CVE-2018-9336

NONE EPSS 44.6%
Published May 1, 2018 8y ago · Modified Jun 17, 2026 2w ago

Description

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.

Threat Intelligence

EPSS Exploit Probability
44.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-415

Affected Products 6

Vendor     Product          Version  Range
openvpn    openvpn          *        ≥2.4.0 – <2.4.6
slackware  slackware_linux  13.0     any
slackware  slackware_linux  13.1     any
slackware  slackware_linux  13.37    any
slackware  slackware_linux  14.0     any
slackware  slackware_linux  14.1     any

References 5

  • slackware.com http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.568761
    Mailing List, Third Party Advisory
  • community.openvpn.net https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
    Release Notes, Vendor Advisory
  • github.com https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b
    Patch, Third Party Advisory
  • github.com https://github.com/OpenVPN/openvpn/releases/tag/v2.4.6
    Release Notes, Third Party Advisory
  • tenable.com https://www.tenable.com/security/research/tra-2018-09
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b
    Patch, Third Party Advisory