CVE-2026-46165: In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used...

Description

In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period. So, either in an RCU call or after the synchronize_net(). The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context. Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here. However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone. In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal. Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.10%

1.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-667

Affected Software

Vendor	Product	Versions	Update
Linux	Linux Kernel	>= 6.1.168, < 6.1.175	—
Linux	Linux Kernel	>= 6.6.131, < 6.6.140	—
Linux	Linux Kernel	>= 6.12.80, < 6.12.88	—
Linux	Linux Kernel	>= 6.18.21, < 6.18.30	—
Linux	Linux Kernel	>= 6.19.11, < 7.0	—
Linux	Linux Kernel	>= 7.0.1, < 7.0.7	—
Linux	Linux Kernel	7.0	—
Linux	Linux Kernel	7.1	Rc1

References

Timeline

Published: May 28, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-46165?

In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period. So, either in an RCU call or after the synchronize_net(). The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context. Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here. However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone. In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal. Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.

How severe is CVE-2026-46165?

CVE-2026-46165 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.10% probability of exploitation in the next 30 days.

How do I fix CVE-2026-46165?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.