Cyber Resilience

CVE-2026-31678

High

Published: 25 April 2026

Modified: 06 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31678 is a high-severity Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31678 is a race condition vulnerability in the Linux kernel's Open vSwitch (OVS) implementation, specifically in the handling of tunnel network devices. The issue arises in ovs_netdev_tunnel_destroy(), which may execute after NETDEV_UNREGISTER has already detached the device. Dropping the netdev reference at that point can race with concurrent readers that are still accessing vport->dev. This affects Linux kernel versions incorporating Open vSwitch with tunnel support.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially through memory corruption such as use-after-free scenarios during device destruction and reference counting.

Mitigation involves applying the upstream kernel patches provided in the referenced stable commits, which defer the netdev_put operation from ovs_netdev_tunnel_destroy() to an RCU callback in vport_netdev_free(). This aligns the tunnel path with the non-tunnel destroy behavior, eliminating the race without requiring additional RTNL synchronization. Security practitioners should update affected Linux kernels to versions including these fixes: https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896, https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c, https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab, https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc, and https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8.
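The ordering change described above, as an added user-space C model (not the kernel patch and not code from the referenced commits): a single-threaded simulation in which a reader still holds vport->dev while the destroy path runs. All struct and function names are hypothetical, and the reader counter stands in for an RCU grace period.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct model_dev   { int refcnt; bool freed; };
struct model_vport { struct model_dev *dev; };

static int readers;                  /* open read-side critical sections */
static struct model_vport *pending;  /* vport whose release callback is queued */

static void dev_put(struct model_dev *d) { if (--d->refcnt == 0) d->freed = true; }

/* Stands in for the RCU callback that drops the device reference. */
static void free_cb(struct model_vport *vp) { dev_put(vp->dev); }

static void read_lock(void) { readers++; }
static void read_unlock(void)
{
    /* The modelled grace period ends when the last reader leaves. */
    if (--readers == 0 && pending) { free_cb(pending); pending = NULL; }
}

/* Before the fix: the destroy path drops the reference itself. */
static void destroy_early_put(struct model_vport *vp) { dev_put(vp->dev); }

/* After the fix: destroy only queues the callback; the put happens there. */
static void destroy_deferred_put(struct model_vport *vp)
{
    if (readers == 0) free_cb(vp); else pending = vp;
}

/* Returns bit 0 = reader used a released dev, bit 1 = dev released at end. */
int simulate(bool deferred_put)
{
    struct model_dev dev = { .refcnt = 1, .freed = false };  /* constructed */
    struct model_vport vp = { .dev = &dev };
    readers = 0; pending = NULL;

    read_lock();
    struct model_dev *seen = vp.dev;          /* reader loads vport->dev */
    if (deferred_put) destroy_deferred_put(&vp); else destroy_early_put(&vp);
    int stale = seen->freed ? 1 : 0;          /* reader dereferences it */
    read_unlock();
    return stale | (dev.freed ? 2 : 0);
}

int main(void)
{
    printf("early put: %d, deferred put: %d\n", simulate(false), simulate(true));
    return 0;
}
```

In both orderings the device is released by the end; only the early put lets the reader touch it after release.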

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: defer tunnel netdev_put to RCU release

ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev.

Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition (use-after-free in OVS tunnel device handling) directly enables privilege escalation from low-privileged local access to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Kernel
CVE-2026-31530 · Same product: Linux Kernel
CVE-2026-23275 · Same product: Linux Kernel
CVE-2026-23437 · Same product: Linux Kernel
CVE-2026-43019 · Same product: Linux Kernel
CVE-2026-23158 · Same product: Linux Kernel
CVE-2025-21893 · Same product: Linux Kernel
CVE-2026-31446 · Same product: Linux Kernel
CVE-2026-31656 · Same product: Linux Kernel
CVE-2026-23004 · Same product: Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 4.3 — 6.1.168 · 6.2 — 6.6.131 · 6.7 — 6.12.80

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the race condition by requiring timely identification, reporting, and correction of the kernel flaw through application of upstream patches deferring netdev_put to RCU.

prevent

Vulnerability scanning detects affected Linux kernels with vulnerable Open vSwitch tunnel support and mandates remediation within defined time frames to prevent exploitation.

prevent

Memory protection mechanisms mitigate potential memory corruption such as use-after-free resulting from the netdev reference race during tunnel device destruction.

References