Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45918

Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-476 Desreferencia a puntero nulo (NULL)
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ovpn: tcp - don&amp;#39;t deref NULL sk_socket member after tcp_close()<br /> <br /> When deleting a peer in case of keepalive expiration, the peer is<br /> removed from the OpenVPN hashtable and is temporary inserted in a<br /> "release list" for further processing.<br /> <br /> This happens in:<br /> ovpn_peer_keepalive_work()<br /> unlock_ovpn(release_list)<br /> <br /> This processing includes detaching from the socket being used to<br /> talk to this peer, by restoring its original proto and socket<br /> ops/callbacks.<br /> <br /> In case of TCP it may happen that, while the peer is sitting in<br /> the release list, userspace decides to close the socket.<br /> This will result in a concurrent execution of:<br /> <br /> tcp_close(sk)<br /> __tcp_close(sk)<br /> sock_orphan(sk)<br /> sk_set_socket(sk, NULL)<br /> <br /> The last function call will set sk-&gt;sk_socket to NULL.<br /> <br /> When the releasing routine is resumed, ovpn_tcp_socket_detach()<br /> will attempt to dereference sk-&gt;sk_socket to restore its original<br /> ops member. This operation will crash due to sk-&gt;sk_socket being NULL.<br /> <br /> Fix this race condition by testing-and-accessing<br /> sk-&gt;sk_socket atomically under sk-&gt;sk_callback_lock.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)