CVE-2026-31508

Home/CVE/In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before tea

CVE

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before tea

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before teardown completes The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdev_destroy() callback can proceed immediately to the call_rcu() invocation if the IFF_OVS_DATAPATH flag is already cleared on the netdev. The ovs_netdev_detach_dev() function clears the flag before completing the unregistration, and if it gets preempted after clearing the flag (as can happen on an -rt kernel), netdev_destroy() can complete and the device can be freed before the unregistration completes.

This leads to a splat like: [ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI [ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT [ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025 [ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0 [ 998.393901] Code: 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 75 ca 48 83 c4 08 5b c3 cc 48 83 bf 48 09 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 74 97 eb 81 0f 1f 80 00 90 [ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246 [ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000 [ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05 [ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000 [ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006 [ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000 [ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000 [ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0 [ 998.393944] PKRU: 55555554 [ 998.393946] Call Trace: [ 998.393949] <TASK> [ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0 [ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0 [ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch] [ 998.394009] ? __die_body.cold+0x8/0x12 [ 998.394016] ? die_addr+0x3c/0x60 [ 998.394027] ? exc_general_protection+0x16d/0x390 [ 998.394042] ? asm_exc_general_protection+0x26/0x30 [ 998.394058] ? dev_set_promiscuity+0x8d/0xa0 [ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch] [ 998.394092] dp_device_event+0x41/0x80 [openvswitch] [ 998.394102] notifier_call_chain+0x5a/0xd0 [ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60 [ 998.394110] rtnl_dellink+0x169/0x3e0 [ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0 [ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0 [ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0 [ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 998.394132] netlink_rcv_skb+0x50/0x100 [ 998.394138] netlink_unicast+0x292/0x3f0 [ 998.394141] netlink_sendmsg+0x21b/0x470 [ 998.394145] ____sys_sendmsg+0x39d/0x3d0 [ 998.394149] ___sys_sendmsg+0x9a/0xe0 [ 998.394156] __sys_sendmsg+0x7a/0xd0 [ 998.394160] do_syscall_64+0x7f/0x170 [ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 998.394165] RIP: 0033:0x7fad61bf4724 [ 998.394188] Code: 89 02 b8 ff eb bb 66 2e 0f 1f 84 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 74 13 b8 2e 00 0f 05 <48> 3d 00 f0 ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 [ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724 [ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003 [ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f [ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2 ---truncated---.

HIGH · CVSS 7.8 EPSS 0.00017

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2026-31508, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2026-31508

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1068 · Exploitation for Privilege Escalation

▤ Build a SIEM detection for these techniques

▤

Affected Products & Versions

linux kernel>= 5.10.248 and < 5.10.253
linux kernel>= 5.15.198 and < 5.15.203
linux kernel>= 6.1.160 and < 6.1.168
linux kernel>= 6.6.120 and < 6.6.131
linux kernel>= 6.12.64 and < 6.12.80
linux kernel>= 6.18.4 and < 6.18.21
linux kernel>= 6.19.1 and < 6.19.11
linux kernelall versions

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
rhel 9kernel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-64k open
rhel 9kernel-64k-core open
rhel 9kernel-64k-debug open
rhel 9kernel-64k-debug-core open
rhel 9kernel-64k-debug-devel open
rhel 9kernel-64k-debug-devel-matched open
rhel 9kernel-64k-debug-modules open
rhel 9kernel-64k-debug-modules-core open
rhel 9kernel-64k-debug-modules-extra open
rhel 9kernel-64k-devel open
rhel 9kernel-64k-devel-matched open
rhel 9kernel-64k-modules open
rhel 9kernel-64k-modules-core open
rhel 9kernel-64k-modules-extra fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-abi-stablelists open
rhel 9kernel-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug-devel-matched fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug-modules fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-debug-modules-core open
rhel 9kernel-debug-modules-extra open
rhel 9kernel-debug-uki-virt fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-devel-matched fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-modules open
rhel 9kernel-modules-core open
rhel 9kernel-modules-extra open
rhel 9kernel-rt open
rhel 9kernel-rt-64k fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-debug fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-debug-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-debug-devel open
rhel 9kernel-rt-64k-debug-modules fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-debug-modules-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-debug-modules-extra fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-64k-modules open
rhel 9kernel-rt-64k-modules-core open
rhel 9kernel-rt-64k-modules-extra open
rhel 9kernel-rt-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-debug fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-debug-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-debug-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-debug-modules open
rhel 9kernel-rt-debug-modules-core open
rhel 9kernel-rt-debug-modules-extra fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-devel open
rhel 9kernel-rt-modules open
rhel 9kernel-rt-modules-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-rt-modules-extra fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-tools open
rhel 9kernel-tools-libs fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-tools-libs-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-uki-virt open
rhel 9kernel-uki-virt-addons open
rhel 9kernel-zfcpdump open
rhel 9kernel-zfcpdump-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-zfcpdump-devel fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-zfcpdump-devel-matched open
rhel 9kernel-zfcpdump-modules fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-zfcpdump-modules-core fixed in 0:5.14.0-687.15.1.el9_8
rhel 9kernel-zfcpdump-modules-extra fixed in 0:5.14.0-687.15.1.el9_8
rhel 9libperf open
rhel 9perf fixed in 0:5.14.0-687.15.1.el9_8
rhel 9python3-perf open
rhel 9rtla fixed in 0:5.14.0-687.15.1.el9_8
rhel 9rv open
suse sle15cluster-md-kmp-default open
suse sle15dlm-kmp-default open
suse sle15gfs2-kmp-default open
suse sle15kernel-default open
suse sle15kernel-default-base open
suse sle15kernel-default-devel open
suse sle15kernel-default-extra open
suse sle15kernel-default-livepatch open
suse sle15kernel-default-livepatch-devel open

▣

Scoring & Timeline

7.8

HIGH · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD22 Apr 2026 · 02:16 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

rhsaRHSA-2026:25217Important
rhsaRHSA-2026:25028Moderate
rhsaRHSA-2026:25218Moderate
msrcCVE-2026-31508

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://git.kernel.org/stable/c/33609454be4f582e686a4bf13d4482a5ca0f6c4bPatch

https://git.kernel.org/stable/c/43579baa17270aa51f93eb09b6e4af6e047b7f6ePatch

https://git.kernel.org/stable/c/4c3e25a7b711a402fcbbbcfbbdf2868ece1ae7c8Patch

https://git.kernel.org/stable/c/5fdeaf591a0942772c2d18ff3563697a49ad01c6Patch

https://git.kernel.org/stable/c/755a6300afbd743cda4b102f24f343380ec0e0ffPatch

https://git.kernel.org/stable/c/7c770dadfda5cbbde6aa3c4363ed513f1d212bf8Patch

Show all 8 references

https://git.kernel.org/stable/c/95265232b49765a4d00f4d028c100bb7185600f4Patch

https://git.kernel.org/stable/c/df3c95be76103604e752131d9495a24814915ecePatch