CVE-2026-31678
Use-After-Free Vulnerability in Linux Open vSwitch Tunnel Device Management
Publication date: 2026-04-25
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openvswitch | openvswitch | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Linux kernel's handling of Open vSwitch tunnel network devices. Specifically, the function ovs_netdev_tunnel_destroy() may execute after the network device has already been unregistered and detached, leading to a race condition. This happens because the function drops a reference to the network device while concurrent readers might still be accessing it, causing potential synchronization issues.
The fix defers releasing the network device reference to a Read-Copy-Update (RCU) callback in vport_netdev_free(), aligning with the non-tunnel destroy path and avoiding additional synchronization problems.
How can this vulnerability impact me? :
This vulnerability can cause race conditions in the kernel's network device handling, potentially leading to use-after-free errors or other synchronization issues. Such problems might result in system instability, crashes, or unexpected behavior in network operations involving Open vSwitch tunnels.