OpenVPN Race Condition Remediation

At the end of April, OpenVPN announced CVE-2026-40215, a race condition vulnerability in the TLS handshake process that could lead to packet data leakage from a previous handshake under specific circumstances. This vulnerability affects OpenVPN versions 2.6.0 through 2.6.19. pfSense Plus version 26.03 shipped with OpenVPN version 2.6.16, which contains this vulnerability.

To address this issue, Netgate has released OpenVPN version 2.6.20 to pfSense Plus repositories. Follow the steps below to update your OpenVPN installation.

Update Instructions
Option 1: SSH or Console

- Log in to your pfSense Plus instance using the root account
- Select option 8 from the menu to open a shell
- Execute the following command:
  pkg upgrade -y
- Once the upgrade completes, log in to the webGUI and navigate to Status > Services
- Click the Restart button for each running OpenVPN instance

Option 2: WebGUI

- Log in to your pfSense Plus instance using the root account
- Navigate to Diagnostics > Command Prompt
- Enter the following command:
  pkg upgrade -y
- Once the upgrade completes, navigate to Status > Services
- Click the Restart button for each running OpenVPN instance

Verification
After completing these steps, your pfSense Plus instance will be patched against CVE-2026-40215. No further action is required.
Note: If you have not yet installed or upgraded to pfSense Plus version 26.03, this patch will be automatically included when you install or upgrade.
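A check you can run on the firewall before and after the upgrade, added here as an example and not Netgate's or OpenVPN's own code: it reads the version from the first line of `openvpn --version`, flags the 2.6.0 through 2.6.19 range named above, and reminds you that instances started before the upgrade still need the restart step. The sample version line is constructed.

```shell
#!/bin/sh
# Added example, not Netgate's or OpenVPN's own code: decide whether an
# installed OpenVPN build falls in the range this advisory names,
# 2.6.0 through 2.6.19, from the first line of `openvpn --version`.

# Pull "X.Y.Z" out of `openvpn --version` output (first line only).
openvpn_version_from_output() {
    printf '%s\n' "$1" |
        sed -n '1s/^OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the version is in the affected range 2.6.0-2.6.19, 1 otherwise.
# Anything that is not exactly three numeric components is treated as unknown
# (exit 1) rather than guessed at.
openvpn_is_affected() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for n in "$1" "$2" "$3"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -eq 2 ] && [ "$2" -eq 6 ] && [ "$3" -le 19 ]
}

# Run on the firewall itself: report the installed binary and the next step.
# Instances started before the upgrade keep running the old code until they
# are restarted, so a good version here does not by itself mean remediated.
check_installed_openvpn() {
    out=$(openvpn --version 2>/dev/null || true)
    [ -n "$out" ] || { echo "openvpn binary not found"; return 2; }
    ver=$(openvpn_version_from_output "$out")
    if openvpn_is_affected "$ver"; then
        echo "OpenVPN $ver is affected: run 'pkg upgrade -y', then restart each OpenVPN instance"
        return 1
    fi
    echo "OpenVPN $ver is outside the affected range: restart any instance started before the upgrade"
    return 0
}

# Constructed sample output, in the shape of the real first line.
SAMPLE='OpenVPN 2.6.20 amd64-portbld-freebsd [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]'

if [ "${1:-}" = "--check" ]; then
    check_installed_openvpn
fi
```

Run it with `--check` on the box; the exit status is 1 while the affected build is installed and 0 once 2.6.20 or later is in place.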
-
@pfGeorge my pfSense+ boxes are updated, any chance to fix this also for 2.8.1?
-
Thanks for the clear write-up and step-by-step instructions. Updates like this are easy to miss in smaller environments, so having the exact commands and restart steps laid out for patching OpenVPN on pfSense Plus really helps avoid unnecessary risk.
-
@pfGeorge any update for 2.8.1?
-
This is available in the 2.8.1 repo now.
-
@stephenw10 yes, I can confirm that, thank you.
Installed packages to be UPGRADED:
	openvpn: 2.6.16 -> 2.6.20 [pfSense]
Installed packages to be REINSTALLED:
	pfSense-pkg-openvpn-client-export-1.9.13 [pfSense]
-
@stephenw10 Yep. You can also check it via Diagnostics > Command Prompt by executing:
openvpn --version
The output should show version 2.6.20 or higher.
If not, you can run pkg upgrade -y openvpn
Several of my pfSense 2.8.1 instances already updated themselves. I had to manually update one.
-
@Darkk said in OpenVPN Race Condition Remediation:
Several of my pfsense 2.8.1 instances already updated themselves.
Reinstalling openvpn-client-export also updates it.