CVE-2026-45929 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ovpn: fix possible use-after-free in ovpn_net_xmit

When building the skb_list in ovpn_net_xmit, skb_share_check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment
will have a dst attached),
- ovpn_peer_stats_increment_tx.

Fix this by moving the peer lookup and skb_dst_drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb_share_check and the list ends up empty.
Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next
patch fixes the stats logic.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw exists in the Linux kernel’s openvpn packet handling code. When a socket buffer is shared, the system prematurely frees its memory yet continues to operate on the stale pointer during subsequent processing steps, such as peer lookup and destination resolution. This kernel‑level memory corruption can allow an attacker to manipulate a victim’s kernel memory or cause arbitrary code execution if the attacker can supply crafted VPN traffic.

Affected Systems

All Linux kernel builds that lack the patch introduced in commit 3e4fbcb4e078915367ba5576cd70d76dbc970f95. The vulnerability is present across distributions that ship unpatched kernel versions; affected vendors include all Linux kernel maintainers. Precise impacted versions are not enumerated in the advisory, but any kernel before the fix may be susceptible.

Risk and Exploitability

No CVSS score or EPSS data are currently available, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the memory‑corruption nature of the flaw suggests a high impact if exploited. Attackers are likely to target systems that accept untrusted OpenVPN traffic; the attack can be executed remotely by sending malicious packets or locally via privileged operations. The lack of publicly available exploitation reports indicates that exploitation may still be in the research phase, but the potential for severe compromise warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< 3e4fbcb4e078915367ba5576cd70d76dbc970f95
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< 442915c96a9bff1c7080e2aedabb1c03faa28d81
`08857b5ec5d91d83e69e40a36554a8c7557b7301`	affected	< a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the fix from commit 3e4fbcb4e078915367ba5576cd70d76dbc970f95 or later.
If a kernel update is not immediately available, block or restrict incoming OpenVPN traffic until an updated kernel can be installed.
Monitor system logs for unusual kernel panics or behavior that could indicate exploitation attempts.

Generated by OpenCVE AI on May 27, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e4fbcb4e078915367ba5576cd70d76dbc970f95
https://git.kernel.org/stable/c/442915c96a9bff1c7080e2aedabb1c03faa28d81
https://git.kernel.org/stable/c/a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41

History

Wed, 27 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), - ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic.
Title		ovpn: fix possible use-after-free in ovpn_net_xmit
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e4fbcb4e078915367ba5576cd70d76dbc970f95 https://git.kernel.org/stable/c/442915c96a9bff1c7080e2aedabb1c03faa28d81 https://git.kernel.org/stable/c/a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:47.891Z

Updated: 2026-05-27T12:17:47.891Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45929

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:08.833

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object