CVE Catalog

CVE-2026-45918

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel within the OpenVPN module that may lead to system crashes. The issue occurs when removing a peer from the list during keepalive expiration while the socket is being closed simultaneously.

Risk Assessment

This vulnerability may lead to unexpected crashes of the OpenVPN application, potentially impacting the availability of network services within the organization.

Recommendation

It is recommended to update the Linux kernel to the latest version that includes a fix for this vulnerability. Additionally, monitoring and managing TCP connections in OpenVPN should be reinforced.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - don't deref NULL sk_socket member after tcp_close() When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing. This happens in: ovpn_peer_keepalive_work() unlock_ovpn(release_list) This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks. In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of: tcp_close(sk) __tcp_close(sk) sock_orphan(sk) sk_set_socket(sk, NULL) The last function call will set sk->sk_socket to NULL. When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL. Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS