Network Device Vulnerability in Linux Kernel Open vSwitch by Linux Foundation
CVE-2026-31678
What is CVE-2026-31678?
A vulnerability has been identified in the Linux kernel's Open vSwitch component that can lead to a race condition in network device management. Specifically, the function ovs_netdev_tunnel_destroy() may run after the device has already been detached via NETDEV_UNREGISTER, potentially causing concurrent readers to access a stale reference. The fix is to stop releasing the reference to vport->dev prematurely within ovs_netdev_tunnel_destroy(). Instead, the reference is dropped by the RCU callback in vport_netdev_free(), matching how the non-tunnel destroy path handles it. This adjustment minimizes the need for additional synchronization under the RTNL, which enhances overall system stability.
Affected Version(s)
Linux a9020fde67a6eb77f8130feff633189f99264db1 < 9d56aced21fb9c104e8a3f3be9b21fbafe448ffc
Linux a9020fde67a6eb77f8130feff633189f99264db1 < 42f0d3d81209654c08ffdde5a34b9b92d2645896
Linux a9020fde67a6eb77f8130feff633189f99264db1