Skip to main content

Linux Kernel EUVDEUVD-2026-32383

| CVE-2026-45917 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rhv7-mr5p-cgr8
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires specific timing of device shutdown concurrent with IPVS caching, warranting AC:H; local access and low privilege confirmed; availability-only impact with no confidentiality or integrity effect.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:51 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipvs: do not keep dest_dst if dev is going down

There is race between the netdev notifier ip_vs_dst_event() and the code that caches dst with dev that is going down. As the FIB can be notified for the closed device after our handler finishes, it is possible valid route to be returned and cached resuling in a leaked dev reference until the dest is not removed.

To prevent new dest_dst to be attached to dest just after the handler dropped the old one, add a netif_running() check to make sure the notifier handler is not currently running for device that is closing.

AnalysisAI

Reference leak in the Linux kernel IPVS (IP Virtual Server) subsystem allows a local low-privileged user to trigger a race condition between the netdev notifier handler and destination cache update logic, potentially causing kernel resource exhaustion. When a network device is shutting down, the FIB routing subsystem may return a valid route after ip_vs_dst_event() finishes processing, allowing that route to be cached against a closing device and leaking a device reference until the IPVS destination is removed. This is a medium-severity availability issue with no public exploit identified at time of analysis and a very low EPSS score of 0.02% (5th percentile), indicating it is not currently a prioritized exploitation target.

Technical ContextAI

IPVS is a Linux kernel transport-layer load balancing module integrated into the netfilter framework, present since Linux 2.6.x (CPE: cpe:2.3:o:linux:linux_kernel:*). The vulnerability stems from a TOCTOU race condition between two asynchronous kernel paths: the netdev notifier ip_vs_dst_event() - which is supposed to flush cached destinations when a device goes down - and the IPVS destination cache population path. Because the FIB (Forwarding Information Base) can still return valid routes for a device after the notifier handler has completed but before the device is fully deregistered, IPVS may cache a new dest_dst pointing to the dying device, incrementing its reference count without a corresponding release. The fix adds a netif_running() check to short-circuit caching when the device is in a shutdown state. Although CWE is listed as N/A by NVD, the closest classification is CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization - Race Condition) combined with CWE-401 (Missing Release of Memory after Effective Lifetime). The metadata tags listing 'Information Disclosure' conflict with the CVSS vector (C:N, I:N, A:H) and appear to be erroneous - this is a pure availability/resource-leak issue.

RemediationAI

Upgrade to a patched Linux kernel version: 6.12.75, 6.18.14, 6.19.4, or 7.0, as documented in EUVD-2026-32383 and the upstream stable commits at https://git.kernel.org/stable/c/024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e and related links. Distribution-specific backported packages (RHEL, Debian, Ubuntu, SUSE) should be applied via standard package manager updates once released by the respective vendor. If immediate kernel upgrade is not feasible, a targeted workaround is to unload or disable the IPVS kernel module (ip_vs) if load balancing via IPVS is not operationally required - this eliminates the vulnerable code path entirely but will disable any ipvs-based services such as LVS/keepalived clusters or kube-proxy in IPVS mode in Kubernetes. Restricting local user access to non-administrative accounts reduces exposure given the PR:L requirement. No generic compensating controls are sufficient substitutes for the patch.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy