HIGHCVE-2026-31678Published Modified CNA Linux
CVE-2026-31678: openvswitch: defer tunnel netdev_put to RCU release
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
042f0d3d81209654c08ffdde5a34b9b92d26458966.1.1686.6.1316.12.806.18.216.19.116931d21f87bc6d657f145798fad0bf077b82486c7.098b726ab5e2a4811e27c28e4d041f75bba147eab9d56aced21fb9c104e8a3f3be9b21fbafe448ffcb8c56a3fc5d879c0928f207a756b0f067f06c6a8bbe7bd722bfaea36aab3da6cc60fb4a05c644643
Affected packages
- Linux / Linux< 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc (from a9020fde67a6eb77f8130feff633189f99264db1) · < 42f0d3d81209654c08ffdde5a34b9b92d2645896 (from a9020fde67a6eb77f8130feff633189f99264db1) · < bbe7bd722bfaea36aab3da6cc60fb4a05c644643 (from a9020fde67a6eb77f8130feff633189f99264db1) · < 98b726ab5e2a4811e27c28e4d041f75bba147eab (from a9020fde67a6eb77f8130feff633189f99264db1) · < b8c56a3fc5d879c0928f207a756b0f067f06c6a8 (from a9020fde67a6eb77f8130feff633189f99264db1) · < 6931d21f87bc6d657f145798fad0bf077b82486c (from a9020fde67a6eb77f8130feff633189f99264db1)
- Linux / Linux4.3Fixed in 0, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H