Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - fix packet extraction from stream

When processing TCP stream data in ovpn_tcp_recv, we receive large
cloned skbs from __strp_rcv that may contain multiple coalesced packets.
The current implementation has two bugs:

1. Header offset overflow: Using pskb_pull with large offsets on
coalesced skbs causes skb->data - skb->head to exceed the u16 storage
of skb->network_header. This causes skb_reset_network_header to fail
on the inner decapsulated packet, resulting in packet drops.

2. Unaligned protocol headers: Extracting packets from arbitrary
positions within the coalesced TCP stream provides no alignment
guarantees for the packet data causing performance penalties on
architectures without efficient unaligned access. Additionally,
openvpn's 2-byte length prefix on TCP packets causes the subsequent
4-byte opcode and packet ID fields to be inherently misaligned.

Fix both issues by allocating a new skb for each openvpn packet and
using skb_copy_bits to extract only the packet content into the new
buffer, skipping the 2-byte length prefix. Also, check the length before
invoking the function that performs the allocation to avoid creating an
invalid skb.

If the packet has to be forwarded to userspace the 2-byte prefix can be
pushed to the head safely, without misalignment.

As a side effect, this approach also avoids the expensive linearization
that pskb_pull triggers on cloned skbs with page fragments. In testing,
this resulted in TCP throughput improvements of up to 74%.
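The extraction scheme described above, modeled in userspace C as an added example (not the kernel patch or any project code): `malloc` and `memcpy` stand in for the fresh skb allocation and `skb_copy_bits`. `MIN_PKT`, `stored_offset`, `run_demo` and the 40000-byte sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_LEN 2            /* OpenVPN-over-TCP length prefix, big endian */
#define MIN_PKT    4            /* assumed minimum payload length for this model */
enum { N = 3, PLEN = 40000 };   /* constructed sample: 3 coalesced packets */
static size_t demo_last_off;    /* stream offset of the last packet's prefix */

/* What a u16 offset field retains of a data-to-head distance. */
static uint16_t stored_offset(size_t distance) { return (uint16_t)distance; }

/* Copy the packet at s[off] into a fresh buffer, skipping the prefix.
 * Returns payload length, 0 if incomplete, -1 if invalid or out of memory. */
static long extract_packet(const uint8_t *s, size_t len, size_t off, uint8_t **out)
{
    *out = NULL;
    if (off > len || len - off < PREFIX_LEN) return 0;
    size_t plen = ((size_t)s[off] << 8) | s[off + 1];
    if (plen < MIN_PKT) return -1;                 /* validate before allocating */
    if (len - off - PREFIX_LEN < plen) return 0;   /* wait for the rest */
    if (!(*out = malloc(plen))) return -1;
    memcpy(*out, s + off + PREFIX_LEN, plen);
    return (long)plen;
}

/* Walk the constructed stream; returns the number of packets extracted. */
static int run_demo(void)
{
    size_t len = (size_t)N * (PLEN + PREFIX_LEN), off = 0, count = 0;
    uint8_t *stream = calloc(1, len), *pkt;
    long got;
    if (!stream) return -1;
    for (size_t i = 0, o = 0; i < N; i++, o += PLEN + PREFIX_LEN) {
        stream[o] = PLEN >> 8; stream[o + 1] = PLEN & 0xff;
        stream[o + 2] = (uint8_t)(i + 1);   /* marker in first payload byte */
    }
    while ((got = extract_packet(stream, len, off, &pkt)) > 0) {
        int ok = pkt[0] == count + 1 && (uintptr_t)pkt % 4 == 0;
        free(pkt);
        if (!ok) break;
        demo_last_off = off;
        off += PREFIX_LEN + (size_t)got;
        count++;
    }
    free(stream);
    return (int)count;
}
int main(void) { return run_demo() == N ? 0 : 1; }
```

The third payload starts 80006 bytes into the stream, a distance a u16 field cannot hold, while each copied packet begins at offset 0 of its own aligned buffer.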
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel exposes a bug in the OpenVPN TCP transport handler when it receives a TCP stream that contains multiple coalesced OpenVPN packets. The handler copies packet data from arbitrary offsets inside the stream, which can cause an integer overflow on the skb network header length and dereference a corrupted pointer, leading to dropped packets. Additionally, because the packet length prefix and subsequent headers are misaligned, the copy operation can trigger expensive unaligned memory accesses, further degrading performance. Together, these flaws can result in significant packet loss and throughput reduction for unsuspecting OpenVPN clients and servers.

Affected Systems

All Linux kernel versions that include the OpenVPN TCP transport code are affected, since the flaw resides in a generic part of the kernel’s networking stack. Any system running an unpatched kernel that accepts OpenVPN traffic over TCP may experience packet loss or degraded throughput. No specific version ranges are listed, implying that all releases prior to the commit that introduced the fixed logic remain vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of < 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker could trigger the bug by sending specially crafted OpenVPN packets over TCP, possibly from a remote source, causing repeated packet drops or excessive CPU usage. The exploitation does not require local or privileged access and does not lead to code execution, instead offering a denial‑of‑service surface.

Generated by OpenCVE AI on May 8, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ovpn_tcp_recv fixes in the referenced commit logs; the patch replaces the unsafe pskb_pull logic with skb_copy_bits into a newly allocated skb and eliminates the overflow and misalignment issues.
  • If a kernel upgrade cannot be performed immediately, restrict OpenVPN TCP traffic to trusted sources by configuring firewall rules or rate limiting the connection, thereby reducing the likelihood that crafted packets will reach the vulnerable code path.
  • Continuously monitor kernel logs such as dmesg or /var/log/kern.log for abnormal packet drop patterns or warnings related to ovpn_tcp_recv, and perform routine performance testing to verify that throughput has returned to pre‑vulnerability levels.


Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Fri, 08 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 12:15:00 +0000


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-190

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title ovpn: tcp - fix packet extraction from stream
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:59.540Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43254

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:46.143

Modified: 2026-05-11T18:21:13.677

Link: CVE-2026-43254

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43254 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T20:15:15Z

Weaknesses