{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31508","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.106Z","datePublished":"2026-04-22T13:54:26.599Z","dateUpdated":"2026-05-11T22:10:08.934Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:10:08.934Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[  998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[  998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[  998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[  998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[  998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[  998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[  998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[  998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[  998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[  998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[  998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[  998.393931] FS:  00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[  998.393936] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[  998.393944] PKRU: 55555554\n[  998.393946] Call Trace:\n[  998.393949]  <TASK>\n[  998.393952]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393961]  ? show_trace_log_lvl+0x1b0/0x2f0\n[  998.393975]  ? dp_device_event+0x41/0x80 [openvswitch]\n[  998.394009]  ? __die_body.cold+0x8/0x12\n[  998.394016]  ? die_addr+0x3c/0x60\n[  998.394027]  ? exc_general_protection+0x16d/0x390\n[  998.394042]  ? asm_exc_general_protection+0x26/0x30\n[  998.394058]  ? dev_set_promiscuity+0x8d/0xa0\n[  998.394066]  ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[  998.394092]  dp_device_event+0x41/0x80 [openvswitch]\n[  998.394102]  notifier_call_chain+0x5a/0xd0\n[  998.394106]  unregister_netdevice_many_notify+0x51b/0xa60\n[  998.394110]  rtnl_dellink+0x169/0x3e0\n[  998.394121]  ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[  998.394125]  rtnetlink_rcv_msg+0x142/0x3f0\n[  998.394128]  ? avc_has_perm_noaudit+0x69/0xf0\n[  998.394130]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[  998.394132]  netlink_rcv_skb+0x50/0x100\n[  998.394138]  netlink_unicast+0x292/0x3f0\n[  998.394141]  netlink_sendmsg+0x21b/0x470\n[  998.394145]  ____sys_sendmsg+0x39d/0x3d0\n[  998.394149]  ___sys_sendmsg+0x9a/0xe0\n[  998.394156]  __sys_sendmsg+0x7a/0xd0\n[  998.394160]  do_syscall_64+0x7f/0x170\n[  998.394162]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  998.394165] RIP: 0033:0x7fad61bf4724\n[  998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[  998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[  998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[  998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[  998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[  998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2\n---truncated---"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/openvswitch/vport-netdev.c"],"versions":[{"version":"b823c3344d5446b720227ba561df10a4f0add515","lessThan":"df3c95be76103604e752131d9495a24814915ece","status":"affected","versionType":"git"},{"version":"052e5db5be4576e0a8ef1460b210da5f328f4cd1","lessThan":"33609454be4f582e686a4bf13d4482a5ca0f6c4b","status":"affected","versionType":"git"},{"version":"c98263d5ace597c096a7a60aeef790da7b54979e","lessThan":"5fdeaf591a0942772c2d18ff3563697a49ad01c6","status":"affected","versionType":"git"},{"version":"0fc642f011cb7a7eff41109e66d3b552e9f4d795","lessThan":"4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8","status":"affected","versionType":"git"},{"version":"5116f61ab11846844585c9082c547c4ccd97ff1a","lessThan":"43579baa17270aa51f93eb09b6e4af6e047b7f6e","status":"affected","versionType":"git"},{"version":"f31557fb1b35332cca9994aa196cef284bcf3807","lessThan":"95265232b49765a4d00f4d028c100bb7185600f4","status":"affected","versionType":"git"},{"version":"5498227676303e3ffa9a3a46214af96bc3e81314","lessThan":"755a6300afbd743cda4b102f24f343380ec0e0ff","status":"affected","versionType":"git"},{"version":"5498227676303e3ffa9a3a46214af96bc3e81314","lessThan":"7c770dadfda5cbbde6aa3c4363ed513f1d212bf8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/openvswitch/vport-netdev.c"],"versions":[{"version":"6.19","status":"affected"},{"version":"0","lessThan":"6.19","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.248","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.198","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.160","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.120","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.64","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.4","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/df3c95be76103604e752131d9495a24814915ece"},{"url":"https://git.kernel.org/stable/c/33609454be4f582e686a4bf13d4482a5ca0f6c4b"},{"url":"https://git.kernel.org/stable/c/5fdeaf591a0942772c2d18ff3563697a49ad01c6"},{"url":"https://git.kernel.org/stable/c/4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8"},{"url":"https://git.kernel.org/stable/c/43579baa17270aa51f93eb09b6e4af6e047b7f6e"},{"url":"https://git.kernel.org/stable/c/95265232b49765a4d00f4d028c100bb7185600f4"},{"url":"https://git.kernel.org/stable/c/755a6300afbd743cda4b102f24f343380ec0e0ff"},{"url":"https://git.kernel.org/stable/c/7c770dadfda5cbbde6aa3c4363ed513f1d212bf8"}],"title":"net: openvswitch: Avoid releasing netdev before teardown completes","x_generator":{"engine":"bippy-1.2.0"}}}}