CVE-2024-1305 Overview
CVE-2024-1305 is an integer overflow vulnerability [CWE-190] in the OpenVPN tap-windows6 driver versions 9.26 and earlier. The driver fails to properly validate the size data of incoming write operations. Attackers can exploit this flaw to overflow kernel memory buffers, resulting in a bug check or arbitrary code execution in kernel space. Because tap-windows6 runs as a Windows kernel-mode driver, successful exploitation grants ring-0 privileges on the affected host. The OpenVPN project tracks the issue in its CVE-2024-1305 advisory.
Critical Impact
Successful exploitation enables arbitrary code execution in Windows kernel space, allowing full system compromise and bypass of endpoint protection boundaries.
Affected Products
- OpenVPN tap-windows6 driver version 9.26
- OpenVPN tap-windows6 driver versions earlier than 9.26
- Windows hosts running OpenVPN community builds that bundle vulnerable tap-windows6 versions
Discovery Timeline
- 2024-07-08 - CVE-2024-1305 published to the National Vulnerability Database (NVD)
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2024-1305
Vulnerability Analysis
The tap-windows6 driver implements a virtual TAP network adapter used by OpenVPN to inject and receive Ethernet frames on Windows. The driver exposes I/O control and write interfaces that accept buffers from user mode. In affected versions, the driver does not correctly validate the size of incoming write operations before copying data into kernel buffers. The size handling triggers an integer overflow condition, after which subsequent length checks pass even though the actual buffer copy exceeds allocated memory. The result is a kernel-mode buffer overflow that corrupts adjacent memory structures.
Because the vulnerability resides in a signed kernel driver loaded at boot, exploitation provides direct kernel execution. An attacker who controls a local process, or who can route crafted frames through a network path the driver processes, can trigger the overflow. Reliable exploitation yields code execution at IRQL levels that bypass standard user-mode mitigations.
Root Cause
The root cause is an integer overflow [CWE-190] in the size validation logic for write operations. The driver computes buffer length using arithmetic that wraps around when supplied with large or crafted values, defeating the bounds check that follows. The subsequent memory copy uses the attacker-influenced length, producing an out-of-bounds write into kernel pool memory.
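The wraparound described above can be reproduced in user-mode C. This is an added illustration, not code from tap-windows6 or the OpenVPN project; HDR_LEN, BUF_CAP and the function names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; not taken from the tap-windows6 source. */
#define HDR_LEN 14u   /* bytes the handler adds to each write */
#define BUF_CAP 2048u /* capacity of the destination buffer   */

/* Flawed pattern: the 32-bit sum wraps for lengths near UINT32_MAX, so the
 * bounds check sees a small total and accepts a write that cannot fit. */
bool accepts_wrapping(uint32_t write_len)
{
    uint32_t total = (uint32_t)(write_len + HDR_LEN); /* modulo 2^32 */
    return total <= BUF_CAP;
}

/* Checked addition: refuses to produce a result when a + b would wrap. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Hardened pattern: reject on overflow first, then apply the bounds check. */
bool accepts_checked(uint32_t write_len)
{
    uint32_t total;
    return add_u32_checked(write_len, HDR_LEN, &total) && total <= BUF_CAP;
}

/* Counts lengths that the flawed check accepts but the hardened one rejects. */
size_t count_bad_accepts(const uint32_t *lens, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (accepts_wrapping(lens[i]) && !accepts_checked(lens[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed lengths: normal, boundary, and near UINT32_MAX. */
    const uint32_t lens[] = { 1500u, 2034u, 2035u, 0xFFFFFFF1u, 0xFFFFFFF2u, UINT32_MAX };
    printf("bad accepts: %lu of 6\n", (unsigned long)count_bad_accepts(lens, 6));
    return 0;
}
```

In a Windows driver, the same checked addition is available as RtlULongAdd from ntintsafe.h.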
Attack Vector
The attack vector is network-adjacent through the TAP adapter interface, with no authentication or user interaction required. An attacker triggers the flaw by sending oversized or malformed write payloads to the driver's exposed interface. The vulnerability produces either an immediate bug check (BSOD) or, with a tuned payload, arbitrary kernel code execution that can disable security agents and persist below the operating system.
No verified public proof-of-concept code is associated with this CVE. Refer to the OpenVPN community advisory and the OpenVPN users mailing list discussion for technical context.
Detection Methods for CVE-2024-1305
Indicators of Compromise
- Unexpected BugCheck events referencing tap0901.sys in the Windows System event log
- Loaded driver image tap0901.sys reporting a file version at or below 9.26
- Kernel pool corruption crash dumps where the faulting module is the TAP driver
- New or unsigned drivers loaded shortly after tap0901.sys activity, indicating possible post-exploitation persistence
Detection Strategies
- Inventory installed OpenVPN packages and query tap0901.sys file version across managed Windows endpoints
- Correlate kernel crash telemetry with TAP adapter I/O activity to surface exploitation attempts
- Hunt for processes opening handles to \\.\Global\TAP device names followed by abnormal write sizes
Monitoring Recommendations
- Forward Windows kernel crash dumps and WER reports to a centralized log pipeline for analysis
- Alert on driver load events (Sysmon Event ID 6) where tap0901.sys version is less than 9.26.0.0
- Monitor for privilege escalation chains that originate from processes interacting with the TAP adapter
How to Mitigate CVE-2024-1305
Immediate Actions Required
- Upgrade tap-windows6 to version 9.27 or later, distributed with current OpenVPN community packages
- Identify and remove orphaned tap-windows6 installations left by uninstalled VPN clients
- Restrict local user accounts that can load or interact with kernel drivers on sensitive hosts
Patch Information
OpenVPN addressed the integer overflow in tap-windows6 releases following version 9.26. Administrators should deploy the latest OpenVPN Windows installer, which packages the fixed driver, and reboot affected hosts to ensure the vulnerable image is unloaded. Patch details and download links are published in the OpenVPN CVE-2024-1305 advisory.
Workarounds
- Uninstall OpenVPN and the tap-windows6 driver on hosts that do not require the TAP adapter
- Block non-administrative users from creating handles to the TAP device through Windows access control lists
- Apply Windows Defender Application Control (WDAC) policies to prevent loading of out-of-date tap0901.sys images
# Verify installed tap-windows6 driver version on Windows (PowerShell)
# Get-CimInstance replaces Get-WmiObject, which is not available in PowerShell 7
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*TAP-Windows*' } |
    Select-Object DeviceName, DriverVersion, DriverProviderName


