Description
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
References (6)
Core 6
Core References
Scores
CVSS v3
7.8
EPSS
0.0010
EPSS Percentile
0.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-367
Status
published
Products (21)
linux/Kernel
4.3.0 - 6.1.168linux
linux/Kernel
6.13.0 - 6.18.21linux
linux/Kernel
6.19.0 - 6.19.11linux
linux/Kernel
6.2.0 - 6.6.131linux
linux/Kernel
6.7.0 - 6.12.80linux
Linux/Linux
< 4.3
Linux/Linux
4.3
Linux/Linux
6.1.168 - 6.1.*
Linux/Linux
6.12.80 - 6.12.*
Linux/Linux
6.18.21 - 6.18.*
... and 11 more
Published
Apr 25, 2026
Tracked Since
Apr 25, 2026