CVE-2026-31678

Summary

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: defer tunnel netdev_put to RCU release

ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev.

Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < 9d56aced21fb9c104e8a3f3be9b21fbafe448ffcaffected
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < 42f0d3d81209654c08ffdde5a34b9b92d2645896affected
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < bbe7bd722bfaea36aab3da6cc60fb4a05c644643affected
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < 98b726ab5e2a4811e27c28e4d041f75bba147eabaffected
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < b8c56a3fc5d879c0928f207a756b0f067f06c6a8affected
LinuxLinuxa9020fde67a6eb77f8130feff633189f99264db1 < 6931d21f87bc6d657f145798fad0bf077b82486caffected
LinuxLinux4.3affected
LinuxLinux0 < 4.3unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References