Description
In the Linux kernel, the following vulnerability has been resolved:

ipvs: do not keep dest_dst if dev is going down

There is race between the netdev notifier ip_vs_dst_event()
and the code that caches dst with dev that is going down.
As the FIB can be notified for the closed device after our
handler finishes, it is possible valid route to be returned
and cached resuling in a leaked dev reference until the dest
is not removed.

To prevent new dest_dst to be attached to dest just after the
handler dropped the old one, add a netif_running() check
to make sure the notifier handler is not currently running
for device that is closing.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Linux kernels that implement the IP Virtual Server (IPVS) subsystem, a race exists between the network device notifier ip_vs_dst_event() and the code that caches destination routes when a device is shut down. The race can cause the kernel to keep a stale reference to a device that has already been deactivated, potentially leading to instability or crashes when the reference is later accessed. The weakness is a resource‑leak race condition, reflected in CWE‑367.

Affected Systems

All Linux kernel releases that include the IPVS facility are affected. No specific version range is listed, but the fix was introduced in mainline after the referenced commits and is included in subsequent kernel releases.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity vulnerability. The EPSS score of less than 1% and absence from CISA's KEV catalog suggest that no public exploitation has been documented. The CVE description does not specify an attacker model or attack vector, but the issue arises when a network device being taken down is cached by IPVS, potentially resulting in a resource leak. While the exact impact on stability or availability is not detailed, a leaked reference could lead to kernel instability or crashes if accessed. Because the vulnerability manifests during normal kernel operations for systems using IPVS during device shutdown, no specific remote or elevated privileges are mentioned beyond host access, and the risk is primarily the accidental retention of a device reference until it is removed.

Generated by OpenCVE AI on May 28, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the commit series adding the netif_running() check in the IPVS event handler.
  • After updating the kernel, restart any services that rely on IPVS or reinitialize IPVS to clear potentially stale destination entries.
  • Continuously monitor system logs for IPVS‑related errors or reference leaks; if such events persist, consider limiting or disabling IPVS route caching until the kernel patch is confirmed active.

Generated by OpenCVE AI on May 28, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-399

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-399

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipvs: do not keep dest_dst if dev is going down There is race between the netdev notifier ip_vs_dst_event() and the code that caches dst with dev that is going down. As the FIB can be notified for the closed device after our handler finishes, it is possible valid route to be returned and cached resuling in a leaked dev reference until the dest is not removed. To prevent new dest_dst to be attached to dest just after the handler dropped the old one, add a netif_running() check to make sure the notifier handler is not currently running for device that is closing.
Title ipvs: do not keep dest_dst if dev is going down
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:33.337Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45917

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.587

Modified: 2026-06-17T10:52:43.653

Link: CVE-2026-45917

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45917 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T16:30:15Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition