-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello!

Two CVEs have been published for OpenVPN. These also affect OpenVPN-NL
2.5. A new 2.5 release and a 2.6 release are currently in the works.

CVE-2026-35058: A malicious user with a valid tls-crypt-v2 client key
can crash the server by sending a crafted packet.

CVE-2026-40215: A possible use-after-free read on the server if
handshake packets arrive with very specific timing.

Best regards,
Max Fillinger
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----