Resolution: Won’t Fix
The fix is not available upstream and is unlikely ever to be provided.
This is not a backdoor or vulnerability that allows attackers to gain root or execute code in the kernel.
- At worst, it may allow an attacker to fingerprint that an OpenVPN service is running and discover its endpoints.
- This could help facilitate DDoS or brute-force attempts, but it does not impact kernel memory safety.
Why the CVSS Score Looks Inflated
- The CVSS calculator assumes confidentiality, integrity, and availability impacts are “High” for any network-level information leak. That automatically inflates the score to 9.8 Critical, even though the practical effect is limited to reconnaissance.
Some distribution security teams (e.g. Ubuntu) have therefore assigned it a Medium priority instead.