{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46165", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.102Z", "datePublished": "2026-05-28T09:36:20.855Z", "dateUpdated": "2026-05-28T09:36:20.855Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:36:20.855Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: vport: fix self-deadlock on release of tunnel ports\n\nvports are used concurrently and protected by RCU, so netdev_put()\nmust happen after the RCU grace period. So, either in an RCU call or\nafter the synchronize_net(). The rtnl_delete_link() must happen under\nRTNL and so can't be executed in RCU context. Calling synchronize_net()\nwhile holding RTNL is not a good idea for performance and system\nstability under load in general, so calling netdev_put() in RCU call\nis the right solution here.\n\nHowever,\nwhen the device is deleted, rtnl_unlock() will call netdev_run_todo()\nand block until all the references are gone. In the current code this\nmeans that we never reach the call_rcu() and the vport is never freed\nand the reference is never released, causing a self-deadlock on device\nremoval.\n\nFix that by moving the rcu_call() before the rtnl_unlock(), so the\nscheduled RCU callback will be executed when synchronize_net() is\ncalled from the rtnl_unlock()->netdev_run_todo() while the RTNL itself\nis already released."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/vport-netdev.c"], "versions": [{"version": "42f0d3d81209654c08ffdde5a34b9b92d2645896", "lessThan": "c741433f6c8dcdecd1d9549d89053761fd1ea413", "status": "affected", "versionType": "git"}, {"version": "bbe7bd722bfaea36aab3da6cc60fb4a05c644643", "lessThan": "6522d59fb7de55ce0f0f285d962243ddffebb01f", "status": "affected", "versionType": "git"}, {"version": "98b726ab5e2a4811e27c28e4d041f75bba147eab", "lessThan": "3df75fff46b1517eb479d8e6b8e3500763715dd0", "status": "affected", "versionType": "git"}, {"version": "6931d21f87bc6d657f145798fad0bf077b82486c", "lessThan": "366c482965c673565ecb8bcfb15d5548f13a6a10", "status": "affected", "versionType": "git"}, {"version": "6931d21f87bc6d657f145798fad0bf077b82486c", "lessThan": "aa69918bd418e700309fdd08509dba324fb24296", "status": "affected", "versionType": "git"}, {"version": "9d56aced21fb9c104e8a3f3be9b21fbafe448ffc", "status": "affected", "versionType": "git"}, {"version": "b8c56a3fc5d879c0928f207a756b0f067f06c6a8", "status": "affected", "versionType": "git"}, {"version": "6.6.131", "lessThan": "6.6.140", "status": "affected", "versionType": "semver"}, {"version": "6.12.80", "lessThan": "6.12.88", "status": "affected", "versionType": "semver"}, {"version": "6.18.21", "lessThan": "6.18.30", "status": "affected", "versionType": "semver"}, {"version": "6.1.168", "lessThan": "6.2", "status": "affected", "versionType": "semver"}, {"version": "6.19.11", "lessThan": "6.20", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/openvswitch/vport-netdev.c"], "versions": [{"version": "7.0", "status": "affected"}, {"version": "0", "lessThan": "7.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.131", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.80", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.21", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.1-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413"}, {"url": "https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f"}, {"url": "https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0"}, {"url": "https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10"}, {"url": "https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296"}], "title": "openvswitch: vport: fix self-deadlock on release of tunnel ports", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: vport: fix self-deadlock on release of tunnel ports\n\nvports are used concurrently and protected by RCU, so netdev_put()\nmust happen after the RCU grace period. So, either in an RCU call or\nafter the synchronize_net(). The rtnl_delete_link() must happen under\nRTNL and so can't be executed in RCU context. Calling synchronize_net()\nwhile holding RTNL is not a good idea for performance and system\nstability under load in general, so calling netdev_put() in RCU call\nis the right solution here.\n\nHowever,\nwhen the device is deleted, rtnl_unlock() will call netdev_run_todo()\nand block until all the references are gone. In the current code this\nmeans that we never reach the call_rcu() and the vport is never freed\nand the reference is never released, causing a self-deadlock on device\nremoval.\n\nFix that by moving the rcu_call() before the rtnl_unlock(), so the\nscheduled RCU callback will be executed when synchronize_net() is\ncalled from the rtnl_unlock()->netdev_run_todo() while the RTNL itself\nis already released."}], "id": "CVE-2026-46165", "lastModified": "2026-05-28T13:44:01.663", "metrics": {}, "published": "2026-05-28T10:16:32.143", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-28T13:15:22.417601+00:00", "updated": "2026-05-28T13:15:22.417611+00:00", "vendors": [], "weaknesses": ["CWE-665"]}