HIGH
openvswitch Tunnel Race
CVE-2026-31678
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.6MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
02KernelScan AI Analysis
Risk summary
A race condition in Open vSwitch tunnel destruction leads to use-after-free when concurrent RCU readers access the netdev structure after its reference is dropped. On default kernels, CAP_NET_ADMIN is obtainable via user namespaces, allowing unprivileged local users to reach the vulnerable tunnel destruction path. Successful exploitation can result in kernel memory corruption, information disclosure, or system crash.
Vulnerability analysis
The vulnerability stems from ovs_netdev_tunnel_destroy() releasing the netdev reference while RCU readers may still observe vport->dev. The race occurs between NETDEV_UNREGISTER detaching the device and the premature netdev_put(), allowing concurrent readers to access stale or freed memory. The fix defers the netdev_put() to the RCU callback in vport_netdev_free(), aligning with the non-tunnel path and ensuring proper RCU synchronization. Because Open vSwitch vport operations check capabilities against the current network namespace, unprivileged attackers can create user namespaces, gain CAP_NET_ADMIN, and trigger the vulnerable tunnel destruction code path.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.168 | 9d56aced21fb |
| 6.12 | 6.12.80 | bbe7bd722bfa |
| 6.18 | 6.18.21 | 98b726ab5e2a |
| 6.19 | 6.19.11 | b8c56a3fc5d8 |
| 6.6 | 6.6.131 | 42f0d3d81209 |
| mainline | 7.0 | 6931d21f87bc |