CVE-2026-45918 Linux CVE debrief

Who should care

Organizations running Linux kernels with the ovpn (kernel-mode OpenVPN) module enabled, particularly those using TCP-based OpenVPN connections. Cloud providers and hosting platforms offering OpenVPN services with kernel acceleration. Embedded systems and network appliances using kernel-mode OpenVPN.

Technical summary

The vulnerability exists in the kernel's ovpn (OpenVPN) driver when handling TCP socket teardown. The race occurs between ovpn_peer_keepalive_work() moving a peer to a release list and concurrent tcp_close() from userspace. The sock_orphan() call in tcp_close() sets sk->sk_socket to NULL, which ovpn_tcp_socket_detach() later dereferences without checking. The fix implements atomic test-and-access under sk->sk_callback_lock to safely handle the potentially NULL sk_socket member.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from stable kernel.org commits when available for your distribution
• Monitor distribution security advisories for updated kernel packages containing the ovpn TCP fix
• If running OpenVPN in kernel mode (ovpn) with TCP transport, consider temporarily using UDP transport if feasible to avoid the vulnerable code path
• Review kernel logs for ovpn-related crashes that may indicate exploitation attempts
• Ensure timely kernel updates on systems using kernel-mode OpenVPN (ovpn) with TCP connections

Evidence notes

CVE description confirms kernel crash via NULL pointer dereference in ovpn TCP socket detach path. Three kernel.org stable commits provided as references. No CVSS score or severity assigned by NVD at time of disclosure.

Official resources