{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43254","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.996Z","datePublished":"2026-05-06T11:28:43.871Z","dateUpdated":"2026-05-11T22:20:59.540Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:20:59.540Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\novpn: tcp - fix packet extraction from stream\n\nWhen processing TCP stream data in ovpn_tcp_recv, we receive large\ncloned skbs from __strp_rcv that may contain multiple coalesced packets.\nThe current implementation has two bugs:\n\n1. Header offset overflow: Using pskb_pull with large offsets on\n   coalesced skbs causes skb->data - skb->head to exceed the u16 storage\n   of skb->network_header. This causes skb_reset_network_header to fail\n   on the inner decapsulated packet, resulting in packet drops.\n\n2. Unaligned protocol headers: Extracting packets from arbitrary\n   positions within the coalesced TCP stream provides no alignment\n   guarantees for the packet data causing performance penalties on\n   architectures without efficient unaligned access. Additionally,\n   openvpn's 2-byte length prefix on TCP packets causes the subsequent\n   4-byte opcode and packet ID fields to be inherently misaligned.\n\nFix both issues by allocating a new skb for each openvpn packet and\nusing skb_copy_bits to extract only the packet content into the new\nbuffer, skipping the 2-byte length prefix. Also, check the length before\ninvoking the function that performs the allocation to avoid creating an\ninvalid skb.\n\nIf the packet has to be forwarded to userspace the 2-byte prefix can be\npushed to the head safely, without misalignment.\n\nAs a side effect, this approach also avoids the expensive linearization\nthat pskb_pull triggers on cloned skbs with page fragments. In testing,\nthis resulted in TCP throughput improvements of up to 74%."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ovpn/tcp.c"],"versions":[{"version":"11851cbd60ea1e5abbd97619d69845ead99303d6","lessThan":"0315bec883c67fa1413c61e504a28dc5bd02eb37","status":"affected","versionType":"git"},{"version":"11851cbd60ea1e5abbd97619d69845ead99303d6","lessThan":"7dba6cd7fb168d7615194a631c9c100c1c224131","status":"affected","versionType":"git"},{"version":"11851cbd60ea1e5abbd97619d69845ead99303d6","lessThan":"d4f687fbbce45b5e88438e89b5e26c0c15847992","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ovpn/tcp.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37"},{"url":"https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131"},{"url":"https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992"}],"title":"ovpn: tcp - fix packet extraction from stream","x_generator":{"engine":"bippy-1.2.0"}}}}