Skip to main content

Linux Kernel CVE-2026-43254

| EUVDEUVD-2026-27815 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-06 Linux GHSA-wp3j-57qp-wwvh
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:43 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - fix packet extraction from stream

When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs:

  1. Header offset overflow: Using pskb_pull with large offsets on

coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops.

  1. Unaligned protocol headers: Extracting packets from arbitrary

positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned.

Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb.

If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment.

As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.

AnalysisAI

A denial-of-service vulnerability in the Linux kernel's OpenVPN TCP stream processing (ovpn_tcp_recv) allows remote unauthenticated attackers to cause packet drops and potential system unavailability through header offset overflow and misaligned protocol headers when handling coalesced TCP packets. The vulnerability affects Linux kernel versions containing commit 11851cbd60ea (OpenVPN driver) through 6.19.6, 6.18.16, and 7.0, with patches available in stable branches. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite the network-accessible attack vector and high availability impact (CVSS 7.5).

Technical ContextAI

This vulnerability affects the Linux kernel's in-tree OpenVPN TCP driver (ovpn module) introduced in commit 11851cbd60ea. The issue occurs in ovpn_tcp_recv when processing TCP stream data from __strp_rcv, which delivers large cloned socket buffers (skbs) containing multiple coalesced OpenVPN packets. Two distinct bugs exist: (1) using pskb_pull with large offsets causes skb->data - skb->head to overflow the u16 storage of skb->network_header, making skb_reset_network_header fail on decapsulated packets; (2) extracting packets from arbitrary stream positions combined with OpenVPN's 2-byte TCP length prefix causes 4-byte opcode and packet ID fields to become misaligned. The pskb_pull operation also triggers expensive linearization on cloned skbs with page fragments. These are implementation flaws in network packet parsing rather than memory corruption issues, though no formal CWE classification was assigned.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16 or later for 6.18.x series, 6.19.6 or later for 6.19.x series, or 7.0 or later for mainline kernels. Patches are available in stable git branches via commits 7dba6cd7fb168d7615194a631c9c100c1c224131, d4f687fbbce45b5e88438e89b5e26c0c15847992, and 0315bec883c67fa1413c61e504a28dc5bd02eb37 at https://git.kernel.org/stable/. The fix allocates new skbs for each OpenVPN packet and uses skb_copy_bits to extract packet content, avoiding both header offset overflow and misalignment issues. If immediate patching is not feasible, disable the in-tree OpenVPN kernel driver (ovpn module) and migrate to userspace OpenVPN implementations (openvpn package), which are not affected by this vulnerability. Alternatively, configure OpenVPN to use UDP transport mode instead of TCP mode, though this changes protocol characteristics and may not suit all network environments (trade-off: UDP provides better performance but no guaranteed delivery). For systems where kernel OpenVPN TCP is required, implement rate limiting on VPN connection attempts to mitigate potential availability impact until patching is completed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy