Cyber Resilience

CVE-2026-39312

HighPublic PoC

Published: 07 April 2026

Published
07 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0039 60.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39312 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Softether Softethervpn. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 39.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-39312 is a pre-authentication denial-of-service vulnerability affecting SoftEther VPN Developer Edition version 5.2.5188 and likely earlier versions of the Developer Edition. SoftEtherVPN is an open-source cross-platform multi-protocol VPN program. The flaw resides in the vpnserver process, which can be crashed by processing a malformed EAP-TLS packet sent over raw L2TP on UDP port 1701.

An unauthenticated remote attacker can exploit this vulnerability by transmitting a single malformed EAP-TLS packet, resulting in the vpnserver process termination and disruption of all active VPN sessions. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, low attack complexity, no privileges or user interaction required, and high availability impact with no confidentiality or integrity effects. It maps to CWE-789.

Mitigation details are available in the SoftEtherVPN security advisory published on GitHub at https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h.

EU & UK References

Vulnerability details

SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process…

more

by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote unauthenticated crash of vpnserver process via malformed packet, directly mapping to Endpoint Denial of Service through Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20048Shared CWE-789
CVE-2026-44375Shared CWE-789
CVE-2026-22026Shared CWE-789
CVE-2025-30211Shared CWE-789
CVE-2026-33524Shared CWE-789
CVE-2026-9538Shared CWE-789
CVE-2026-28253Shared CWE-789
CVE-2026-24158Shared CWE-789
CVE-2026-8485Shared CWE-789
CVE-2024-52791Shared CWE-789

Affected Assets

softether
softethervpn
≤ 5.2.5188

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates this CVE by applying patches to SoftEther VPN Developer Edition to fix the vpnserver crash from malformed EAP-TLS packets over L2TP.

prevent

Denial-of-service protection implements rate limiting and traffic filtering on UDP/1701 to block malformed packets that crash the vpnserver process.

prevent

Information input validation ensures the vpnserver rejects malformed EAP-TLS packets before processing, preventing the pre-authentication crash.

References