CVE-2026-43254

EPSS 0.05%
Veröffentlicht 06.05.2026 11:28:43
Zuletzt bearbeitet 11.05.2026 18:21:13
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

ovpn: tcp - fix packet extraction from stream

In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - fix packet extraction from stream

When processing TCP stream data in ovpn_tcp_recv, we receive large
cloned skbs from __strp_rcv that may contain multiple coalesced packets.
The current implementation has two bugs:

1. Header offset overflow: Using pskb_pull with large offsets on
   coalesced skbs causes skb->data - skb->head to exceed the u16 storage
   of skb->network_header. This causes skb_reset_network_header to fail
   on the inner decapsulated packet, resulting in packet drops.

2. Unaligned protocol headers: Extracting packets from arbitrary
   positions within the coalesced TCP stream provides no alignment
   guarantees for the packet data causing performance penalties on
   architectures without efficient unaligned access. Additionally,
   openvpn's 2-byte length prefix on TCP packets causes the subsequent
   4-byte opcode and packet ID fields to be inherently misaligned.

Fix both issues by allocating a new skb for each openvpn packet and
using skb_copy_bits to extract only the packet content into the new
buffer, skipping the 2-byte length prefix. Also, check the length before
invoking the function that performs the allocation to avoid creating an
invalid skb.

If the packet has to be forwarded to userspace the 2-byte prefix can be
pushed to the head safely, without misalignment.

As a side effect, this approach also avoids the expensive linearization
that pskb_pull triggers on cloned skbs with page fragments. In testing,
this resulted in TCP throughput improvements of up to 74%.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.16 < 6.18.16

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6

Linux ≫ Linux Kernel Version7.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.154

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37

Patch

https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131

Patch

https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-43254

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43254

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43254

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43254