Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - fix packet extraction from stream

When processing TCP stream data in ovpn_tcp_recv, we receive large
cloned skbs from __strp_rcv that may contain multiple coalesced packets.
The current implementation has two bugs:

1. Header offset overflow: Using pskb_pull with large offsets on
coalesced skbs causes skb->data - skb->head to exceed the u16 storage
of skb->network_header. This causes skb_reset_network_header to fail
on the inner decapsulated packet, resulting in packet drops.

2. Unaligned protocol headers: Extracting packets from arbitrary
positions within the coalesced TCP stream provides no alignment
guarantees for the packet data causing performance penalties on
architectures without efficient unaligned access. Additionally,
openvpn's 2-byte length prefix on TCP packets causes the subsequent
4-byte opcode and packet ID fields to be inherently misaligned.

Fix both issues by allocating a new skb for each openvpn packet and
using skb_copy_bits to extract only the packet content into the new
buffer, skipping the 2-byte length prefix. Also, check the length before
invoking the function that performs the allocation to avoid creating an
invalid skb.

If the packet has to be forwarded to userspace the 2-byte prefix can be
pushed to the head safely, without misalignment.

As a side effect, this approach also avoids the expensive linearization
that pskb_pull triggers on cloned skbs with page fragments. In testing,
this resulted in TCP throughput improvements of up to 74%.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
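
The two defects and the fix in the description above can be modelled in user space. This is an added example, not the kernel patch or the ovpn code: `toy_skb`, the function names and `MIN_PKT_LEN` are assumptions made here, and the sample stream is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_LEN  2 /* OpenVPN-over-TCP length prefix, per the description */
#define MIN_PKT_LEN 4 /* assumption: room for the 4-byte opcode/packet-ID word */

/* Toy stand-in for the sk_buff fields the description names; not the kernel struct. */
struct toy_skb { uint8_t *head, *data; size_t len; uint16_t network_header; };

/* Models the u16 storage: 0 if data - head fits in 16 bits, -1 if it is truncated. */
static int toy_reset_network_header(struct toy_skb *skb) {
    size_t off = (size_t)(skb->data - skb->head);
    skb->network_header = (uint16_t)off; /* silently truncates above 65535 */
    return skb->network_header == off ? 0 : -1;
}

/* "Before" model: advance data inside the large coalesced buffer. */
static int extract_in_place(uint8_t *stream, size_t offset, struct toy_skb *out) {
    out->head = stream;
    out->data = stream + offset + PREFIX_LEN; /* start depends on stream position */
    out->len = ((size_t)stream[offset] << 8) | stream[offset + 1];
    return toy_reset_network_header(out);
}

/* "After" model: check the length first, then copy only the payload to a fresh buffer. */
static int extract_copy(const uint8_t *stream, size_t total, size_t offset,
                        struct toy_skb *out) {
    if (offset > total || total - offset < PREFIX_LEN) return -1;
    size_t plen = ((size_t)stream[offset] << 8) | stream[offset + 1];
    if (plen < MIN_PKT_LEN || plen > total - offset - PREFIX_LEN) return -1;
    uint8_t *buf = malloc(plen);
    if (!buf) return -1;
    memcpy(buf, stream + offset + PREFIX_LEN, plen); /* prefix is skipped */
    out->head = out->data = buf; /* offset from head is 0, start is malloc-aligned */
    out->len = plen;
    return toy_reset_network_header(out);
}

int main(void) {
    size_t total = 70000, off = 66000; /* constructed stream, packet past 64 KiB */
    uint8_t *stream = calloc(1, total);
    struct toy_skb a, b = {0};
    if (!stream) return 1;
    stream[off + 1] = 100; /* length prefix 0x0064 in network byte order */
    printf("in place: %d\n", extract_in_place(stream, off, &a));
    printf("copy:     %d\n", extract_copy(stream, total, off, &b));
    free(b.data); free(stream);
    return 0;
}
```

The in-place model fails only once the packet sits more than 65535 bytes into the buffer, which is why the defect depends on how much data has been coalesced ahead of it.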
AI Analysis

Impact

In the Linux kernel, the OpenVPN TCP transport handling function ovpn_tcp_recv contains two critical bugs. The first bug causes a header offset overflow when pulling a large offset from a coalesced TCP buffer, which can corrupt internal header pointers and lead to dropped packets. The second bug extracts packets from arbitrary positions within the TCP stream without alignment guarantees, resulting in inefficient memory access and potential performance degradation. Together, these flaws can be triggered by specially crafted OpenVPN packets, causing repeated packet drops or resource exhaustion, and thus a denial‑of‑service attack surface.

Affected Systems

All Linux kernel builds that support OpenVPN over TCP are affected, as the flaw exists in the kernel's generic packet processing path for this transport mode. Any system running an unpatched kernel that accepts OpenVPN TCP traffic may experience packet loss or degraded throughput; no specific version range is listed, so all releases before the patch are vulnerable.

Risk and Exploitability

No CVSS or EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog. The risk is primarily denial of service; the description does not indicate any memory corruption that would crash the kernel or provide code execution. An attacker could send crafted OpenVPN packets over TCP to trigger the header offset overflow or misaligned access, causing packet drops or CPU load, and exploitation does not seem to require privileged or local access.

Generated by OpenCVE AI on May 6, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the ovpn_tcp_recv fixes referenced in the commit logs; this change allocates a fresh skb for each OpenVPN packet and safely copies packet data, eliminating the overflow and alignment issues.
  • If a kernel upgrade is not immediately possible, restrict OpenVPN TCP traffic to trusted sources using firewall rules (e.g., iptables or nftables) or limit the connection rate to reduce the opportunity for crafted packets to be delivered.
  • Continuously monitor kernel logs (dmesg, /var/log/kern.log) for abnormal packet drop patterns or warnings related to ovpn_tcp_recv, and perform routine performance testing to verify throughput improvements and absence of packet loss.

Generated by OpenCVE AI on May 6, 2026 at 16:06 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:30:00 +0000

Values added (none removed):
  • Weaknesses: CWE-119, CWE-190

Wed, 06 May 2026 12:15:00 +0000

Values added (none removed):
  • Description: the text given under Description at the top of this page
  • Title: ovpn: tcp - fix packet extraction from stream
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:43.871Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43254

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:46.143

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T19:00:05Z

Weaknesses