PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45929 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's OpenVPN (ovpn) driver within the `ovpn_net_xmit` function. The flaw occurs during packet transmission when building a socket buffer (skb) list: `skb_share_check` may free the original skb if it is shared, but subsequent operations—including peer lookup, `skb_dst_drop`, and `ovpn_peer_stats_increment_tx`—continue to use the now-stale pointer. The fix reorders operations to perform peer lookup and `skb_dst_drop` before segmentation, ensuring the original skb remains valid when accessed. Additionally, the patch adds early return handling if all segments fail `skb_share_check` and leaves the list empty, and updates `ovpn_peer_stats_increment_tx` to use `skb_list.next` for improved stats logic.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Linux kernel maintainers and distribution security teams responsible for kernel package updates; network administrators deploying OpenVPN with kernel acceleration (ovpn-dco/ovpn); security operations teams monitoring for kernel-level memory corruption indicators; and organizations running edge networking infrastructure with high-throughput VPN requirements.

Technical summary

The vulnerability is a use-after-free (UAF) in the OpenVPN kernel driver's packet transmission path. The root cause is improper handling of shared socket buffers (skbs) during Generic Segmentation Offload (GSO) operations. When `skb_share_check` determines an skb is shared and must be duplicated, it frees the original skb; however, the code continued to reference this freed memory for peer lookup, destination cache dropping, and statistics incrementing. The fix implements a defensive code reordering: peer lookup and `skb_dst_drop` are now executed on the original skb before `skb_gso_segment` is called, guaranteeing pointer validity. The patch also introduces a guard clause to handle the edge case where all segments fail sharing checks, preventing operations on an empty list. Finally, the statistics function is modified to iterate via `skb_list.next` rather than the original skb pointer, decoupling stats collection from the potentially freed object.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patches from the Linux kernel stable tree (commits 3e4fbcb4e078915367ba5576cd70d76dbc970f95, 442915c96a9bff1c7080e2aedabb1c03faa28d81, and a5ec7baa44ea3a1d6aa0ca31c0ad82edf9affe41) to all
  • Review systems running OpenVPN kernel driver (ovpn) implementations, particularly those handling high-throughput or shared socket buffer scenarios
  • Monitor kernel stable tree announcements for backported fixes to currently supported LTS kernel branches
  • If immediate patching is not feasible, assess whether OpenVPN kernel acceleration can be temporarily disabled in favor of userspace-only operation
  • Validate fix deployment by verifying the presence of reordered skb operations in ovpn_net_xmit and the early-return path for empty segment lists

Evidence notes

The vulnerability description and resolution are sourced from the official CVE record and NVD entry. Three kernel.org stable tree commits are referenced as the authoritative fix sources. The vendor is identified as the Linux Kernel project based on the source domain evidence, though marked for review due to low confidence in automated vendor attribution.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree with patches published on 2026-05-27. The CVE record was published the same day at 14:17:08 UTC and modified at 14:48:03 UTC. No known exploitation in the wild has been att...