CVE-2026-45918
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-476
Desreferencia a puntero nulo (NULL)
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ovpn: tcp - don&#39;t deref NULL sk_socket member after tcp_close()<br />
<br />
When deleting a peer in case of keepalive expiration, the peer is<br />
removed from the OpenVPN hashtable and is temporary inserted in a<br />
"release list" for further processing.<br />
<br />
This happens in:<br />
ovpn_peer_keepalive_work()<br />
unlock_ovpn(release_list)<br />
<br />
This processing includes detaching from the socket being used to<br />
talk to this peer, by restoring its original proto and socket<br />
ops/callbacks.<br />
<br />
In case of TCP it may happen that, while the peer is sitting in<br />
the release list, userspace decides to close the socket.<br />
This will result in a concurrent execution of:<br />
<br />
tcp_close(sk)<br />
__tcp_close(sk)<br />
sock_orphan(sk)<br />
sk_set_socket(sk, NULL)<br />
<br />
The last function call will set sk->sk_socket to NULL.<br />
<br />
When the releasing routine is resumed, ovpn_tcp_socket_detach()<br />
will attempt to dereference sk->sk_socket to restore its original<br />
ops member. This operation will crash due to sk->sk_socket being NULL.<br />
<br />
Fix this race condition by testing-and-accessing<br />
sk->sk_socket atomically under sk->sk_callback_lock.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



