PT-2026-43796 · Linux · Linux
Published
2026-05-27
·
Updated
2026-05-27
·
CVE-2026-45929
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
In the Linux kernel, the following vulnerability has been resolved:
ovpn: fix possible use-after-free in ovpn net xmit
When building the skb list in ovpn net xmit, skb share check will free
the original skb if it is shared. The current implementation continues
to use the stale skb pointer for subsequent operations:
- peer lookup,
- skb dst drop (even though all segments produced by skb gso segment will have a dst attached),
- ovpn peer stats increment tx.
Fix this by moving the peer lookup and skb dst drop before segmentation
so that the original skb is still valid when used. Return early if all
segments fail skb share check and the list ends up empty.
Also switch ovpn peer stats increment tx to use skb list.next; the next
patch fixes the stats logic.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux