OpenVPN 2.7.2 Fixes Two Security Flaws and Improves Password Handling

OpenVPN, a widely adopted user-space VPN daemon that creates encrypted tunnels over IP networks, has released v2.7.2 as the second maintenance update to the 2.7 series.
The release fixes two CVEs. The first, CVE-2026-40215, addresses a race condition in the TLS handshake that could expose packet data from a previous handshake under specific conditions. The second, CVE-2026-35058, fixes a server-side ASSERT() triggered by a malformed packet carrying a valid tls-crypt-v2 key.
Beyond the security fixes, the main new feature is support in the management interface for very long passwords entered in base64-encoded multiline format. OpenVPN signals this capability to management clients through “management version 6.” The release also improves error messages for --verify-x509-name failures and clarifies logging when overlong usernames or passwords cannot be written to the TLS buffer.
Several bug fixes are included, too. OpenVPN now correctly prompts for a password from the management interface when a configuration file contains an inlined username but no password. On Windows, the release fixes DNSSEC flag handling: the flag was never applied because of a comparison bug that always evaluated to false. It also corrects the deinstallation progress bar behavior during adapter deletion.
This release has no major Linux-specific feature additions, but community-maintained packages remain available through the project’s documented package channels.
For more details, see the changelog.