Description
SoftEtherVPN is an open-source, cross-platform, multi-protocol VPN program. Versions 5.02.5184 to 5.02.5187 are vulnerable to a NULL pointer dereference in `DeleteIPv6DefaultRouterInRA`, which is called by `StorePacket`. `DeleteIPv6DefaultRouterInRA` does not check whether `ParsePacket` returned NULL before dereferencing the result, so the program crashes. A patched version does not exist at this time.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-xw53-587j-mqh6
Various Sources x_refsource_misc
https://github.com/SoftEtherVPN/SoftEtherVPN/blob/7006539732c0231d7723623cc8732f94ba2b8c54/src/Cedar/Hub.c#L5112C1-L5116C29
Various Sources x_refsource_misc
https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/src/Mayaqua/TcpIp.c#L1633
Scores
CVSS v3: 3.1
EPSS: 0.0017
EPSS Percentile: 37.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-476
Status: published
Products (1)
SoftEtherVPN/SoftEtherVPN: >= 5.02.5184, <= 5.02.5187
Published: Apr 16, 2025
Tracked Since: Feb 18, 2026