Main Vulnerability Database Vulnerabilities #VU82951

Use-after-free in OpenVPN for Windows - CVE-2023-46850

Published: November 10, 2023

Vulnerability identifier: #VU82951

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-46850

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenVPN

Affected software:
OpenVPN for Windows

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to openvpn incorrectly uses a send buffer after it has been freed. Under certain circumstances the freed memory can be sent to the client peer, resulting in information disclosure. The vulnerability affects TLS configuration.

How to mitigate CVE-2023-46850

Install updates from vendor's website.

Sources

https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst

Use-after-free in OpenVPN for Windows - CVE-2023-46850

Detailed vulnerability description

How to mitigate CVE-2023-46850

Sources

Please verify you're human