CVE-2026-45929 - Vulnerability Details

- ovpn: fix possible use-after-free in ovpn_net_xmit

Description

In the Linux kernel, the following vulnerability has been resolved:

ovpn: fix possible use-after-free in ovpn_net_xmit

When building the skb_list in ovpn_net_xmit, skb_share_check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment
will have a dst attached),
- ovpn_peer_stats_increment_tx.

Fix this by moving the peer lookup and skb_dst_drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb_share_check and the list ends up empty.
Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next
patch fixes the stats logic.

Published: 2026-05-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw exists in the Linux kernel’s OpenVPN packet handling code. When ovpn_net_xmit builds a socket‑buffer list, skb_share_check may free a shared buffer while the code continues to use the stale pointer for peer lookup, destination dropping, and statistics updates. The resulting kernel memory corruption can lead to kernel‑level compromise; while the official description does not detail a specific exploitation method, it is inferred that an attacker could potentially trigger this corruption by crafting malformed OpenVPN packets.

Affected Systems

All Linux kernel builds that do not contain the patch introduced in commit 3e4fbcb4e078915367ba5576cd70d76dbc970f95 are affected. Any distribution running an unpatched kernel with the OpenVPN module is potentially vulnerable whenever it accepts OpenVPN traffic over the kernel networking stack.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score is below 1 % and the vulnerability is not in CISA’s KEV catalog, suggesting limited public exploitation. The possibility of exploitation via crafted OpenVPN packets is inferred from the code behavior; no confirmed public exploits exist. Timely remediation is advised to prevent possible kernel‑level compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< 3e4fbcb4e078915367ba5576cd70d76dbc970f95
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< 442915c96a9bff1c7080e2aedabb1c03faa28d81
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[08857b5ec5d91d83e69e40a36554a8c7557b7301,3e4fbcb4e078915367ba5576cd70d76dbc970f95)`	affected	code_commit	—
`[08857b5ec5d91d83e69e40a36554a8c7557b7301,442915c96a9bff1c7080e2aedabb1c03faa28d81)`	affected	code_commit	—
`[08857b5ec5d91d83e69e40a36554a8c7557b7301,a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.16`	affected	generic	—
`[0,6.16)`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix from commit 3e4fbcb4e078915367ba5576cd70d76dbc970f95 or later, which addresses the CWE‑825 use‑after‑free flaw.
If an update cannot be applied immediately, block or restrict incoming OpenVPN traffic until a patched kernel is installed.
Continuously monitor kernel logs for panics or abnormal behavior that may indicate exploitation attempts.

Generated by OpenCVE AI on May 30, 2026 at 13:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00157.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e4fbcb4e078915367ba5576cd70d76dbc970f95
https://git.kernel.org/stable/c/442915c96a9bff1c7080e2aedabb1c03faa28d81
https://git.kernel.org/stable/c/a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41
https://lore.kernel.org/linux-cve-announce/2026052726-CVE-2026-45929-609a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45929
https://www.cve.org/CVERecord?id=CVE-2026-45929

History

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026052726-CVE-2026-45929-609a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45929 https://www.cve.org/CVERecord?id=CVE-2026-45929

Wed, 27 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), - ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic.
Title		ovpn: fix possible use-after-free in ovpn_net_xmit
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e4fbcb4e078915367ba5576cd70d76dbc970f95 https://git.kernel.org/stable/c/442915c96a9bff1c7080e2aedabb1c03faa28d81 https://git.kernel.org/stable/c/a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:47.891Z

Updated: 2026-05-30T10:45:55.720Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45929

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:08.833

Modified: 2026-05-30T11:17:15.860

Link: CVE-2026-45929

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45929 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses

CWE-825
Expired Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object