{ "public_date" : "2026-05-06T00:00:00Z", "bugzilla" : { "description" : "kernel: ovpn: tcp - fix packet extraction from stream", "id" : "2467175", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467175" }, "cwe" : "CWE-190", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\novpn: tcp - fix packet extraction from stream\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\nThe current implementation has two bugs:\n1. Header offset overflow: Using pskb_pull with large offsets on\ncoalesced skbs causes skb->data - skb->head to exceed the u16 storage\nof skb->network_header. This causes skb_reset_network_header to fail\non the inner decapsulated packet, resulting in packet drops.\n2. Unaligned protocol headers: Extracting packets from arbitrary\npositions within the coalesced TCP stream provides no alignment\nguarantees for the packet data causing performance penalties on\narchitectures without efficient unaligned access. Additionally,\nopenvpn's 2-byte length prefix on TCP packets causes the subsequent\n4-byte opcode and packet ID fields to be inherently misaligned.\nFix both issues by allocating a new skb for each openvpn packet and\nusing skb_copy_bits to extract only the packet content into the new\nbuffer, skipping the 2-byte length prefix. Also, check the length before\ninvoking the function that performs the allocation to avoid creating an\ninvalid skb.\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\npushed to the head safely, without misalignment.\nAs a side effect, this approach also avoids the expensive linearization\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\nthis resulted in TCP throughput improvements of up to 74%.", "A flaw was found in the Linux kernel's handling of OpenVPN (ovpn) TCP network traffic. This vulnerability occurs when the kernel processes multiple network packets that have been combined into a single stream. An attacker could exploit this by sending specially crafted TCP packets, leading to issues such as dropped packets and reduced network performance, effectively causing a denial of service." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43254\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43254\nhttps://lore.kernel.org/linux-cve-announce/2026050604-CVE-2026-43254-1146@gregkh/T" ], "name" : "CVE-2026-43254", "csaw" : false }