CVE-2025-12106
Published: 01 December 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-12106 is a vulnerability caused by insufficient argument validation in OpenVPN versions 2.7_alpha1 through 2.7_rc1. The flaw enables an attacker to trigger a heap buffer over-read during IP address parsing. Published on 2025-12-01, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-126 (Buffer Over-read).
The vulnerability can be exploited by a remote, unauthenticated attacker over the network with low complexity and no user interaction required. Exploitation leads to high confidentiality impact, potentially allowing sensitive data exposure from heap memory, and high availability impact, such as server crashes or denial of service.
Mitigation details are provided in advisories from the OpenVPN community at https://community.openvpn.net/Security%20Announcements/CVE-2025-12106 and the mailing list announcement at https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables remote unauthenticated exploitation of OpenVPN (public-facing remote service) for heap over-read (info disclosure) and DoS via application crash.