CVE-2026-45918
Awaiting Analysis
Race Condition in Linux Kernel OpenVPN TCP Socket Handling

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - don't deref NULL sk_socket member after tcp_close()

When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporarily inserted in a "release list" for further processing.

This happens in:

    ovpn_peer_keepalive_work()
      unlock_ovpn(release_list)

This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks.

In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of:

    tcp_close(sk)
      __tcp_close(sk)
        sock_orphan(sk)
          sk_set_socket(sk, NULL)

The last function call will set sk->sk_socket to NULL.

When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL.

Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock.

Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor  | Product | Version / Range
openvpn | openvpn | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's OpenVPN TCP handling code. Specifically, when a peer connection is deleted due to keepalive expiration, the peer is moved to a release list for cleanup. During this cleanup, the code attempts to detach from the socket by restoring its original protocol and socket operations. However, if userspace closes the TCP socket concurrently, the socket pointer (sk->sk_socket) can be set to NULL. The cleanup code then tries to dereference this NULL pointer, causing a crash. The root cause is a race condition where the socket pointer is accessed without proper synchronization.

Impact Analysis

This vulnerability can cause a crash in the OpenVPN TCP socket handling code within the Linux kernel. Such a crash could lead to denial of service (DoS) conditions, disrupting VPN connectivity and potentially affecting system stability or availability.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel or OpenVPN software to a version where the race condition in ovpn_tcp_socket_detach() has been fixed.

The fix involves ensuring atomic access to sk->sk_socket under sk->sk_callback_lock to prevent dereferencing a NULL pointer.

Until an update is applied, consider monitoring and limiting TCP socket closures related to OpenVPN peers to reduce the chance of triggering the race condition.
