CVE-2023-35838 Overview
CVE-2023-35838 affects the WireGuard client version 0.5.3 on Windows. The client configures the operating system and firewall in a way that blocks traffic to local networks using non-RFC1918 IP addresses. An adjacent network attacker can abuse this misconfiguration to selectively block VPN-tunneled traffic to chosen IP addresses and services while the VPN remains active. The issue is part of the broader TunnelCrack Security Analysis research, which uses this CVE ID to refer generally to the "LocalNet attack resulting in the blocking of traffic." The weakness is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
Critical Impact
An adjacent attacker on the victim's local network can cause selective denial of service for specific destination IPs while the WireGuard tunnel is active.
Affected Products
- WireGuard for Windows 0.5.3
- Microsoft Windows (all supported versions running the affected client)
- Environments where users connect to untrusted local networks using WireGuard
Discovery Timeline
- 2023-08-09 - CVE-2023-35838 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35838
Vulnerability Analysis
The WireGuard Windows client applies firewall and routing rules intended to prevent local network traffic from leaking outside the VPN tunnel. The implementation assumes local networks use RFC1918 private address ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. When an attacker-controlled Wi-Fi or wired network advertises a non-RFC1918 subnet, the client's rules cause matching traffic to be blocked rather than routed correctly through the tunnel.
The result is targeted availability loss. An adversary connected to the same access network as the victim can force specific destination addresses or services to become unreachable, even with the VPN reportedly active and connected. Confidentiality and integrity of tunneled data are not affected by this specific CVE.
Root Cause
The root cause is insecure default configuration of the host firewall and routing policy. The client trusts router-supplied network parameters when constructing local-network exception rules. Because non-RFC1918 ranges are treated as legitimate local networks, malicious DHCP or router advertisements can manipulate the firewall scope. This maps to CWE-610, where a resource reference is controlled by an external entity.
Attack Vector
Exploitation requires adjacent network access and minimal user interaction, typically the victim connecting to a hostile network. The attacker operates a rogue access point or DHCP server that assigns a non-RFC1918 subnet covering the target IP addresses. The WireGuard client installs firewall rules that block traffic to that subnet, achieving the LocalNet effect. Full technical detail is published in the TunnelCrack Security Analysis. Related vendor guidance is available in the SonicWall Vulnerability Advisory SNWLID-2023-0015.
Detection Methods for CVE-2023-35838
Indicators of Compromise
- DHCP leases on client systems assigning non-RFC1918 subnets such as public IP ranges to a local interface.
- Windows Filtering Platform (WFP) rules added by WireGuard that scope to attacker-controlled non-private CIDR blocks.
- Sudden unreachability of specific public destinations only while the WireGuard tunnel is up.
Detection Strategies
- Inspect endpoint network configuration for adapter subnets outside RFC1918 ranges when connected to untrusted Wi-Fi.
- Correlate VPN connection events with DHCP option logs and routing table changes on Windows hosts.
- Compare expected destination reachability before and after VPN establishment to flag selective traffic blocking.
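The first and third strategies above can be automated on collected endpoint telemetry. The following Python is an added example (not code from the page, the TunnelCrack authors or the WireGuard project) that flags DHCP-assigned adapter subnets outside RFC1918 and, for each flagged subnet, reports which destinations that became unreachable after the tunnel came up fall inside it, which is exactly the pattern the LocalNet blocking produces. The lease records and destination list are constructed sample data.

```python
import ipaddress

# RFC1918 ranges the affected client assumes every local network uses.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample telemetry (not real leases): adapter, DHCP-assigned
# address with prefix length, and the SSID the host was joined to.
LEASES = [
    {"adapter": "Wi-Fi", "cidr": "192.168.4.23/24", "ssid": "office-corp"},
    {"adapter": "Wi-Fi", "cidr": "203.0.113.77/24", "ssid": "free-airport-wifi"},
    {"adapter": "Ethernet", "cidr": "10.10.7.5/16", "ssid": ""},
]

# Constructed list of tunneled destinations reported unreachable while the
# VPN was up (TEST-NET addresses used as placeholders).
UNREACHABLE = ["203.0.113.10", "203.0.113.200", "198.51.100.5"]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when the whole subnet lies inside one RFC1918 range."""
    return any(net.subnet_of(private) for private in RFC1918)


def suspicious_leases(leases):
    """Leases whose DHCP-assigned subnet is outside RFC1918 (indicator 1)."""
    flagged = []
    for lease in leases:
        net = ipaddress.ip_interface(lease["cidr"]).network
        if not is_rfc1918(net):
            flagged.append({**lease, "network": str(net)})
    return flagged


def explained_by_lease(lease_cidr: str, destinations):
    """Destinations inside the local subnet: these would match the client's
    local-network exception instead of being tunneled, so they go dark."""
    net = ipaddress.ip_interface(lease_cidr).network
    return [d for d in destinations if ipaddress.ip_address(d) in net]


def correlate(leases, unreachable):
    """Map each suspicious subnet to the unreachable destinations it covers."""
    return {
        lease["network"]: explained_by_lease(lease["cidr"], unreachable)
        for lease in suspicious_leases(leases)
    }


if __name__ == "__main__":
    for net, hits in correlate(LEASES, UNREACHABLE).items():
        print(f"non-RFC1918 local subnet {net} covers unreachable {hits}")
```

A subnet of 0.0.0.0/0 or another oversized prefix is flagged by the same check, since it is not contained in any RFC1918 range.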
Monitoring Recommendations
- Centralize Windows DHCP client and WFP filter events for review across mobile and remote endpoints.
- Alert on WireGuard client version 0.5.3 still deployed in the environment.
- Monitor for repeated, location-specific VPN reachability failures reported by end users.
How to Mitigate CVE-2023-35838
Immediate Actions Required
- Upgrade the WireGuard Windows client to a version newer than 0.5.3 that addresses the LocalNet attack class.
- Inventory endpoints running wireguard:wireguard 0.5.3 and prioritize remote and travel-use laptops.
- Educate users about the risks of connecting to untrusted public Wi-Fi while relying on VPN protection.
Patch Information
Review the WireGuard Official Website for the current Windows client release and changelog. Organizations using SonicWall products that bundle or reference WireGuard components should consult the SonicWall Vulnerability Advisory SNWLID-2023-0015 for fixed versions and configuration guidance.
Workarounds
- Restrict VPN use to known, trusted networks until clients are upgraded.
- Disable local network access on the VPN client where the feature is configurable.
- Enforce always-on VPN policies that drop traffic to non-tunneled destinations.
- Deploy host firewall policy that blocks adapter configurations using non-RFC1918 ranges on untrusted SSIDs.
# Configuration example: identify WireGuard 0.5.3 installations on Windows
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* `
| Where-Object { $_.DisplayName -like 'WireGuard*' -and $_.DisplayVersion -eq '0.5.3' } `
| Select-Object DisplayName, DisplayVersion, InstallLocation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.