{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46165","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.102Z","datePublished":"2026-05-28T09:36:20.855Z","dateUpdated":"2026-06-14T17:59:29.913Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:59:29.913Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: vport: fix self-deadlock on release of tunnel ports\n\nvports are used concurrently and protected by RCU, so netdev_put()\nmust happen after the RCU grace period.  So, either in an RCU call or\nafter the synchronize_net().  The rtnl_delete_link() must happen under\nRTNL and so can't be executed in RCU context.  Calling synchronize_net()\nwhile holding RTNL is not a good idea for performance and system\nstability under load in general, so calling netdev_put() in RCU call\nis the right solution here.\n\nHowever,\nwhen the device is deleted, rtnl_unlock() will call netdev_run_todo()\nand block until all the references are gone.  In the current code this\nmeans that we never reach the call_rcu() and the vport is never freed\nand the reference is never released, causing a self-deadlock on device\nremoval.\n\nFix that by moving the rcu_call() before the rtnl_unlock(), so the\nscheduled RCU callback will be executed when synchronize_net() is\ncalled from the rtnl_unlock()->netdev_run_todo() while the RTNL itself\nis already released."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/openvswitch/vport-netdev.c"],"versions":[{"version":"9d56aced21fb9c104e8a3f3be9b21fbafe448ffc","lessThan":"8ae6c15fc473c9ad03b0173330cce9a092c76154","status":"affected","versionType":"git"},{"version":"42f0d3d81209654c08ffdde5a34b9b92d2645896","lessThan":"c741433f6c8dcdecd1d9549d89053761fd1ea413","status":"affected","versionType":"git"},{"version":"bbe7bd722bfaea36aab3da6cc60fb4a05c644643","lessThan":"6522d59fb7de55ce0f0f285d962243ddffebb01f","status":"affected","versionType":"git"},{"version":"98b726ab5e2a4811e27c28e4d041f75bba147eab","lessThan":"3df75fff46b1517eb479d8e6b8e3500763715dd0","status":"affected","versionType":"git"},{"version":"6931d21f87bc6d657f145798fad0bf077b82486c","lessThan":"366c482965c673565ecb8bcfb15d5548f13a6a10","status":"affected","versionType":"git"},{"version":"6931d21f87bc6d657f145798fad0bf077b82486c","lessThan":"aa69918bd418e700309fdd08509dba324fb24296","status":"affected","versionType":"git"},{"version":"b8c56a3fc5d879c0928f207a756b0f067f06c6a8","status":"affected","versionType":"git"},{"version":"6.1.168","lessThan":"6.1.175","status":"affected","versionType":"semver"},{"version":"6.6.131","lessThan":"6.6.140","status":"affected","versionType":"semver"},{"version":"6.12.80","lessThan":"6.12.88","status":"affected","versionType":"semver"},{"version":"6.18.21","lessThan":"6.18.30","status":"affected","versionType":"semver"},{"version":"6.19.11","lessThan":"6.20","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/openvswitch/vport-netdev.c"],"versions":[{"version":"7.0","status":"affected"},{"version":"0","lessThan":"7.0","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.168","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.131","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.80","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.21","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8ae6c15fc473c9ad03b0173330cce9a092c76154"},{"url":"https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413"},{"url":"https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f"},{"url":"https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0"},{"url":"https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10"},{"url":"https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296"}],"title":"openvswitch: vport: fix self-deadlock on release of tunnel ports","x_generator":{"engine":"bippy-1.2.0"}}}}