Skip to main content

Linux Kernel CVE-2026-45918

| EUVDEUVD-2026-32384 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-478p-qchq-q398
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition timing requirement justifies AC:H over NVD's AC:L; local low-privilege access required; impact is availability-only via kernel crash, no confidentiality or integrity loss.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:40 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - don't deref NULL sk_socket member after tcp_close()

When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing.

This happens in: ovpn_peer_keepalive_work() unlock_ovpn(release_list)

This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks.

In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of:

tcp_close(sk) __tcp_close(sk) sock_orphan(sk) sk_set_socket(sk, NULL)

The last function call will set sk->sk_socket to NULL.

When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL.

Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock.

AnalysisAI

NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.

Technical ContextAI

The Linux kernel's ovpn module implements the OpenVPN data channel natively in kernel space, supporting both UDP and TCP transports. This vulnerability (CWE-476: NULL Pointer Dereference) arises in the TCP socket handling path - specifically ovpn_tcp_socket_detach() - during peer cleanup triggered by keepalive expiration. The race window opens across two concurrent code paths: the ovpn keepalive worker (ovpn_peer_keepalive_work()) moves a peer to a release list and later attempts to restore the socket's original proto and socket ops/callbacks, while simultaneously a userspace call to tcp_close() → __tcp_close() → sock_orphan() sets sk->sk_socket to NULL via sk_set_socket(). Without atomic protection around the access to sk->sk_socket, the release routine dereferences a NULL pointer and crashes. The upstream fix serializes access to sk->sk_socket under sk->sk_callback_lock, eliminating the race. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from commit 11851cbd60ea1e5abbd97619d69845ead99303d6 onward across three stable branches.

RemediationAI

Upgrade to a patched kernel version: Linux 6.18.14, 6.19.4, or 7.0, which correspond to fix commits 94560267d6c41b1ff3fafbab726e3f8a55a6af34, b9142cf4e066c825ec68752a7dcaceda700bbe26, and f998b2c4bec487063a586695159f9a1856e81c56 respectively at https://git.kernel.org/stable/c/. If an immediate kernel upgrade is not feasible, switching ovpn tunnels from TCP to UDP transport sidesteps the vulnerable tcp_close() code path entirely - note this changes transport-layer behavior and may affect firewall/NAT traversal in environments that block UDP. A second workaround is disabling keepalive on ovpn peers, which prevents the ovpn_peer_keepalive_work() path from running concurrently with socket closure, though this reduces dead-peer detection capability and may cause stale tunnel entries. No patch has been confirmed for the Linux 6.16 stable branch specifically per available data - users on that branch should migrate to a patched stable series (6.18.14+). Advisory references: https://nvd.nist.gov/vuln/detail/CVE-2026-45918.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy