CVE-2026-45929
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
A vulnerability in the Linux kernel has been fixed in the ovpn module, which could lead to a use-after-free condition in the ovpn_net_xmit function. The issue stemmed from improper pointer management during operations on packet segments.
Risk Assessment
Exploitation of this vulnerability could lead to unpredictable system behavior, including potential crashes or security breaches, posing a threat to the integrity and availability of services.
Recommendation
It is recommended to update the Linux kernel to the latest version to mitigate this vulnerability and to monitor the system for unauthorized activities.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), - ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic.

