In the Linux kernel, the following vulnerability has been resolved:
ovpn: tcp - don't deref NULL sksocket member after tcpclose()
When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing.
This happens in: ovpnpeerkeepalivework() unlockovpn(release_list)
This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks.
In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of:
tcp_close(sk) __tcpclose(sk) sockorphan(sk) sksetsocket(sk, NULL)
The last function call will set sk->sk_socket to NULL.
When the releasing routine is resumed, ovpntcpsocketdetach() will attempt to dereference sk->sksocket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL.
Fix this race condition by testing-and-accessing sk->sksocket atomically under sk->skcallback_lock.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45918.json",
"cna_assigner": "Linux"
}