{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31678", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.130Z", "datePublished": "2026-04-25T08:46:54.476Z", "dateUpdated": "2026-05-11T22:13:31.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:31.430Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport->dev.\n\nDo not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/vport-netdev.c"], "versions": [{"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "9d56aced21fb9c104e8a3f3be9b21fbafe448ffc", "status": "affected", "versionType": "git"}, {"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "42f0d3d81209654c08ffdde5a34b9b92d2645896", "status": "affected", "versionType": "git"}, {"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "bbe7bd722bfaea36aab3da6cc60fb4a05c644643", "status": "affected", "versionType": "git"}, {"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "98b726ab5e2a4811e27c28e4d041f75bba147eab", "status": "affected", "versionType": "git"}, {"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "b8c56a3fc5d879c0928f207a756b0f067f06c6a8", "status": "affected", "versionType": "git"}, {"version": "a9020fde67a6eb77f8130feff633189f99264db1", "lessThan": "6931d21f87bc6d657f145798fad0bf077b82486c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/vport-netdev.c"], "versions": [{"version": "4.3", "status": "affected"}, {"version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc"}, {"url": "https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896"}, {"url": "https://git.kernel.org/stable/c/bbe7bd722bfaea36aab3da6cc60fb4a05c644643"}, {"url": "https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab"}, {"url": "https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8"}, {"url": "https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c"}], "title": "openvswitch: defer tunnel netdev_put to RCU release", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EB455B5-6DF4-474E-9AFE-9C1854DD0CDC", "versionEndExcluding": "6.1.168", "versionStartIncluding": "4.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport->dev.\n\nDo not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL."}], "id": "CVE-2026-31678", "lastModified": "2026-05-06T21:28:02.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-25T09:16:01.437", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bbe7bd722bfaea36aab3da6cc60fb4a05c644643"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: openvswitch: defer tunnel netdev_put to RCU release", "id": "2461761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461761"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in the Linux kernel's Open vSwitch (OVS) component. A race condition can occur during the destruction of a network device (netdev) tunnel, where the `ovs_netdev_tunnel_destroy()` function may attempt to release a device reference while other parts of the system are still actively using it. This timing issue, or race condition, could lead to system instability or a denial of service (DoS) due to improper resource handling."], "name": "CVE-2026-31678", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31678\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31678\nhttps://lore.kernel.org/linux-cve-announce/2026042544-CVE-2026-31678-79f5@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,9d56aced21fb9c104e8a3f3be9b21fbafe448ffc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,42f0d3d81209654c08ffdde5a34b9b92d2645896)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,bbe7bd722bfaea36aab3da6cc60fb4a05c644643)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,98b726ab5e2a4811e27c28e4d041f75bba147eab)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,b8c56a3fc5d879c0928f207a756b0f067f06c6a8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a9020fde67a6eb77f8130feff633189f99264db1,6931d21f87bc6d657f145798fad0bf077b82486c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:36:59.250840+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch that corrects the reference handling for Open\u202fvSwitch tunnels by upgrading to a kernel version that contains the fix.", "If an upgrade is not immediately possible, unload or permanently block the openvswitch kernel module to eliminate the vulnerable code path.", "After applying the patch or unloading the module, reboot the system to ensure all RCU callbacks have been processed and reference counts reset."], "summary": {"action": "Patch kernel", "impact": "Kernel memory corruption or possible privilege escalation via use\u2011after\u2011free in Open\u202fvSwitch tunnel teardown"}, "threat_synthesis": {"affected_systems": "Any Linux kernel that includes the Open\u202fvSwitch module before the fix is applied is affected. The advisory does not list version ranges, so all kernels containing the vulnerable destroy path are susceptible until the patch is deployed.", "description_and_impact": "The Linux kernel\u2019s Open\u202fvSwitch code contains a flaw in which the netdev_put reference for a tunnel device is removed after the device has already been unregistered. This race condition can cause a use\u2011after\u2011free, allowing an attacker to corrupt kernel memory. If exploited, the corruption could lead to a kernel panic or provide a foothold for arbitrary kernel code execution. The weakness is classified as CWE\u2011367.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1\u202f% shows a low probability of exploitation and there are no known public exploits or KEV inclusion. Based on the description, it is inferred that an attacker would need local or privileged rights to trigger the Open\u202fvSwitch tunnel teardown, and because the flaw is a race condition, the outcome is non\u2011deterministic. Nonetheless, the potential for kernel restarts or privilege escalation warrants prompt action."}}}}, "created": "2026-04-27T19:15:11.611280+00:00", "updated": "2026-04-29T01:45:26.021043+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}