CVE-2018-9336: Double Free
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.
Frequently Asked Questions
What is CVE-2018-9336?
CVE-2018-9336 is a vulnerability in OpenVPN 2.4.x before 2.4.6 that allows a local attacker to cause a double-free of memory, potentially leading to denial-of-service or other impacts.
How severe is CVE-2018-9336?
CVE-2018-9336 has a severity rating of 7.8 (High).
Which software versions are affected by CVE-2018-9336?
OpenVPN 2.4.x before 2.4.6 and Slackware Linux versions 13.0, 13.1, 13.37, 14.0, and 14.1 are affected by CVE-2018-9336.
How can CVE-2018-9336 be fixed?
To fix CVE-2018-9336, users should upgrade to OpenVPN version 2.4.6 or later.
Where can I find more information about CVE-2018-9336?
More information about CVE-2018-9336 can be found at the following references: Slackware Security Advisory, OpenVPN Wiki, and OpenVPN GitHub commit.