Packages
- openvpn - virtual private network software
Details
It was discovered that OpenVPN had a 1-byte buffer overrun when handling
NTLMv2 proxy responses. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771)
It was discovered that OpenVPN incorrectly handled metadata when extracting
tls-crypt-v2 client keys. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-12932)
It was discovered that OpenVPN had a use-after-free in the ack_write_buf
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-12996)
It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg
handling. An attacker could use this issue to...
It was discovered that OpenVPN had a 1-byte buffer overrun when handling
NTLMv2 proxy responses. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771)
It was discovered that OpenVPN incorrectly handled metadata when extracting
tls-crypt-v2 client keys. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-12932)
It was discovered that OpenVPN had a use-after-free in the ack_write_buf
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-12996)
It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg
handling. An attacker could use this issue to cause OpenVPN to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13117)
It was discovered that OpenVPN incorrectly validated authentication tokens
when external authentication was enabled. A remote attacker could possibly
use this issue to cause OpenVPN to crash, resulting in a denial of service.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.
(CVE-2026-13122)
It was discovered that OpenVPN had a memory leak when handling tls-crypt-v2
client keys. A remote attacker with a valid tls-crypt-v2 client key could
possibly use this issue to cause OpenVPN to consume excessive resources,
leading to a denial of service. (CVE-2026-13698)
Update instructions
After a standard system update you need to restart OpenVPN to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 26.04 LTS resolute | openvpn – 2.7.0-1ubuntu1.2 | ||
| 24.04 LTS noble | openvpn – 2.6.19-0ubuntu0.24.04.3 | ||
| 22.04 LTS jammy | openvpn – 2.5.11-0ubuntu0.22.04.4 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.