GHSA-478P-QCHQ-Q398
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33In the Linux kernel, the following vulnerability has been resolved:
ovpn: tcp - don't deref NULL sk_socket member after tcp_close()
When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing.
This happens in: ovpn_peer_keepalive_work() unlock_ovpn(release_list)
This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks.
In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of:
tcp_close(sk) __tcp_close(sk) sock_orphan(sk) sk_set_socket(sk, NULL)
The last function call will set sk->sk_socket to NULL.
When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL.
Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock.
{
"affected": [],
"aliases": [
"CVE-2026-45918"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:06Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\novpn: tcp - don\u0027t deref NULL sk_socket member after tcp_close()\n\nWhen deleting a peer in case of keepalive expiration, the peer is\nremoved from the OpenVPN hashtable and is temporary inserted in a\n\"release list\" for further processing.\n\nThis happens in:\novpn_peer_keepalive_work()\n unlock_ovpn(release_list)\n\nThis processing includes detaching from the socket being used to\ntalk to this peer, by restoring its original proto and socket\nops/callbacks.\n\nIn case of TCP it may happen that, while the peer is sitting in\nthe release list, userspace decides to close the socket.\nThis will result in a concurrent execution of:\n\ntcp_close(sk)\n __tcp_close(sk)\n sock_orphan(sk)\n sk_set_socket(sk, NULL)\n\nThe last function call will set sk-\u003esk_socket to NULL.\n\nWhen the releasing routine is resumed, ovpn_tcp_socket_detach()\nwill attempt to dereference sk-\u003esk_socket to restore its original\nops member. This operation will crash due to sk-\u003esk_socket being NULL.\n\nFix this race condition by testing-and-accessing\nsk-\u003esk_socket atomically under sk-\u003esk_callback_lock.",
"id": "GHSA-478p-qchq-q398",
"modified": "2026-05-27T15:33:16Z",
"published": "2026-05-27T15:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45918"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94560267d6c41b1ff3fafbab726e3f8a55a6af34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9142cf4e066c825ec68752a7dcaceda700bbe26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f998b2c4bec487063a586695159f9a1856e81c56"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.