OpenVPN 2.5.0-2.5.11/2.6.0-2.6.20/2.7.0-2.7.4 memory leak permits DoS
CVE-2026-13698 Published on July 6, 2026
A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
Weakness Types
What is a Memory Leak Vulnerability?
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
CVE-2026-13698 has been classified to as a Memory Leak vulnerability or weakness.
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-13698
Want to know whenever a new CVE is published for OpenVPN? stack.watch will email you.
Affected Versions
OpenVPN:- Version 2.5.0, <= 2.5.11 is affected.
- Version 2.6.0, <= 2.6.20 is affected.
- Version 2.7_alpha1, <= 2.7.4 is affected.