CVE-2026-45918 Overview
CVE-2026-45918 is a NULL pointer dereference race condition in the Linux kernel's OpenVPN data channel offload (ovpn) module. The flaw occurs in the TCP transport path when a peer is removed due to keepalive expiration while userspace concurrently closes the underlying socket. The race causes the kernel to dereference a sk_socket field that has already been set to NULL by tcp_close(), leading to a kernel crash.
Critical Impact
A local user able to control an OpenVPN TCP socket can trigger a kernel NULL pointer dereference, resulting in denial of service through a kernel oops or panic.
Affected Products
- Linux kernel branches containing the ovpn in-kernel OpenVPN data channel module
- Distributions shipping kernels prior to the fix commits referenced in the mainline tree
- Systems using OpenVPN over TCP transport with the kernel ovpn implementation
Discovery Timeline
- 2026-05-27 - CVE-2026-45918 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45918
Vulnerability Analysis
The vulnerability resides in the OpenVPN kernel module's peer teardown logic for TCP transports. When a peer's keepalive expires, ovpn_peer_keepalive_work() removes the peer from the OpenVPN hashtable and inserts it into a temporary release list. The release routine later calls ovpn_tcp_socket_detach() to restore the original proto and socket callback operations on the underlying struct sock.
During this window, userspace may invoke close() on the same TCP socket. The kernel path tcp_close() → __tcp_close() → sock_orphan() → sk_set_socket(sk, NULL) clears sk->sk_socket. When ovpn_tcp_socket_detach() resumes and reads sk->sk_socket to restore the original ops pointer, it dereferences NULL, crashing the kernel.
Root Cause
The root cause is a missing synchronization barrier between the deferred peer-release work and tcp_close(). Access to sk->sk_socket was not protected against concurrent nullification, producing a classic time-of-check to time-of-use race [CWE-476, CWE-362]. The fix tests and accesses sk->sk_socket atomically while holding sk->sk_callback_lock.
Attack Vector
A local attacker with the ability to establish or control an OpenVPN TCP session, and to close the socket at a precise moment during peer release, can trigger the dereference. The result is a kernel NULL pointer dereference leading to denial of service. No remote code execution path is described in the upstream commit.
// Patch description (no synthetic exploit code)
// Fix serializes access to sk->sk_socket under sk->sk_callback_lock
// See kernel commits 94560267d6c4, b9142cf4e066, f998b2c4bec4
Detection Methods for CVE-2026-45918
Indicators of Compromise
- Kernel oops or panic messages referencing ovpn_tcp_socket_detach in the call trace
- NULL pointer dereference faults occurring during OpenVPN peer keepalive expiration events
- Unexpected kernel crashes correlated with OpenVPN TCP client disconnects
Detection Strategies
- Monitor dmesg and /var/log/kern.log for oops traces containing ovpn_peer_keepalive_work or ovpn_tcp_socket_detach symbols
- Track kernel version inventory and flag hosts running ovpn-enabled kernels that predate the fix commits 94560267d6c4, b9142cf4e066, and f998b2c4bec4
- Correlate kernel crash telemetry with active OpenVPN TCP connection churn to identify exploitation attempts versus benign faults
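The log check described in the first strategy above, as an added example that is not part of the advisory or the kernel project. It groups kernel log lines into NULL-dereference oops records and reports only those with a confirmed frame in one of the two ovpn symbols; the sample log, its offsets and the `example_driver_irq` symbol are constructed for illustration.

```python
import re

# Symbols the advisory names for this bug's crash traces.
OVPN_SYMBOLS = ("ovpn_tcp_socket_detach", "ovpn_peer_keepalive_work")
# Matches the x86 ("BUG: kernel NULL ...") and arm64 ("Unable to handle kernel NULL ...") banners.
OOPS_START = re.compile(r"kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
# Stack frame "symbol+0xoff/0xlen"; a leading "? " marks a frame the unwinder could not confirm.
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def find_ovpn_oopses(lines):
    """Return one record per NULL-deref oops with a confirmed ovpn frame."""
    oopses, cur = [], None
    for line in lines:
        if OOPS_START.search(line):
            cur = {"banner": line.strip(), "symbols": [], "unreliable": []}
            oopses.append(cur)  # recorded at the banner so a truncated log still counts
        elif cur is not None:
            m = FRAME.search(line)
            if m and m.group(2) in OVPN_SYMBOLS:
                key = "unreliable" if m.group(1) else "symbols"
                if m.group(2) not in cur[key]:
                    cur[key].append(m.group(2))
            if OOPS_END.search(line):
                cur = None
    return [o for o in oopses if o["symbols"]]


# Constructed sample: timestamps, offsets and example_driver_irq are made up.
SAMPLE_LOG = """\
[  812.100001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.100010] RIP: 0010:ovpn_tcp_socket_detach+0x2a/0x110 [ovpn]
[  812.100020] Call Trace:
[  812.100021]  <TASK>
[  812.100030]  ovpn_peer_keepalive_work+0x1c4/0x2e0 [ovpn]
[  812.100040]  process_one_work+0x1a0/0x3d0
[  812.100050]  worker_thread+0x2b0/0x3f0
[  812.100060] ---[ end trace 0000000000000000 ]---
[  900.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  900.000010] RIP: 0010:example_driver_irq+0x10/0x40 [example]
[  900.000020] Call Trace:
[  900.000030]  ? ovpn_tcp_socket_detach+0x5/0x110 [ovpn]
[  900.000040] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for hit in find_ovpn_oopses(SAMPLE_LOG):
        print(hit["banner"], hit["symbols"])
```

The second oops in the sample is not reported because its only ovpn frame is a `?` entry, which keeps unrelated crashes on ovpn-enabled hosts from raising this alert.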
Monitoring Recommendations
- Forward kernel ring buffer events to centralized logging and alert on ovpn module faults
- Audit which hosts load the ovpn kernel module via lsmod and prioritize them for patching
- Watch for repeated socket open/close patterns against OpenVPN TCP listeners that may indicate race exploitation attempts
How to Mitigate CVE-2026-45918
Immediate Actions Required
- Apply the upstream Linux kernel fix commits 94560267d6c4, b9142cf4e066, or f998b2c4bec4 from the stable tree
- Update to a distribution kernel that incorporates the fix and reboot affected systems
- Restrict local access on hosts running OpenVPN with the kernel ovpn module until patching is complete
Patch Information
The fix is available in the mainline and stable kernel trees. Refer to the Kernel Git Commit 94560267, Kernel Git Commit b9142cf4, and Kernel Git Commit f998b2c4. The patch wraps sk->sk_socket access in ovpn_tcp_socket_detach() with sk->sk_callback_lock to prevent the race against tcp_close().
Workarounds
- Use UDP transport instead of TCP for OpenVPN connections where operationally feasible
- Unload the ovpn kernel module on systems that do not require kernel-mode OpenVPN data channel offload
- Limit local user privileges to reduce the ability to manipulate OpenVPN sockets at the precise timing required to trigger the race
# Print the running kernel release to compare against your distribution's fixed version
uname -r
# Inspect whether the ovpn module is loaded
lsmod | grep ovpn
# Optionally unload the module if not required
sudo modprobe -r ovpn


