CVE-2025-13086

Name	CVE-2025-13086
Description	Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6069-1
Debian Bugs	1121086

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openvpn (PTS)	bullseye	2.5.1-3	fixed
	bullseye (security)	2.5.1-3+deb11u2	fixed
	bookworm	2.6.3-1+deb12u3	vulnerable
	bookworm (security)	2.6.3-1+deb12u4	fixed
	trixie	2.6.14-1	vulnerable
	trixie (security)	2.6.14-1+deb13u1	fixed
	forky, sid	2.7.0~rc3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
openvpn	source	experimental	2.7.0~rc2-1
openvpn	source	bullseye	(not affected)
openvpn	source	bookworm	2.6.3-1+deb12u4	DSA-6069-1
openvpn	source	trixie	2.6.14-1+deb13u1	DSA-6069-1
openvpn	source	(unstable)	2.7.0~rc2-2		1121086

Notes

[bullseye] - openvpn <not-affected> (Vulnerable code not present)
https://community.openvpn.net/Security%20Announcements/CVE-2025-13086
Introduced with: https://github.com/OpenVPN/openvpn/commit/b364711486dc6371ad2659a5aa190941136f4f04 (v2.6_beta1)
Prerequisite: https://github.com/OpenVPN/openvpn/commit/68c01720eecc1772b3f648b9e043e396d943f632 (v2.6.15)
Fixed by: https://github.com/OpenVPN/openvpn/commit/18c483dd6031d86eb393527855734e8cd62fea19 (v2.7_rc2)
Fixed by: https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83 (v2.6.16)