CVE-2026-43254
Analyzed Analyzed - Analysis Complete
TCP Packet Handling Vulnerability in Linux Kernel OpenVPN

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43254
EUVD
EUVD-2026-27815
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 6.16 (inc) to 6.18.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of TCP stream data in the OpenVPN component (ovpn_tcp_recv). When processing large cloned socket buffers (skbs) that contain multiple coalesced packets, two main bugs occur:

  • Header offset overflow: Using pskb_pull with large offsets causes the network header offset to exceed its storage limit, leading to failures in resetting the network header and resulting in packet drops.
  • Unaligned protocol headers: Extracting packets from arbitrary positions within the TCP stream causes misalignment of packet data, which leads to performance penalties on architectures that do not support efficient unaligned access. Additionally, OpenVPN's 2-byte length prefix causes subsequent fields to be inherently misaligned.

The fix involves allocating a new skb for each OpenVPN packet and copying only the packet content (skipping the 2-byte length prefix) into this new buffer. This avoids misalignment and header offset issues, prevents invalid skb creation, and improves TCP throughput by up to 74%.

Impact Analysis

This vulnerability can cause packet drops due to header offset overflow and performance degradation due to unaligned protocol headers when processing TCP stream data in OpenVPN. Packet drops can lead to unreliable VPN connections, while performance penalties can reduce throughput and efficiency, especially on architectures sensitive to unaligned memory access.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the packet extraction process in ovpn_tcp_recv. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

The fix involves allocating a new skb for each OpenVPN packet and using skb_copy_bits to extract only the packet content, avoiding header offset overflow and unaligned protocol headers.

Applying the updated kernel will also improve TCP throughput and prevent packet drops caused by the previous bugs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart