7.8
/ 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
ovpn: fix possible use-after-free in ovpn_net_xmit
When building the skb_list in ovpn_net_xmit, skb_share_check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment
will have a dst attached),
- ovpn_peer_stats_increment_tx.
Fix this by moving the peer lookup and skb_dst_drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb_share_check and the list ends up empty.
Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next
patch fixes the stats logic.
ovpn: fix possible use-after-free in ovpn_net_xmit
When building the skb_list in ovpn_net_xmit, skb_share_check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment
will have a dst attached),
- ovpn_peer_stats_increment_tx.
Fix this by moving the peer lookup and skb_dst_drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb_share_check and the list ends up empty.
Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next
patch fixes the stats logic.
Basic Information
ID
CVE-2026-45929
Source
Linux
Published
May 27, 2026 at 12:17
Modified
May 30, 2026 at 10:45
Affected Product
Vendor
Linux
Product
Linux
Version
08857b5ec5d91d83e69e40a36554a8c7557b7301
Affected Versions
Linux Linux 08857b5ec5d91d83e69e40a36554a8c7557b7301
Linux Linux 08857b5ec5d91d83e69e40a36554a8c7557b7301
Linux Linux 08857b5ec5d91d83e69e40a36554a8c7557b7301
Linux Linux 6.16
Linux Linux 08857b5ec5d91d83e69e40a36554a8c7557b7301
Linux Linux 08857b5ec5d91d83e69e40a36554a8c7557b7301
Linux Linux 6.16