CVE-2026-45929

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/05/2026
Last modified:
25/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ovpn: fix possible use-after-free in ovpn_net_xmit<br /> <br /> When building the skb_list in ovpn_net_xmit, skb_share_check will free<br /> the original skb if it is shared. The current implementation continues<br /> to use the stale skb pointer for subsequent operations:<br /> - peer lookup,<br /> - skb_dst_drop (even though all segments produced by skb_gso_segment<br /> will have a dst attached),<br /> - ovpn_peer_stats_increment_tx.<br /> <br /> Fix this by moving the peer lookup and skb_dst_drop before segmentation<br /> so that the original skb is still valid when used. Return early if all<br /> segments fail skb_share_check and the list ends up empty.<br /> Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next<br /> patch fixes the stats logic.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)