CVE-2026-31678

HIGH

openvswitch: defer tunnel netdev_put to RCU release

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.

Scores

CVSS v3 7.8
EPSS 0.0010
EPSS Percentile 0.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-367
Status published
Products (21)
linux/Kernel 4.3.0 - 6.1.168linux
linux/Kernel 6.13.0 - 6.18.21linux
linux/Kernel 6.19.0 - 6.19.11linux
linux/Kernel 6.2.0 - 6.6.131linux
linux/Kernel 6.7.0 - 6.12.80linux
Linux/Linux < 4.3
Linux/Linux 4.3
Linux/Linux 6.1.168 - 6.1.*
Linux/Linux 6.12.80 - 6.12.*
Linux/Linux 6.18.21 - 6.18.*
... and 11 more
Published Apr 25, 2026
Tracked Since Apr 25, 2026