CVE-2025-50054

Published Jun 20, 2025

Last updated 7 months ago

CVSS medium 5.5
OpenVPN
Tunneling protocol

Overview

Description
Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash
Source
security@openvpn.net
NVD status
Analyzed
Products
ovpn-dco-win

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

security@openvpn.net
CWE-122

Social media

Hype score
Not currently trending

  1. 🚨CVE-2025-50054: Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash ZoomEye Link: https://t.co/kKf49ZjVsI https

    @DarkWebInformer

    24 Jun 2025

    7274 Impressions

    28 Retweets

    79 Likes

    20 Bookmarks

    2 Replies

    0 Quotes

  2. ⚡️The vulnerability details are now available: https://t.co/6jhTlndvG9 🚨CRITICAL OpenVPN VULN ALERT🚨CVE-2025-50054: A nasty buffer overflow in OpenVPN's Windows driver lets local users CRASH systems with a single oversized control message. DoS attack risk—local or r

    @zoomeye_team

    24 Jun 2025

    728 Impressions

    4 Retweets

    14 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  3. ⚠️⚠️ CVE-2025-50054 OpenVPN Flaw allows Local Users to Crash Windows Systems 🎯3m+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link: https://t.co/kGrppFzPuy FOFA Query:app="OPENVPN" 🔖Refer:https://t.co/uzDkNBsXw6 #OSINT #FOFA #CyberSecurity

    @fofabot

    24 Jun 2025

    1863 Impressions

    12 Retweets

    41 Likes

    13 Bookmarks

    2 Replies

    0 Quotes

  4. A flaw (CVE-2025-50054) in OpenVPN's Windows kernel driver allows unprivileged local users to crash systems. A patch is available in OpenVPN 2.7_alpha2 (test build). #OpenVPN #WindowsSecurity #DoSAttack #Vulnerability #Cybersecurity https://t.co/8PCtQRExsl

    @the_yellow_fall

    24 Jun 2025

    304 Impressions

    2 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. Wild: A newly found bug in OpenVPN for Windows (CVE-2025-50054) means even a non-admin user could potentially send your PC into a full crash by overflowing a driver buffer. Whoa. #Cybersecurity #Windows https://t.co/Vz1Zmvn88g https://t.co/7pSXoMJ0Hy

    @TweekFawkes

    23 Jun 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. OpenVPN 2.7_alpha2 launches June 19, 2025, fixing CVE-2025-50054 vulnerability that could crash Windows systems. New features include multi-socket support, TLS 1.3, and improved security on Windows. 🚀 #Security #Windows #Australia https://t.co/bGJSCQNe15

    @TweetThreatNews

    23 Jun 2025

    74 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-50054 # critical buffer overflow vulnerability in OpenVPN’s data channel: https://t.co/RGO6rYc4i9

    @cyberbivash

    22 Jun 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. פרצת אבטחה לopenvpn והתיקון שיצא מתייחס לגרסת אלפא שעוד לא יציבה ולא מיועדת לסביבת Production. התיקון מגיע בגרסת 2.7 אלפה שתיים שמתקנת את CVE-2025-50054. פרצת האבטחה משפי

    @NirRoitman

    22 Jun 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Alerta OpenVPN! Nova versão 2.7_alpha2 corrige falha crítica (CVE-2025-50054) no driver Windows que pode causar crash no sistema. Atualize já e proteja sua rede! 🛡️ #OpenVPN #Segurança #Cibersegurança https://t.co/HgV5RoLBHA

    @fernandokarl

    22 Jun 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. OpenVPNのWindows向けデータチャネルオフロードドライバーにバッファオーバーフローの脆弱性(CVE-2025-50054)が発見され、ローカル攻撃者が細工した制御メッセージを送信することでWindowsをクラッシュさせる恐

    @yousukezan

    21 Jun 2025

    600 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. CVE-2025-50054 Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer… https://t.co/Umkv12EosK

    @CVEnew

    21 Jun 2025

    331 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. ⭕ OpenVPN Driver Vulnerability Allows Attackers to Crash Windows Systems Read more: https://t.co/lEGho3SKHv Summary ======== 1. A critical OpenVPN Windows driver flaw (CVE-2025-50054) allowed local attackers to crash systems. 2. The vulnerability enabled denial-of-service

    @The_Cyber_News

    21 Jun 2025

    845 Impressions

    6 Retweets

    13 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2025-50054 Buffer Overflow in OpenVPN ovpn-dco-win Kernel Driver Enables Local System Crash https://t.co/A78BrdqFm5

    @VulmonFeeds

    20 Jun 2025

    91 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378) [ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998 [ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G W 6.19.0-rc7+ #7 PREEMPT(voluntary) [ 3959.024182] Tainted: [W]=WARN [ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3959.024199] pc : alloc_tag_add+0x128/0x178 [ 3959.024207] lr : alloc_tag_add+0x128/0x178 [ 3959.024214] sp : ffff80008b696d60 [ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240 [ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860 [ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0 [ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000 [ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293 [ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000 [ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001 [ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838 [ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640 [ 3959.024340] Call trace: [ 3959.024346] alloc_tag_add+0x128/0x178 (P) [ 3959.024355] __alloc_tagging_slab_alloc_hook+0x11c/0x1a8 [ 3959.024362] kmem_cache_alloc_lru_noprof+0x1b8/0x5e8 [ 3959.024369] xas_alloc+0x304/0x4f0 [ 3959.024381] xas_create+0x1e0/0x4a0 [ 3959.024388] xas_store+0x68/0xda8 [ 3959.024395] __filemap_add_folio+0x5b0/0xbd8 [ 3959.024409] filemap_add_folio+0x16c/0x7e0 [ 3959.024416] __filemap_get_folio_mpol+0x2dc/0x9e8 [ 3959.024424] iomap_get_folio+0xfc/0x180 [ 3959.024435] __iomap_get_folio+0x2f8/0x4b8 [ 3959.024441] iomap_write_begin+0x198/0xc18 [ 3959.024448] iomap_write_iter+0x2ec/0x8f8 [ 3959.024454] iomap_file_buffered_write+0x19c/0x290 [ 3959.024461] blkdev_write_iter+0x38c/0x978 [ 3959.024470] vfs_write+0x4d4/0x928 [ 3959.024482] ksys_write+0xfc/0x1f8 [ 3959.024489] __arm64_sys_write+0x74/0xb0 [ 3959.024496] invoke_syscall+0xd4/0x258 [ 3959.024507] el0_svc_common.constprop.0+0xb4/0x240 [ 3959.024514] do_el0_svc+0x48/0x68 [ 3959.024520] el0_svc+0x40/0xf8 [ 3959.024526] el0t_64_sync_handler+0xa0/0xe8 [ 3959.024533] el0t_64_sync+0x1ac/0x1b0 [ 3959.024540] ---[ end trace 0000000000000000 ]--- When __memcg_slab_post_alloc_hook() fails, there are two different free paths depending on whether size == 1 or size != 1. In the kmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook(). However, in memcg_alloc_abort_single() we don't, the above warning will be triggered on the next allocation. Therefore, add alloc_tagging_slab_free_hook() to the memcg_alloc_abort_single() path.CVE-2026-23219
  2. Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of serviceCVE-2025-15497
  3. TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115.CVE-2026-24904
  4. Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating clientCVE-2025-13086
  5. Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.CVE-2025-13751

References

Sources include official advisories and independent security research.