CVE-2026-45918
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/05/2026
Last modified: 24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - don't deref NULL sk_socket member after tcp_close()

When deleting a peer in case of keepalive expiration, the peer is
removed from the OpenVPN hashtable and is temporarily inserted in a
"release list" for further processing.

This happens in:
  ovpn_peer_keepalive_work()
    unlock_ovpn(release_list)

This processing includes detaching from the socket being used to
talk to this peer, by restoring its original proto and socket
ops/callbacks.

In case of TCP it may happen that, while the peer is sitting in
the release list, userspace decides to close the socket.
This will result in a concurrent execution of:

  tcp_close(sk)
    __tcp_close(sk)
      sock_orphan(sk)
        sk_set_socket(sk, NULL)

The last function call will set sk->sk_socket to NULL.

When the releasing routine is resumed, ovpn_tcp_socket_detach()
will attempt to dereference sk->sk_socket to restore its original
ops member. This operation will crash due to sk->sk_socket being NULL.

Fix this race condition by testing-and-accessing
sk->sk_socket atomically under sk->sk_callback_lock.
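
The test-and-access pattern described above, as an added user-space C model (not the kernel patch and not code from this advisory). The struct layouts, the `model_*` helpers and `replay()` are hypothetical, a pthread mutex stands in for sk->sk_callback_lock, and the interleaving is replayed deterministically rather than with real threads.

```c
/* User-space model (added example): struct layouts and model_* names are
 * hypothetical; a pthread mutex stands in for sk->sk_callback_lock. */
#include <pthread.h>
#include <stddef.h>

struct proto_ops { const char *name; };
struct socket { const struct proto_ops *ops; };
struct sock {
    pthread_mutex_t sk_callback_lock;
    struct socket *sk_socket;
};

static const struct proto_ops orig_ops = { "tcp-original" };
static const struct proto_ops ovpn_ops = { "ovpn-tcp" };

/* Close path: clears sk_socket while holding the callback lock. */
static void model_sock_orphan(struct sock *sk)
{
    pthread_mutex_lock(&sk->sk_callback_lock);
    sk->sk_socket = NULL;
    pthread_mutex_unlock(&sk->sk_callback_lock);
}

/* Release path: test and use sk_socket inside one critical section.
 * Returns 1 if the original ops were restored, 0 if already orphaned. */
static int model_detach(struct sock *sk)
{
    int restored = 0;
    pthread_mutex_lock(&sk->sk_callback_lock);
    if (sk->sk_socket) {          /* NULL once the close path has run */
        sk->sk_socket->ops = &orig_ops;
        restored = 1;
    }
    pthread_mutex_unlock(&sk->sk_callback_lock);
    return restored;
}

/* Replays one interleaving: close_first != 0 puts the userspace close
 * between "peer queued on release list" and "detach". -1 flags a mismatch. */
int replay(int close_first)
{
    struct socket sock = { &ovpn_ops };
    struct sock sk = { .sk_callback_lock = PTHREAD_MUTEX_INITIALIZER,
                       .sk_socket = &sock };
    if (close_first)
        model_sock_orphan(&sk);
    int restored = model_detach(&sk);
    return restored == (sock.ops == &orig_ops) ? restored : -1;
}
int main(void) { return !(replay(1) == 0 && replay(0) == 1); }
```

Without the NULL test inside the critical section, the `close_first` interleaving would dereference a NULL `sk_socket`, which is the crash the description reports.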
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |