CVE-2025-15497

Publication date 30 January 2026

Last updated 4 February 2026

Ubuntu priority

Description

Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openvpn	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

introduced in 2.7_alpha1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openvpn	Upstream: e0e0720

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-15497
https://community.openvpn.net/Security%20Announcements/CVE-2025-15497