CVE-2026-45929
Awaiting Analysis
Use-After-Free in OpenVPN Kernel Module

Publication date: 2026-05-27

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: fix possible use-after-free in ovpn_net_xmit

When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached),
- ovpn_peer_stats_increment_tx.

Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used.

Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-30
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's ovpn_net_xmit function. When building the skb_list, the function skb_share_check may free the original skb if it is shared, but the code continues to use the freed (stale) skb pointer for further operations such as peer lookup, skb_dst_drop, and ovpn_peer_stats_increment_tx. This improper use of a freed pointer can lead to undefined behavior or crashes.

The fix involves reordering operations so that peer lookup and skb_dst_drop occur before segmentation, ensuring the original skb is still valid when used. Additionally, the code returns early if all segments fail skb_share_check, preventing use of an empty list, and adjusts stats logic to use the next skb in the list.
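
Added example, not code from the kernel patch or from this page: a userspace C model of the ordering problem and of the reordering described above. The names struct buf, share_check, peer_lookup and the xmit_* helpers are hypothetical stand-ins; share_check only mimics the skb_share_check behaviour described here, and released buffers are flagged rather than freed so the stale access can be counted safely.

```c
#include <stdio.h>
/* Constructed userspace model of a refcounted sk_buff; not kernel code. */
struct buf { int users; int live; int peer_id; };
static struct buf pool[16];
static int pool_used, stale_reads;  /* stale_reads: uses of a released buffer */
static struct buf *buf_new(int peer_id) {
    struct buf *b = &pool[pool_used++];
    b->users = 1; b->live = 1; b->peer_id = peer_id;
    return b;
}
static void buf_put(struct buf *b) { if (--b->users == 0) b->live = 0; }

/* Models skb_share_check(): a shared buffer loses the caller's reference. */
static struct buf *share_check(struct buf *b) {
    if (b->users == 1) return b;         /* not shared: keep using it */
    struct buf *clone = buf_new(b->peer_id);
    buf_put(b);                          /* caller no longer owns b */
    return clone;
}

/* Checked read; real kernel code would touch freed memory at this point. */
static int peer_lookup(const struct buf *b) {
    if (!b->live) { stale_reads++; return -1; }
    return b->peer_id;
}

/* Vulnerable order: the original pointer is used after share_check(). */
static int xmit_lookup_after(int peer_id) {
    struct buf *orig = buf_new(peer_id);
    orig->users++;                       /* second holder: buffer is shared */
    (void)share_check(orig);             /* drops the transmit path's reference */
    buf_put(orig);                       /* the other holder lets go as well */
    return peer_lookup(orig);            /* stale pointer */
}

/* Fixed order: the peer is looked up while orig is still owned. */
static int xmit_lookup_before(int peer_id) {
    struct buf *orig = buf_new(peer_id);
    orig->users++;
    int peer = peer_lookup(orig);        /* orig is still valid here */
    (void)share_check(orig);
    buf_put(orig);
    return peer;
}

int main(void) {
    int ok = xmit_lookup_before(7), bad = xmit_lookup_after(7);
    printf("before=%d after=%d stale_reads=%d\n", ok, bad, stale_reads);
    return 0;
}
```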

Impact Analysis

This use-after-free vulnerability can cause the Linux kernel to behave unpredictably, potentially leading to system crashes, memory corruption, or security issues such as privilege escalation or denial of service. Since it involves network packet processing in the ovpn module, it could affect systems using OpenVPN or similar VPN implementations relying on this kernel code.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the ovpn_net_xmit use-after-free issue has been fixed. The fix involves changes to the ovpn_net_xmit function to avoid using a stale skb pointer after skb_share_check frees the original skb.

Specifically, ensure your kernel includes the patch that moves the peer lookup and skb_dst_drop operations before segmentation, and that it returns early if all segments fail skb_share_check. This prevents use-after-free conditions in the ovpn module.
