CVE-2026-43254 (GCVE-0-2026-43254)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-08 12:41
VLAI?
Title
ovpn: tcp - fix packet extraction from stream
Summary
In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 11851cbd60ea1e5abbd97619d69845ead99303d6 , < 0315bec883c67fa1413c61e504a28dc5bd02eb37 (git)
Affected: 11851cbd60ea1e5abbd97619d69845ead99303d6 , < 7dba6cd7fb168d7615194a631c9c100c1c224131 (git)
Affected: 11851cbd60ea1e5abbd97619d69845ead99303d6 , < d4f687fbbce45b5e88438e89b5e26c0c15847992 (git)
Create a notification for this product.
    Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ovpn/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0315bec883c67fa1413c61e504a28dc5bd02eb37",
              "status": "affected",
              "version": "11851cbd60ea1e5abbd97619d69845ead99303d6",
              "versionType": "git"
            },
            {
              "lessThan": "7dba6cd7fb168d7615194a631c9c100c1c224131",
              "status": "affected",
              "version": "11851cbd60ea1e5abbd97619d69845ead99303d6",
              "versionType": "git"
            },
            {
              "lessThan": "d4f687fbbce45b5e88438e89b5e26c0c15847992",
              "status": "affected",
              "version": "11851cbd60ea1e5abbd97619d69845ead99303d6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ovpn/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novpn: tcp - fix packet extraction from stream\n\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\nThe current implementation has two bugs:\n\n1. Header offset overflow: Using pskb_pull with large offsets on\n   coalesced skbs causes skb-\u003edata - skb-\u003ehead to exceed the u16 storage\n   of skb-\u003enetwork_header. This causes skb_reset_network_header to fail\n   on the inner decapsulated packet, resulting in packet drops.\n\n2. Unaligned protocol headers: Extracting packets from arbitrary\n   positions within the coalesced TCP stream provides no alignment\n   guarantees for the packet data causing performance penalties on\n   architectures without efficient unaligned access. Additionally,\n   openvpn\u0027s 2-byte length prefix on TCP packets causes the subsequent\n   4-byte opcode and packet ID fields to be inherently misaligned.\n\nFix both issues by allocating a new skb for each openvpn packet and\nusing skb_copy_bits to extract only the packet content into the new\nbuffer, skipping the 2-byte length prefix. Also, check the length before\ninvoking the function that performs the allocation to avoid creating an\ninvalid skb.\n\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\npushed to the head safely, without misalignment.\n\nAs a side effect, this approach also avoids the expensive linearization\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\nthis resulted in TCP throughput improvements of up to 74%."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T12:41:37.366Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992"
        }
      ],
      "title": "ovpn: tcp - fix packet extraction from stream",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43254",
    "datePublished": "2026-05-06T11:28:43.871Z",
    "dateReserved": "2026-05-01T14:12:55.996Z",
    "dateUpdated": "2026-05-08T12:41:37.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43254",
      "date": "2026-05-09",
      "epss": "0.00038",
      "percentile": "0.11282"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43254\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:46.143\",\"lastModified\":\"2026-05-08T13:16:47.717\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\novpn: tcp - fix packet extraction from stream\\n\\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\\nThe current implementation has two bugs:\\n\\n1. Header offset overflow: Using pskb_pull with large offsets on\\n   coalesced skbs causes skb-\u003edata - skb-\u003ehead to exceed the u16 storage\\n   of skb-\u003enetwork_header. This causes skb_reset_network_header to fail\\n   on the inner decapsulated packet, resulting in packet drops.\\n\\n2. Unaligned protocol headers: Extracting packets from arbitrary\\n   positions within the coalesced TCP stream provides no alignment\\n   guarantees for the packet data causing performance penalties on\\n   architectures without efficient unaligned access. Additionally,\\n   openvpn\u0027s 2-byte length prefix on TCP packets causes the subsequent\\n   4-byte opcode and packet ID fields to be inherently misaligned.\\n\\nFix both issues by allocating a new skb for each openvpn packet and\\nusing skb_copy_bits to extract only the packet content into the new\\nbuffer, skipping the 2-byte length prefix. Also, check the length before\\ninvoking the function that performs the allocation to avoid creating an\\ninvalid skb.\\n\\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\\npushed to the head safely, without misalignment.\\n\\nAs a side effect, this approach also avoids the expensive linearization\\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\\nthis resulted in TCP throughput improvements of up to 74%.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.