CVE-2023-46850

Publication date 15 November 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

Read the notes from the security team

Status

Package Ubuntu Release Status
openvpn 23.10 mantic
Fixed 2.6.5-0ubuntu1.1
23.04 lunar
Fixed 2.6.1-1ubuntu1.1
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes


mdeslaur

2.6.0+ only

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
openvpn

Severity score breakdown

Parameter Value
Base score 9.8 · Critical
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H