CVE-2026-43254
Awaiting Analysis Awaiting Analysis - Queue
TCP Packet Handling Vulnerability in Linux Kernel OpenVPN

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43254
EUVD
EUVD-2026-27815
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openvpn openvpn *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of TCP stream data in the OpenVPN component (ovpn_tcp_recv). When processing large cloned socket buffers (skbs) that contain multiple coalesced packets, two main bugs occur:

  • Header offset overflow: Using pskb_pull with large offsets causes the network header offset to exceed its storage limit, leading to failures in resetting the network header and resulting in packet drops.
  • Unaligned protocol headers: Extracting packets from arbitrary positions within the TCP stream causes misalignment of packet data, which leads to performance penalties on architectures that do not support efficient unaligned access. Additionally, OpenVPN's 2-byte length prefix causes subsequent fields to be inherently misaligned.

The fix involves allocating a new skb for each OpenVPN packet and copying only the packet content (skipping the 2-byte length prefix) into this new buffer. This avoids misalignment and header offset issues, prevents invalid skb creation, and improves TCP throughput by up to 74%.


How can this vulnerability impact me? :

This vulnerability can cause packet drops due to header offset overflow and performance degradation due to unaligned protocol headers when processing TCP stream data in OpenVPN. Packet drops can lead to unreliable VPN connections, while performance penalties can reduce throughput and efficiency, especially on architectures sensitive to unaligned memory access.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the packet extraction process in ovpn_tcp_recv. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

The fix involves allocating a new skb for each OpenVPN packet and using skb_copy_bits to extract only the packet content, avoiding header offset overflow and unaligned protocol headers.

Applying the updated kernel will also improve TCP throughput and prevent packet drops caused by the previous bugs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart