CVE-2026-45917 - Vulnerability Details

- ipvs: do not keep dest_dst if dev is going down

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvs: do not keep dest_dst if dev is going down

There is race between the netdev notifier ip_vs_dst_event()
and the code that caches dst with dev that is going down.
As the FIB can be notified for the closed device after our
handler finishes, it is possible valid route to be returned
and cached resuling in a leaked dev reference until the dest
is not removed.

To prevent new dest_dst to be attached to dest just after the
handler dropped the old one, add a netif_running() check
to make sure the notifier handler is not currently running
for device that is closing.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In Linux kernels that implement the IP Virtual Server (IPVS) subsystem, a race condition exists between the network device notifier ip_vs_dst_event() and the code that caches destination routes when a network device is shut down. The race can allow a valid route to be returned from the routing stack after the notifier has released its reference to the now‑down device. The kernel may then keep a stale reference to the device in the IPVS destination structure, which could lead to instability or a crash if the reference is accessed later. This vulnerability is a classic resource‑leak race condition (CWE‑362).

Affected Systems

All Linux kernel builds that include the IPVS facility are affected. No specific kernel version boundaries were enumerated in the CNA data; the patch that introduces a netif_running() check appears in the mainline after the referenced commits.

Risk and Exploitability

The CVE does not provide an EPSS score and is not listed in CISA's KEV catalog, suggesting no known public exploitation. The vulnerability requires control over network device shutdown timing and IPVS route updates, which generally needs elevated privileges. While the likelihood of successful exploitation is uncertain, the potential impact on system stability warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7a4f0761fce32ff4918a7c23b08db564ad33092d`	affected	< 64af43033503458c46023e56d6ae7bb0f824b55f
`7a4f0761fce32ff4918a7c23b08db564ad33092d`	affected	< bae53b3baf2ff2f45f9205c438818fc055601a54
`7a4f0761fce32ff4918a7c23b08db564ad33092d`	affected	< 024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e
`7a4f0761fce32ff4918a7c23b08db564ad33092d`	affected	< 8fde939b0206afc1d5846217a01a16b9bc8c7896

Linux

affected

Version	Status	Constraints
`2.6.39`	affected	—
`0`	unaffected	< 2.6.39
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7a4f0761fce32ff4918a7c23b08db564ad33092d,64af43033503458c46023e56d6ae7bb0f824b55f)`	affected	code_commit	—
`[7a4f0761fce32ff4918a7c23b08db564ad33092d,bae53b3baf2ff2f45f9205c438818fc055601a54)`	affected	code_commit	—
`[7a4f0761fce32ff4918a7c23b08db564ad33092d,024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e)`	affected	code_commit	—
`[7a4f0761fce32ff4918a7c23b08db564ad33092d,8fde939b0206afc1d5846217a01a16b9bc8c7896)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.39`	affected	semver	—
`[0,2.6.39)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that contains the commit series adding the netif_running() check in the IPVS event handler.
After performing the kernel upgrade, verify that the kernel has been reloaded and that no stale IPVS destination entries remain; reinitialize IPVS with the updated kernel.
Monitor kernel logs for any IPVS destination or device drop events following the upgrade; if such events persist, consider limiting IPVS route caching or disabling automatic route updates until the fix is confirmed active.

Generated by OpenCVE AI on May 27, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e
https://git.kernel.org/stable/c/64af43033503458c46023e56d6ae7bb0f824b55f
https://git.kernel.org/stable/c/8fde939b0206afc1d5846217a01a16b9bc8c7896
https://git.kernel.org/stable/c/bae53b3baf2ff2f45f9205c438818fc055601a54
https://lore.kernel.org/linux-cve-announce/2026052723-CVE-2026-45917-7597@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45917
https://www.cve.org/CVERecord?id=CVE-2026-45917

History

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026052723-CVE-2026-45917-7597@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45917 https://www.cve.org/CVERecord?id=CVE-2026-45917
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-399

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ipvs: do not keep dest_dst if dev is going down There is race between the netdev notifier ip_vs_dst_event() and the code that caches dst with dev that is going down. As the FIB can be notified for the closed device after our handler finishes, it is possible valid route to be returned and cached resuling in a leaked dev reference until the dest is not removed. To prevent new dest_dst to be attached to dest just after the handler dropped the old one, add a netif_running() check to make sure the notifier handler is not currently running for device that is closing.
Title		ipvs: do not keep dest_dst if dev is going down
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e https://git.kernel.org/stable/c/64af43033503458c46023e56d6ae7bb0f824b55f https://git.kernel.org/stable/c/8fde939b0206afc1d5846217a01a16b9bc8c7896 https://git.kernel.org/stable/c/bae53b3baf2ff2f45f9205c438818fc055601a54

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:33.337Z

Updated: 2026-05-27T12:17:33.337Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45917

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.587

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45917

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45917 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-27T20:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object