Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - don't deref NULL sk_socket member after tcp_close()

When deleting a peer in case of keepalive expiration, the peer is
removed from the OpenVPN hashtable and is temporarily inserted in a
"release list" for further processing.

This happens in:
ovpn_peer_keepalive_work()
  unlock_ovpn(release_list)

This processing includes detaching from the socket being used to
talk to this peer, by restoring its original proto and socket
ops/callbacks.

In case of TCP it may happen that, while the peer is sitting in
the release list, userspace decides to close the socket.
This will result in a concurrent execution of:

tcp_close(sk)
  __tcp_close(sk)
    sock_orphan(sk)
      sk_set_socket(sk, NULL)

The last function call will set sk->sk_socket to NULL.

When the releasing routine is resumed, ovpn_tcp_socket_detach()
will attempt to dereference sk->sk_socket to restore its original
ops member. This operation will crash due to sk->sk_socket being NULL.

Fix this race condition by testing-and-accessing
sk->sk_socket atomically under sk->sk_callback_lock.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition in the OpenVPN TCP implementation within the Linux kernel that can lead to a NULL pointer dereference. When a peer is removed due to keepalive expiration while its socket is closed in userspace, the cleanup code attempts to access sk->sk_socket after it has been set to NULL by tcp_close(). This results in a kernel crash and causes a denial of service. The weakness is due to improper synchronization between kernel network stack operations and userspace socket lifecycle events.
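
The fix pattern named in the description (test and access sk->sk_socket under sk->sk_callback_lock), shown as an added userspace model in C; it is not kernel code and not taken from the patch. All struct and function names are hypothetical, a pthread mutex stands in for sk->sk_callback_lock, and the close path is assumed to clear the pointer under that same lock.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <pthread.h>
#include <stddef.h>

struct ops_model { const char *name; };
struct socket_model { const struct ops_model *ops; };
struct sock_model {
    pthread_mutex_t callback_lock;  /* stands in for sk->sk_callback_lock */
    struct socket_model *socket;    /* stands in for sk->sk_socket */
};

static const struct ops_model orig_ops = { "orig" };
static const struct ops_model ovpn_ops = { "ovpn" };

/* Close path (assumption of this model): clear the back-pointer under the lock. */
void model_close(struct sock_model *sk)
{
    pthread_mutex_lock(&sk->callback_lock);
    sk->socket = NULL;
    pthread_mutex_unlock(&sk->callback_lock);
}

/* "Before" pattern: no lock, no check; faults if model_close() ran first. */
void detach_unchecked(struct sock_model *sk)
{
    sk->socket->ops = &orig_ops;
}

/* Fix pattern: test and access under one lock hold; 1 = restored, 0 = socket gone. */
int detach_checked(struct sock_model *sk)
{
    int restored = 0;
    pthread_mutex_lock(&sk->callback_lock);
    if (sk->socket) {
        sk->socket->ops = &orig_ops;
        restored = 1;
    }
    pthread_mutex_unlock(&sk->callback_lock);
    return restored;
}

int main(void)
{
    struct socket_model sock = { &ovpn_ops };
    struct sock_model sk = { PTHREAD_MUTEX_INITIALIZER, &sock };
    int open_case = detach_checked(&sk);   /* 1: socket still attached */
    model_close(&sk);                      /* userspace closes before detach */
    return (open_case == 1 && detach_checked(&sk) == 0) ? 0 : 1;
}
```

Because the check and the write happen inside one critical section, a close that wins the race leaves nothing to restore and the detach step is skipped instead of faulting.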

Affected Systems

Any Linux distribution that includes the Linux kernel before the fix identified by commit 94560267d6c41b1ff3fafbab726e3f8a55a6af34 (or the subsequent merge commit b9142cf4e066c825ec68752a7dcaceda700bbe26) is affected. Distributions running a kernel that still contains the earlier OpenVPN TCP code will be vulnerable. The issue does not affect userland OpenVPN binaries directly; it is a kernel-level race in the TCP subsystem.

Risk and Exploitability

Because the bug causes a kernel panic, the impact is a definite denial of service. The CVSS score is not publicly published, and EPSS data are unavailable, so the likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog, indicating that no public exploits are known. An attacker would need to trigger the specific race between the keepalive cleanup path and a userspace socket close; this may require privileged access to the OpenVPN process or a remote client that can force keepalive timeouts. While the attack complexity is moderate, the severe impact warrants prompt attention.

Generated by OpenCVE AI on May 27, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the OpenVPN TCP NULL dereference fix (commit 94560267d6c41b1ff3fafbab726e3f8a55a6af34).
  • After the update, restart the OpenVPN service to ensure new kernel code is in use.
  • Monitor system logs for unexpected kernel panics or OpenVPN crashes to confirm the patch is effective.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-674

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title ovpn: tcp - don't deref NULL sk_socket member after tcp_close()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:34.500Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45918

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:06.690

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses