From patchwork Sun Apr 26 15:42:31 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4909
Date: Sun, 26 Apr 2026 17:42:31 +0200
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] non-public patches in recent releases (CVEs)

Hi,

unlike normal "patch on the list (directly or via gerrit), ACK/+2 in
public, commit + merge info on the list", patches that carry a CVE tag
are handled privately.  Whether or not this is always necessary could
certainly be debated, but however, in the last releases (2.7.2, 2.6.20,
and master) we had two of them.

To enable verification that the source has what was discussed and
approved, I'll attach the patches plus the relevant commit IDs.

commit 64fae9d82989ede6c92e230c594ab9335c05df8d (master)
commit 4a2c827c2536aa03a1d6c7cc916689a46c067187 (release/2.7)
commit 4472265ea2d18b88bb5f59fb30d4067a0323aff5 (release/2.6)
Author: Arne Schwabe
Date:   Fri Apr 10 16:59:53 2026 +0200

    Ensure that buffer of freed session are not used

    CVE: 2026-40215

commit fa129d7153f7292f7b6f7341601ae97d5c47e36e (master)
commit 607e2fcb9cbcff785abfa372c7a59029767b5ed9 (release/2.7)
commit 0dc820fe1d0de369d101702151fa06fff0eb360c (release/2.6)
Author: Steffan Karger
Date:   Sun Apr 12 13:37:56 2026 +0200

    tls-crypt-v2: Avoid interpreting opcode as part of WKc

    CVE: 2026-35058

Details in the commit logs, and on the web

  https://community.openvpn.net/Security%20Announcements/CVE-2026-40215
  https://community.openvpn.net/Security%20Announcements/CVE-2026-35058

both are not of the "the world will end" category, but the ASSERT() one
is nasty as you can make a remote server stop itself *iff* tls-crypt-v2
is used, and you can create a sufficiently-malformed packet, signed
with a valid tls-crypt-v2 client key.

So, you should see that you upgrade *your servers*.  Clients are not
affected.

gert

From 64fae9d82989ede6c92e230c594ab9335c05df8d Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Fri, 10 Apr 2026 16:59:53 +0200
Subject: [PATCH 2/2] Ensure that buffer of freed session are not used

In a race condition an old TLS session could still try to send a packet but
also get replaced by a new session. In this case, the buffer of the new
session is still referenced. Add the check_session_buf_not_used function
to mitigate this problem.

Also make the check if the to_link pointer is in one of the memory regions
a bit better even though this not make a difference with the way we use
these structs. But better safe than sorry.

A better solution to remove the TM_INITIAL state and handle reconnecting
session in their own complete tls_multi is a more involved fix that
requires a lot more refactoring.

CVE: 2026-40215
Reported-By: XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com)
Reported-By: Guannan Wang (wgnbuaa@gmail.com
Reported-By: Zhanpeng Liu (pkugenuine@gmail.com)
Reported-By: Guancheng Li (lgcpku@gmail.com)
Signed-off-by: Arne Schwabe
Change-Id: I7c5fa2a7a2563b7a8955d386411f3ceffe5b092f
Private-URL: https://github.com/OpenVPN/openvpn-private-issues/issues/112
Acked-by: Gert Doering
Signed-off-by: Gert Doering
---
 src/openvpn/ssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 5868d531..d332359c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3290,6 +3290,7 @@ tls_multi_process(struct tls_multi *multi, struct buffer *to_link, if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS && !multi->opt.single_session) { + check_session_buf_not_used(to_link, session); move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true); } else 
@@ -3363,6 +3364,7 @@ tls_multi_process(struct tls_multi *multi, struct buffer *to_link, */ if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY])) { + check_session_buf_not_used(to_link, &multi->session[TM_ACTIVE]); move_session(multi, TM_ACTIVE, TM_INITIAL, true); tas = tls_authentication_status(multi); msg(D_TLS_DEBUG_LOW, -- 2.53.0
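
Review bot: In the first hunk (the i == TM_ACTIVE branch at -3290) it is not evident from the call site which slot's buffers to_link must not point into. The new call passes `session`, followed by move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true), while the second hunk passes &multi->session[TM_ACTIVE] ahead of move_session(multi, TM_ACTIVE, TM_INITIAL, true), so the checked slot appears as the last slot argument of the move in one place and the first in the other. A one-line comment above each call naming the slot that is about to be released or reinitialised, or spelling the argument as &multi->session[...] in both places, would let the two sites be checked against each other.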
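
Review bot: In the second hunk (the TLS_AUTHENTICATED branch at -3363) the result of check_session_buf_not_used() is not used, and the call site does not say what happens when to_link does reference the session. The commit message describes a race in which an old session is replaced by a new one, so the outcome matters: a comment should state whether the pending packet is dropped or the process stops. The definition is also not part of this diff; the diffstat shows two insertions in ssl.c, both calls, although the message says the function is added and the subject is [PATCH 2/2]. Please name the commit that carries the definition so the attached patch can be verified against the listed commit IDs.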