PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46165 Linux CVE debrief

A self-deadlock vulnerability exists in the Linux kernel's Open vSwitch (OVS) vport implementation during the release of tunnel ports. The issue stems from improper ordering of RCU callback scheduling relative to RTNL lock release when deleting tunnel vports. In the vulnerable code path, netdev_put() was scheduled via call_rcu() after rtnl_unlock(), but rtnl_unlock() invokes netdev_run_todo() which blocks until all references are released. Since the RCU callback (which releases the reference) cannot execute until after rtnl_unlock() returns, the system deadlocks: netdev_run_todo() waits for the reference, but the reference cannot be released until netdev_run_todo() completes. The fix reorders operations to schedule the RCU callback before rtnl_unlock(), allowing proper reference release when synchronize_net() is subsequently called. This vulnerability affects systems using Open vSwitch tunnel ports (VXLAN, GRE, Geneve, etc.) and could cause denial of service through kernel deadlock when tunnel interfaces are removed.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running Linux kernels with Open vSwitch enabled, particularly those using software-defined networking (SDN) with tunnel overlays (VXLAN, GRE, Geneve), cloud infrastructure providers, network virtualization platforms, and Kubernetes clusters using OVS-based CNI plugins

Technical summary

The Open vSwitch kernel module's vport release path for tunnel ports contained a locking order violation between RCU and RTNL. When ovs_vport_del() is called to remove a tunnel vport, the code must release the network device reference via netdev_put() after an RCU grace period to satisfy RCU safety requirements, while also calling rtnl_delete_link() which requires RTNL. The original implementation scheduled the RCU callback after rtnl_unlock(), but rtnl_unlock() calls netdev_run_todo() which blocks until all netdev references reach zero. This creates unresolvable circular wait: netdev_run_todo() cannot complete without the RCU callback executing, but the RCU callback cannot execute until rtnl_unlock() returns. The fix moves call_rcu() before rtnl_unlock(), ensuring the RCU callback is already scheduled when netdev_run_todo() runs, allowing proper reference release via synchronize_net() after RTNL is dropped.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Prioritize patching on systems running Open vSwitch with tunnel ports (VXLAN, GRE, Geneve, IPsec tunnels)
  • Monitor for kernel deadlock symptoms during OVS tunnel interface removal operations
  • Review OVS configuration for unnecessary tunnel port churn that could trigger the vulnerable code path
  • Consider staging kernel updates during maintenance windows due to potential for denial of service on tunnel reconfiguration

Evidence notes

Vulnerability description sourced from official Linux kernel commit message. Multiple stable kernel branch commits identified (refs ref-4 through ref-8). CVE published 2026-05-28T10:16:32.143Z, modified 2026-05-28T13:44:01.663Z. No CVSS score or severity assigned by NVD at time of analysis (status: Awaiting Analysis).

Official resources

2026-05-28