CVE-2026-43254 Overview
CVE-2026-43254 affects the Linux kernel's ovpn (OpenVPN) module, specifically in the ovpn_tcp_recv function that processes TCP stream data. The flaw involves incorrect packet extraction from coalesced socket buffers (skbs) received from __strp_rcv. Two distinct issues exist: a header offset overflow when pskb_pull is invoked with large offsets on coalesced skbs, and unaligned protocol headers caused by OpenVPN's 2-byte length prefix on TCP packets. The overflow causes skb->data - skb->head to exceed the u16 storage of skb->network_header, leading to packet drops during decapsulation.
Critical Impact
Packet drops on the inner decapsulated packet break OpenVPN TCP transport reliability and degrade throughput on affected kernels.
Affected Products
- Linux kernel versions containing the ovpn TCP transport implementation
- Systems using OpenVPN over TCP through the in-kernel ovpn module
- Distributions shipping kernels prior to commits 0315bec8, 7dba6cd7, and d4f687fb
Discovery Timeline
- 2026-05-06 - CVE-2026-43254 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43254
Vulnerability Analysis
The defect resides in ovpn_tcp_recv, the receive path for OpenVPN TCP transport in the Linux kernel ovpn module. The function receives large cloned skbs from __strp_rcv that may contain multiple coalesced OpenVPN packets within a single TCP stream segment. The implementation uses pskb_pull to advance past prior packets and reach the next OpenVPN frame.
This approach fails on two fronts. First, advancing skb->data through large offsets on coalesced skbs pushes the difference skb->data - skb->head beyond what the u16 field skb->network_header can store. As a result, skb_reset_network_header fails on the inner decapsulated packet and the packet is dropped. Second, extracting packets from arbitrary positions within the coalesced TCP stream offers no alignment guarantees. OpenVPN's 2-byte length prefix forces the subsequent 4-byte opcode and packet ID fields into misaligned positions, causing performance penalties on architectures without efficient unaligned access.
Root Cause
The root cause combines a kernel data-structure size limit with a protocol layout choice. The skb->network_header field is constrained to 16 bits, while pskb_pull on coalesced skbs can produce offsets that exceed this range. The 2-byte length prefix in OpenVPN's TCP framing also breaks natural 4-byte alignment for downstream header fields.
Attack Vector
The condition is triggered by normal TCP stream processing when peer traffic arrives as coalesced segments containing multiple OpenVPN packets. No authenticated exploitation primitive is documented in the advisory; the observable effect is packet drops and degraded throughput. The fix delivered measured TCP throughput improvements of up to 74% in testing.
The corrected implementation allocates a new skb for each OpenVPN packet and uses skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. The patch also validates length before allocation to avoid creating invalid skbs and avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments.
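The per-packet extraction described above, modelled in userspace C as an added example; it is not the kernel patch or code from the advisory. Plain byte buffers stand in for skbs and malloc/memcpy for the skb allocation and skb_copy_bits. The function names, the MIN_FRAME minimum and the constructed 60 x 1400-byte stream are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEN_PREFIX 2 /* OpenVPN TCP framing: 2-byte big-endian length */
#define MIN_FRAME  4 /* assumption: at least the 4-byte opcode/packet-ID word */

/* Copy one frame's payload into its own buffer, skipping the length prefix.
 * The length is validated before allocating; NULL means bad or short frame. */
uint8_t *extract_frame(const uint8_t *s, size_t total, size_t off, size_t *plen)
{
    if (off > total || total - off < LEN_PREFIX) return NULL;
    size_t len = ((size_t)s[off] << 8) | s[off + 1];
    if (len < MIN_FRAME || len > total - off - LEN_PREFIX) return NULL;
    uint8_t *pkt = malloc(len); /* fresh buffer, aligned by the allocator */
    if (!pkt) return NULL;
    memcpy(pkt, s + off + LEN_PREFIX, len);
    *plen = len;
    return pkt;
}

/* Constructed input: n frames of `payload` bytes coalesced back to back. Counts
 * in-stream payload offsets that exceed a u16 or miss a 4-byte boundary. */
int walk_stream(int n, size_t payload, int *ovf, int *unaligned)
{
    size_t total = (size_t)n * (LEN_PREFIX + payload), off = 0, len;
    uint8_t *s = calloc(1, total), *pkt;
    int count = 0;
    *ovf = *unaligned = 0;
    if (!s) return -1;
    for (size_t o = 0; o < total; o += LEN_PREFIX + payload) {
        s[o] = (uint8_t)(payload >> 8); /* write each length prefix */
        s[o + 1] = (uint8_t)payload;
    }
    for (; (pkt = extract_frame(s, total, off, &len)); off += LEN_PREFIX + len) {
        *ovf += off + LEN_PREFIX > UINT16_MAX; /* offset a u16 field cannot hold */
        *unaligned += (off + LEN_PREFIX) % 4 != 0;
        free(pkt);
        count++;
    }
    free(s);
    return count;
}

int main(void)
{
    int ovf, unaligned, n = walk_stream(60, 1400, &ovf, &unaligned);
    return printf("frames=%d u16_overflow=%d unaligned=%d\n", n, ovf, unaligned) < 0;
}
```

Every frame is still recovered because each copy starts at offset zero of its own buffer, while the counters show how many in-place positions in the coalesced stream would have been past a 16-bit offset or off a 4-byte boundary.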
Detection Methods for CVE-2026-43254
Indicators of Compromise
- Unexplained packet drops on OpenVPN TCP tunnels using the in-kernel ovpn module
- Reduced TCP throughput on VPN tunnels relative to expected baseline
- Kernel log entries related to skb_reset_network_header failures on the ovpn receive path
Detection Strategies
- Inventory kernel versions across Linux fleets and compare against the patched commits 0315bec8, 7dba6cd7, and d4f687fb
- Monitor VPN throughput metrics and compare TCP versus UDP transport performance to surface degradation patterns consistent with this defect
- Correlate OpenVPN client reconnection events with kernel ovpn warnings in centralized logs
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and /var/log/messages to a centralized logging or SIEM system for ovpn module messages
- Track OpenVPN session metrics including packet loss counters and tunnel reset frequency
- Alert on sustained TCP retransmission rates on hosts running the in-kernel ovpn module
How to Mitigate CVE-2026-43254
Immediate Actions Required
- Identify Linux hosts running the ovpn kernel module with OpenVPN over TCP transport
- Schedule kernel updates on affected hosts to a release that includes the upstream fix
- Where immediate patching is not feasible, evaluate switching OpenVPN tunnels to UDP transport to bypass the affected code path
Patch Information
The fix is committed in the upstream Linux kernel under three references: Kernel Git Commit 0315be, Kernel Git Commit 7dba6c, and Kernel Git Commit d4f687f. The patch replaces the pskb_pull-based extraction with per-packet skb allocation using skb_copy_bits, eliminating both the header offset overflow and the alignment issues. Apply distribution-provided kernel updates that include these commits.
Workarounds
- Use OpenVPN over UDP transport on affected kernels until updated kernel packages are deployed
- Restrict ovpn TCP usage to controlled test environments while patches are validated
- Run vendor stable kernel branches that backport the referenced commits rather than custom or out-of-tree builds
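# Record the running kernel version before the upgrade
uname -r
# Upgrade the kernel through the distribution metapackage
# (assumes an Ubuntu system on the generic kernel flavour)
sudo apt-get update && sudo apt-get install --only-upgrade linux-image-generic
# Reboot into the new kernel, then run uname -r again to confirm the version changed
sudo reboot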


