CVE-2026-45929
Analyzed Analyzed - Analysis Complete

Use-After-Free in OpenVPN Kernel Module

Vulnerability report for CVE-2026-45929, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-25

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), - ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-25
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.16 (inc) to 6.18.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's ovpn_net_xmit function. When building the skb_list, the function skb_share_check may free the original skb if it is shared, but the code continues to use the freed (stale) skb pointer for further operations such as peer lookup, skb_dst_drop, and ovpn_peer_stats_increment_tx. This improper use of a freed pointer can lead to undefined behavior or crashes.

The fix involves reordering operations so that peer lookup and skb_dst_drop occur before segmentation, ensuring the original skb is still valid when used. Additionally, the code returns early if all segments fail skb_share_check, preventing use of an empty list, and adjusts stats logic to use the next skb in the list.

Impact Analysis

This use-after-free vulnerability can cause the Linux kernel to behave unpredictably, potentially leading to system crashes, memory corruption, or security issues such as privilege escalation or denial of service. Since it involves network packet processing in the ovpn module, it could affect systems using OpenVPN or similar VPN implementations relying on this kernel code.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the ovpn_net_xmit use-after-free issue has been fixed. The fix involves changes to the ovpn_net_xmit function to avoid using a stale skb pointer after skb_share_check frees the original skb.

Specifically, ensure your kernel includes the patch that moves the peer lookup and skb_dst_drop operations before segmentation, and that it returns early if all segments fail skb_share_check. This prevents use-after-free conditions in the ovpn module.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart