Race Condition in Open vSwitch Tunnel Destruction via Netdev Release
CVE-2026-31678 Published on April 25, 2026
openvswitch: defer tunnel netdev_put to RCU release
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: defer tunnel netdev_put to RCU release
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already
detached the device. Dropping the netdev reference in destroy can race
with concurrent readers that still observe vport->dev.
Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let
vport_netdev_free() drop the reference from the RCU callback, matching
the non-tunnel destroy path and avoiding additional synchronization
under RTNL.
Products Associated with CVE-2026-31678
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version a9020fde67a6eb77f8130feff633189f99264db1 and below 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc is affected.
- Version a9020fde67a6eb77f8130feff633189f99264db1 and below 42f0d3d81209654c08ffdde5a34b9b92d2645896 is affected.
- Version a9020fde67a6eb77f8130feff633189f99264db1 and below bbe7bd722bfaea36aab3da6cc60fb4a05c644643 is affected.
- Version a9020fde67a6eb77f8130feff633189f99264db1 and below 98b726ab5e2a4811e27c28e4d041f75bba147eab is affected.
- Version a9020fde67a6eb77f8130feff633189f99264db1 and below b8c56a3fc5d879c0928f207a756b0f067f06c6a8 is affected.
- Version a9020fde67a6eb77f8130feff633189f99264db1 and below 6931d21f87bc6d657f145798fad0bf077b82486c is affected.
- Version 4.3 is affected.
- Before 4.3 is unaffected.
- Version 6.1.168, <= 6.1.* is unaffected.
- Version 6.6.131, <= 6.6.* is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.