0.22.04.4
After a standard system update you need to restart OpenVPN to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8540-1
CVE-2026-11771, CVE-2026-12932, CVE-2026-12996, CVE-2026-13117,
CVE-2026-13122, CVE-2026-13698
Package Information:
https://launchpad.net/ubuntu/+source/openvpn/2.7.0-1ubuntu1.2
https://launchpad.net/ubuntu/+source/openvpn/2.6.19-0ubuntu0.24.04.3
https://launchpad.net/ubuntu/+source/openvpn/2.5.11-0ubuntu0.22.04.4
--===============8792550401344261405==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
