CVE-2026-31678
Published: 25 April 2026
Summary
CVE-2026-31678 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the race condition by requiring timely identification, reporting, and correction of the kernel flaw through application of upstream patches deferring netdev_put to RCU.
Vulnerability scanning detects affected Linux kernels with vulnerable Open vSwitch tunnel support and mandates remediation within defined time frames to prevent exploitation.
Memory protection mechanisms mitigate potential memory corruption such as use-after-free resulting from the netdev reference race during tunnel device destruction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition (use-after-free in OVS tunnel device handling) directly enables privilege escalation from low-privileged local access to full system compromise.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: defer tunnel netdev_put to RCU release
ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
Deeper analysis
CVE-2026-31678 is a race condition vulnerability in the Linux kernel's Open vSwitch (OVS) implementation, specifically in the handling of tunnel network devices. The issue arises in ovs_netdev_tunnel_destroy(), which may execute after NETDEV_UNREGISTER has detached the device, allowing a race where dropping the netdev reference conflicts with concurrent readers still accessing vport->dev. This affects Linux kernel versions incorporating Open vSwitch with tunnel support.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially through memory corruption such as use-after-free scenarios during device destruction and reference counting.
Mitigation involves applying the upstream kernel patches provided in the referenced stable commits, which defer the netdev_put operation from ovs_netdev_tunnel_destroy() to an RCU callback in vport_netdev_free(). This aligns the tunnel path with the non-tunnel destroy behavior, eliminating the race without requiring additional RTNL synchronization. Security practitioners should update affected Linux kernels to versions including these fixes: https://git.kernel.org/stable/c/42f0d3d81209654c08ffdde5a34b9b92d2645896, https://git.kernel.org/stable/c/6931d21f87bc6d657f145798fad0bf077b82486c, https://git.kernel.org/stable/c/98b726ab5e2a4811e27c28e4d041f75bba147eab, https://git.kernel.org/stable/c/9d56aced21fb9c104e8a3f3be9b21fbafe448ffc, and https://git.kernel.org/stable/c/b8c56a3fc5d879c0928f207a756b0f067f06c6a8.
Details
- CWE(s)