CVE-2025-40087

Resolution: Won’t Fix
The fix is not available upstream and is unlikely ever to be provided.

This is not a backdoor or vulnerability that allows attackers to gain root or execute code in the kernel.

• At worst, it may allow an attacker to fingerprint that an OpenVPN service is running and discover its endpoints.
• This could help facilitate DDoS or brute-force attempts, but it does not impact kernel memory safety.

Why the CVSS Score Looks Inflated

• The CVSS calculator assumes confidentiality, integrity, and availability impacts are “High” for any network-level information leak. That automatically inflates the score to 9.8 Critical, even though the practical effect is limited to reconnaissance.

Some distribution security teams (e.g. Ubuntu) have therefore assigned it a Medium priority instead.