CVE-2026-45917 Overview
CVE-2026-45917 is a race condition vulnerability in the Linux kernel's IP Virtual Server (IPVS) subsystem. The race is between the netdev notifier ip_vs_dst_event() and the code path that caches destination entries (dest_dst) for a network device that is going down. If the Forwarding Information Base (FIB) still returns a valid route for the closing device after the IPVS notifier has already finished handling that device, IPVS caches the route. The cached entry holds a device reference that is never released, so the reference leaks until the destination itself is removed.
Critical Impact
A race between the IPVS netdev notifier and destination caching logic can cause a leaked net_device reference, preventing proper teardown of network interfaces in affected Linux kernels.
Affected Products
- Linux kernel — IPVS subsystem (mainline)
- Linux kernel stable branches receiving backported fixes via commits 024eb0bd19f5, 64af43033503, 8fde939b0206, and bae53b3baf2f
- Distributions shipping vulnerable kernel versions prior to applying the upstream fix
Discovery Timeline
- 2026-05-27 - CVE-2026-45917 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45917
Vulnerability Analysis
The vulnerability resides in the Linux kernel's IPVS load-balancing subsystem, specifically in the destination cache management logic. IPVS caches dest_dst structures, which hold route information including a reference to the underlying net_device. The netdev notifier handler ip_vs_dst_event() is responsible for releasing cached dest_dst entries when a device transitions to a closed state.
The race occurs because the FIB layer may emit route notifications for a closing device after the IPVS notifier has already processed the NETDEV_DOWN event. If concurrent traffic triggers route resolution and dest_dst caching during this window, a fresh dest_dst referencing the down-going device can be installed after the cleanup handler has already run.
Because IPVS holds a reference on the cached device, the device reference count never reaches zero. The kernel cannot complete the teardown of the interface until the IPVS destination entry itself is removed.
Root Cause
The root cause is a missing synchronization check between the notifier path and the caching path. Prior to the fix, the caching code did not consult the device's running state when attaching a new dest_dst. The patch introduces a netif_running() check so that destination caching is skipped when the notifier handler is processing, or has processed, the closure of the device.
Attack Vector
This is a local kernel reliability issue rather than a remote exploitation primitive. Triggering the race requires concurrent IPVS traffic and a netdev down event on a device used by an IPVS destination. The observable effect is a leaked net_device reference, which can manifest as interfaces that cannot be fully removed, namespaces that fail to be reclaimed, and resource accounting anomalies. The flaw is most relevant in container and Kubernetes environments where IPVS-based service load balancing interacts frequently with dynamic network interface creation and teardown.
The upstream commits referenced in the advisory describe the fix in prose. See the Kernel Git Commit Patch and the Kernel Git Commit Fix for the exact code changes.
Detection Methods for CVE-2026-45917
Indicators of Compromise
- Network interfaces that remain in an unregistering state with a non-zero refcount long after a tear-down command, visible in dmesg as "unregister_netdevice: waiting for <dev> to become free".
- Network namespaces that fail to be reclaimed after pod or container deletion in IPVS-mode Kubernetes clusters.
- Persistent IPVS destination entries (ipvsadm -Ln) referencing devices that have been administratively removed.
Detection Strategies
- Audit kernel logs for repeated unregister_netdevice warnings on hosts running kube-proxy in IPVS mode or other IPVS-based load balancers.
- Correlate netdev down events with subsequent IPVS destination activity to identify hosts experiencing the race window.
- Track running kernel versions across the fleet and flag hosts not yet carrying the stable backport commits listed in the Kernel Git Commit Update.
Monitoring Recommendations
- Monitor /proc/net/dev and netdev reference counters for interfaces that fail to unregister.
- Alert on growth in the number of stale IPVS destinations across worker nodes in container orchestration platforms.
- Collect kernel ring buffer messages centrally and search for ip_vs and unregister_netdevice strings.
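The following Python script is an added example, not part of the advisory: it implements the detection strategy above by parsing the unregister_netdevice warnings from dmesg and the real servers from ipvsadm -Ln, then reporting IPVS destinations whose egress device is stuck unregistering. The dmesg lines, the ipvsadm output and the real-server-to-device map are constructed samples; on a live host the map would come from an assumed `ip route get <ip>` lookup.

```python
import re
# Kernel warning repeated while a net_device's refcount stays above zero
UNREG_RE = re.compile(r"unregister_netdevice: waiting for (?P<dev>\S+) "
                      r"to become free\. Usage count = (?P<count>\d+)")
# `ipvsadm -Ln` service header ("TCP  10.96.0.10:53 rr") and real-server line
SVC_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+)\s+\S+")
RS_RE = re.compile(r"^\s*->\s+(\S+):\d+\s+\S+")

def stuck_devices(dmesg_lines):
    # device name -> (number of warnings, last reported usage count)
    stuck = {}
    for line in dmesg_lines:
        m = UNREG_RE.search(line)
        if m:
            stuck[m["dev"]] = (stuck.get(m["dev"], (0, 0))[0] + 1, int(m["count"]))
    return stuck

def parse_ipvsadm(lines):
    # "PROTO VIP:port" -> [real-server IP, ...]
    services, current = {}, None
    for line in lines:
        svc = SVC_RE.match(line)
        if svc:
            current = f"{svc[1]} {svc[2]}"
            services[current] = []
        elif current and RS_RE.match(line):
            services[current].append(RS_RE.match(line)[1])
    return services

def pinned_destinations(dmesg_lines, ipvsadm_lines, egress_dev):
    # egress_dev maps real-server IP -> device; on a live host build it from
    # `ip route get <ip>` (assumed lookup; a constructed dict is used below)
    stuck = stuck_devices(dmesg_lines)
    return [(svc, rip, egress_dev[rip])
            for svc, rips in parse_ipvsadm(ipvsadm_lines).items()
            for rip in rips if egress_dev.get(rip) in stuck]

# Constructed sample inputs, not captured from a real host
SAMPLE_DMESG = [
    "[812.1] unregister_netdevice: waiting for veth3a1b to become free. Usage count = 2",
    "[822.1] unregister_netdevice: waiting for veth3a1b to become free. Usage count = 2",
    "[822.2] IPVS: Connection hash table configured (size=4096, memory=64Kbytes)",
]
SAMPLE_IPVSADM = [
    "  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn",
    "TCP  10.96.0.10:53 rr",
    "  -> 10.244.1.12:53               Masq    1      0          0",
    "  -> 10.244.2.7:53                Masq    1      0          0",
]
SAMPLE_ROUTES = {"10.244.1.12": "veth3a1b", "10.244.2.7": "eth0"}
```

A hit means a still-configured IPVS real server routes out of a device the kernel cannot free, which is the leaked-reference symptom this advisory describes; removing that destination (or patching the kernel) is the remedy.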
How to Mitigate CVE-2026-45917
Immediate Actions Required
- Inventory all Linux hosts using IPVS, including Kubernetes nodes with kube-proxy --proxy-mode=ipvs, LVS directors, and custom load balancers.
- Plan and schedule kernel updates to versions containing the upstream fix commits referenced in the NVD entry.
- Reboot or perform live-patch updates on affected hosts after installing the patched kernel package.
Patch Information
The fix adds a netif_running() check to ensure new dest_dst entries are not attached to a destination while the netdev notifier is processing closure of the underlying device. The fix is distributed across the following upstream commits: Kernel Git Commit Update, Kernel Git Commit Fix, Kernel Git Commit Change, and Kernel Git Commit Patch. Apply the kernel package update from your distribution vendor once it incorporates these commits.
Workarounds
- Where feasible, switch kube-proxy from IPVS mode to iptables mode until patched kernels are deployed.
- Avoid frequent churn of network interfaces backing IPVS real servers on unpatched hosts.
- Drain workloads from affected nodes before tearing down interfaces to reduce the likelihood of triggering the race.
```bash
# Verify running kernel version and IPVS usage on a host
uname -r
lsmod | grep ip_vs            # ip_vs modules loaded means IPVS is in use
ipvsadm -Ln | head -20        # configured virtual services and real servers
# Check for stuck netdev unregister warnings (dmesg may need root)
dmesg | grep -i 'unregister_netdevice'
# Apply distribution kernel update (example for Debian/Ubuntu). Upgrade the
# kernel metapackage rather than linux-image-$(uname -r): that versioned
# package only receives its own revision, never a newer kernel with the fix.
sudo apt-get update && sudo apt-get install linux-image-generic   # Debian: linux-image-amd64
sudo reboot
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.