CVE-2026-31678
Received Received - Intake
Use-After-Free Vulnerability in Linux Open vSwitch Tunnel Device Management

Publication date: 2026-04-25

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31678
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 4.3 (inc) to 6.1.168 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Linux kernel's handling of Open vSwitch tunnel network devices. Specifically, the function ovs_netdev_tunnel_destroy() may execute after the network device has already been unregistered and detached, leading to a race condition. This happens because the function drops a reference to the network device while concurrent readers might still be accessing it, causing potential synchronization issues.

The fix defers releasing the network device reference to a Read-Copy-Update (RCU) callback in vport_netdev_free(), aligning with the non-tunnel destroy path and avoiding additional synchronization problems.

Impact Analysis

This vulnerability can cause race conditions in the kernel's network device handling, potentially leading to use-after-free errors or other synchronization issues. Such problems might result in system instability, crashes, or unexpected behavior in network operations involving Open vSwitch tunnels.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31678. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart