DescriptionOpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openvpn (PTS)buster2.4.7-1+deb10u1fixed
bookworm, bookworm (security)2.6.3-1+deb12u2fixed
sid, trixie2.6.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openvpnsourcewheezy(not affected)
openvpnsourcejessie(not affected)


[jessie] - openvpn <not-affected> (Vulnerable code introduced later)
[wheezy] - openvpn <not-affected> (Vulnerable code introduced later) (master) (2.4.x) (2.3.x)
Introduced in: (2.4.0)
Introduced in (backported to 2.3.12):

Search for package or bug name: Reporting problems