CVE-2026-45918

Source
https://cve.org/CVERecord?id=CVE-2026-45918
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45918
Downstream
Published
2026-05-27T12:17:34.500Z
Modified
2026-07-08T08:13:33.570905446Z
Summary
ovpn: tcp - don't deref NULL sk_socket member after tcp_close()
Details

In the Linux kernel, the following vulnerability has been resolved:

ovpn: tcp - don't deref NULL sksocket member after tcpclose()

When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing.

This happens in: ovpnpeerkeepalivework() unlockovpn(release_list)

This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks.

In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of:

tcp_close(sk) __tcpclose(sk) sockorphan(sk) sksetsocket(sk, NULL)

The last function call will set sk->sk_socket to NULL.

When the releasing routine is resumed, ovpntcpsocketdetach() will attempt to dereference sk->sksocket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL.

Fix this race condition by testing-and-accessing sk->sksocket atomically under sk->skcallback_lock.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45918.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
11851cbd60ea1e5abbd97619d69845ead99303d6
Fixed
f998b2c4bec487063a586695159f9a1856e81c56
Fixed
b9142cf4e066c825ec68752a7dcaceda700bbe26
Fixed
94560267d6c41b1ff3fafbab726e3f8a55a6af34

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45918.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45918.json"