PatchSiren cyber security CVE debrief
CVE-2026-11604 OpenVPN CVE debrief
CVE-2026-11604 is a medium-severity vulnerability in OpenVPN ovpn-dco-win versions 2.0.0 through 2.8.3. An incorrect buffer size calculation in the epoch key generator allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service). The CVSS score for this vulnerability is 5.6, indicating a medium severity level.
- Vendor: OpenVPN
- Product: ovpn-dco-win
- CVSS: MEDIUM 5.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of OpenVPN ovpn-dco-win versions 2.0.0 through 2.8.3 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by an incorrect buffer size calculation in the epoch key generator of OpenVPN ovpn-dco-win. This allows a remote authenticated peer to send a crafted data packet that triggers a heap-based buffer overflow and kernel memory corruption, leading to a system crash.
Defensive priority
Medium
Recommended defensive actions
- Update OpenVPN ovpn-dco-win to a release that is not in the affected range (2.0.0 through 2.8.3).
- Restrict access to the OpenVPN ovpn-dco-win service to trusted peers only, since triggering the overflow requires an authenticated peer.
Evidence notes
The CVE was published on 2026-06-10T22:16:55.643Z and last modified on 2026-06-11T15:21:30.653Z. The vendor is listed as Unknown Vendor, but evidence suggests the product is OpenVPN.
Official resources
CVE-2026-11604 was published on 2026-06-10T22:16:55.643Z and last modified on 2026-06-11T15:21:30.653Z.