PatchSiren

CVE-2026-35058 OpenVPN CVE debrief

CVE-2026-35058 is a medium-severity vulnerability (CVSS 6.9) in OpenVPN, affecting versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1. It is caused by improper validation of packet length during tls-crypt-v2 key extraction, which allows an authenticated attacker to trigger a fatal assertion with a specially crafted packet and cause a denial of service.

Vendor: OpenVPN
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-09
Advisory published: 2026-06-08
Advisory updated: 2026-06-09

Who should care

Anyone running OpenVPN versions 2.6.0 through 2.6.19 or 2.7_alpha1 through 2.7.1 is on an affected release and should take steps to mitigate this vulnerability.

Technical summary

The vulnerability is caused by improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN. This allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet.

Defensive priority

High

Recommended defensive actions

  • Update to a fixed version of OpenVPN
  • Restrict access to OpenVPN to only trusted users
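
To decide which hosts need the update, the following added example (not code from PatchSiren or the OpenVPN project) classifies `openvpn --version` banners against the two affected ranges listed on this page. The banner layout, the alpha < beta < rc < release ordering, and the host names are assumptions, and the sample banners are constructed.

```python
import re

# Affected ranges exactly as listed on this page (both ends inclusive).
AFFECTED_RANGES = [("2.6.0", "2.6.19"), ("2.7_alpha1", "2.7.1")]
# Assumption: pre-release tags sort alpha < beta < rc < final release.
STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(alpha|beta|rc)(\d+))?$")
BANNER_RE = re.compile(r"^OpenVPN\s+(\S+)", re.MULTILINE)

def version_key(version):
    """Turn '2.6.19' or '2.7_alpha1' into a tuple that sorts correctly."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised OpenVPN version: {version!r}")
    major, minor, patch, stage, stage_num = match.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE_ORDER[stage], int(stage_num or 0))

def is_affected(version):
    """True if the version falls inside a range this page lists."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)

def extract_version(banner):
    """Pull the version token from the first line of `openvpn --version`."""
    match = BANNER_RE.search(banner)
    return match.group(1) if match else None

def triage(inventory):
    """Map host -> 'affected', 'not in listed range' or 'unknown'."""
    result = {}
    for host, banner in inventory.items():
        try:
            hit = is_affected(extract_version(banner) or "")
        except ValueError:  # no banner line, or an unparsed build string
            result[host] = "unknown"
        else:
            result[host] = "affected" if hit else "not in listed range"
    return result

if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    sample = {"vpn-a": "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)]",
              "vpn-b": "OpenVPN 2.7_rc1 x86_64-pc-linux-gnu [SSL (OpenSSL)]",
              "vpn-c": "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)]",
              "vpn-d": "OpenVPN 2.7_git x86_64-pc-linux-gnu [SSL (OpenSSL)]"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A result of "not in listed range" only means the version is outside the ranges above; this page does not name a fixed release, so confirm the target version against the vendor advisory. Hosts reported as "unknown" need a manual check.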

Evidence notes

The CVE record and NVD detail pages provide additional information about this vulnerability.

Official resources

CVE-2026-35058 was published on 2026-06-08T20:17:00.497Z and modified on 2026-06-09T02:08:28.150Z.