Description
In the Linux kernel, the following vulnerability has been resolved:

openvswitch: defer tunnel netdev_put to RCU release

ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still observe vport->dev.

Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let
vport_netdev_free() drop the reference from the RCU callback, matching
the non-tunnel destroy path and avoiding additional synchronization
under RTNL.
Published: 2026-04-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption or possible privilege escalation via use‑after‑free in Open vSwitch tunnel teardown
Action: Patch kernel
AI Analysis

Impact

The Linux kernel’s Open vSwitch code contains a flaw in the tunnel teardown path: ovs_netdev_tunnel_destroy() drops the netdev reference (netdev_put) even when NETDEV_UNREGISTER has already detached the device, while concurrent readers may still observe vport->dev. This race condition can cause a use‑after‑free, allowing an attacker to corrupt kernel memory. If exploited, the corruption could lead to a kernel panic or provide a foothold for arbitrary kernel code execution. The weakness is classified as CWE‑367.

Affected Systems

Any Linux kernel that includes the Open vSwitch module before the fix is applied is affected. The advisory does not list version ranges, so all kernels containing the vulnerable destroy path are susceptible until the patch is deployed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% indicates a low probability of exploitation, and there are no known public exploits and no KEV listing. Based on the description, it is inferred that an attacker would need local or privileged rights to trigger the Open vSwitch tunnel teardown, and because the flaw is a race condition, the outcome is non‑deterministic. Nonetheless, the potential for kernel restarts or privilege escalation warrants prompt action.

Generated by OpenCVE AI on April 29, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that corrects the reference handling for Open vSwitch tunnels by upgrading to a kernel version that contains the fix.
  • If an upgrade is not immediately possible, unload or permanently block the openvswitch kernel module to eliminate the vulnerable code path.
  • After applying the patch or unloading the module, reboot the system to ensure all RCU callbacks have been processed and reference counts reset.
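The module-blocking interim measure can be checked with a short script. The following is an added example, not part of the advisory or of OpenCVE's tooling: it reports whether openvswitch is loaded and whether a modprobe.d rule actually prevents loading. A `blacklist` line only disables alias-based autoloading and does not stop an explicit load by name, whereas an `install ... /bin/false` override does. Function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the openvswitch module.
# Function names are hypothetical; arguments default to the live system.

ovs_loaded() {  # $1: file in /proc/modules format
    grep -q '^openvswitch ' "${1:-/proc/modules}"
}

# Prints "install" when an install override stops modprobe from loading the
# module, "blacklist" when only a blacklist line exists, else "none".
# Only one directory is scanned; modprobe also reads /usr/lib/modprobe.d etc.
ovs_block_mode() {  # $1: modprobe.d-style directory
    dir="${1:-/etc/modprobe.d}"; mode=none
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+openvswitch[[:space:]]+(/usr)?/bin/(false|true)' "$f"; then
            echo install; return 0
        fi
        grep -Eq '^[[:space:]]*blacklist[[:space:]]+openvswitch([[:space:]]|$)' "$f" && mode=blacklist
    done
    echo "$mode"
}

ovs_exposure() {  # $1: modules file, $2: modprobe.d directory
    if ovs_loaded "$1"; then echo loaded; return 0; fi
    case "$(ovs_block_mode "$2")" in
        install)   echo blocked ;;          # modprobe cannot load it
        blacklist) echo blacklist-only ;;   # explicit modprobe still works
        *)         echo loadable ;;
    esac
}

# Constructed sample input, not taken from a real host.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'nf_nat 57344 1 openvswitch, Live 0x0\nopenvswitch 200704 0 - Live 0x0\n' > "$demo/loaded"
printf 'nf_nat 57344 0 - Live 0x0\n' > "$demo/unloaded"
mkdir "$demo/weak" "$demo/strong" "$demo/empty"
printf '# constructed\nblacklist openvswitch\n' > "$demo/weak/ovs.conf"
printf 'install openvswitch /bin/false\n' > "$demo/strong/ovs.conf"
echo "module loaded:       $(ovs_exposure "$demo/loaded" "$demo/strong")"
echo "install override:    $(ovs_exposure "$demo/unloaded" "$demo/strong")"
echo "blacklist line only: $(ovs_exposure "$demo/unloaded" "$demo/weak")"
echo "no rule at all:      $(ovs_exposure "$demo/unloaded" "$demo/empty")"
```

Called with no arguments, `ovs_exposure` reads `/proc/modules` and `/etc/modprobe.d` on the host it runs on.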


Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics
Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics
Removed: threat_severity None
Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Added: threat_severity Moderate


Sat, 25 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
Title openvswitch: defer tunnel netdev_put to RCU release
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:31.430Z

Reserved: 2026-03-09T15:48:24.130Z

Link: CVE-2026-31678

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-25T09:16:01.437

Modified: 2026-05-06T21:28:02.227

Link: CVE-2026-31678

Redhat

Severity : Moderate

Public Date: 2026-04-25T00:00:00Z

Links: CVE-2026-31678 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses