{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.265Z", "datePublished": "2026-04-07T16:52:08.172Z", "dateUpdated": "2026-04-07T17:27:16.498Z"}, "containers": {"cna": {"title": "Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h"}], "affected": [{"vendor": "SoftEtherVPN", "product": "SoftEtherVPN", "versions": [{"version": "<= 5.2.5188", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:52:08.172Z"}, "descriptions": [{"lang": "en", "value": "SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions."}], "source": {"advisory": "GHSA-q5g3-qhc6-pr3h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T17:27:13.530375Z", "id": "CVE-2026-39312", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:27:16.498Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39312", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T17:27:13.530375Z"}}}], "references": [{"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:27:08.391Z"}}], "cna": {"title": "Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition", "source": {"advisory": "GHSA-q5g3-qhc6-pr3h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "SoftEtherVPN", "product": "SoftEtherVPN", "versions": [{"status": "affected", "version": "<= 5.2.5188"}]}], "references": [{"url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h", "name": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:52:08.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39312", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:27:16.498Z", "dateReserved": "2026-04-06T19:31:07.265Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:52:08.172Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions."}], "id": "CVE-2026-39312", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:36.920", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.5188]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SoftEtherVPN", "source": "cna", "vendor": "SoftEtherVPN"}, "product": "softethervpn", "vendor": "softethervpn"}], "analysis": {"en": {"generated_at": "2026-04-07T22:05:50.675150+00:00", "value": {"mitigation_remediation": ["Upgrade SoftEther VPN Developer Edition to a version newer than 5.2.5188 where the issue is fixed.", "If a newer version is unavailable, disable the L2TP protocol or block UDP port 1701 to prevent the attack vector.", "After applying a patch or disabling L2TP, restart the vpnserver process to ensure the changes take effect.", "Monitor VPN logs for any attempts to send malformed EAP-TLS packets and verify that the service remains stable."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "SoftEther VPN Developer Edition versions 5.2.5188 and earlier are affected.", "description_and_impact": "A malformed EAP\u2011TLS packet sent over raw L2TP/UDP port 1701 can crash the SoftEther vpnserver process before any authentication occurs, terminating all active VPN sessions and disrupting service availability for all users.", "risk_and_exploitability": "The vulnerability scores a CVSS v3.1 of 7.5, indicating high severity. An attacker only needs remote network access to deliver a crafted packet; no credentials are required. While an EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, the combination of an unauthenticated remote trigger and the potential to deny service across an entire VPN infrastructure makes it a significant risk to availability."}}}}, "created": "2026-04-08T19:36:33.863664+00:00", "updated": "2026-04-08T19:47:36.748014+00:00", "vendors": ["softethervpn", "softethervpn$PRODUCT$softethervpn"]}