OpenVPN Bug Lets Attackers Crash Windows Systems
A critical OpenVPN bug lets attackers crash Windows systems by exploiting a buffer overflow flaw in the ovpn-dco-win driver. The vulnerability, tracked as CVE-2025-50054, affects driver versions up to 1.3.0 and OpenVPN versions through 2.5.8. Unprivileged local users can trigger system crashes by sending oversized control message buffers to the driver.
Security researchers confirmed that the bug lets attackers trigger a heap-based buffer overflow, leading to a denial-of-service condition. While the flaw doesn’t compromise data integrity or confidentiality, it disrupts system availability.
The OpenVPN team issued version 2.7_alpha2, which patches this vulnerability and introduces multiple improvements. The ovpn-dco-win driver, now the default, processes VPN traffic in the Windows kernel to boost performance. OpenVPN also removed support for the wintun driver in this release.
Until stable updates become available, experts advise administrators to restrict local driver access. Users can download patched alpha builds for Windows in multiple formats.
