In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpnnetxmit When building the skblist in ovpnnetxmit, skbsharecheck will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skbdstdrop (even though all segments produced by skbgsosegment will have a dst attached), - ovpnpeerstatsincrementtx. Fix this by moving the peer lookup and skbdstdrop before segmentation so that the original skb is still valid when used. Return early if all segments fail skbsharecheck and the list ends up empty. Also switch ovpnpeerstatsincrementtx to use skblist.next; the next patch fixes the stats logic.