CVE-2026-45840

In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

26 Jun 2026, 18:56

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f - () https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f - Patch
References () https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519 - () https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519 - Patch
References () https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e - () https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e - Patch
References () https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81 - () https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81 - Patch
References () https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 - () https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 - Patch
References () https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15 - () https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15 - Patch
References () https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63 - () https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63 - Patch
References () https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 - () https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 - Patch
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5

01 Jun 2026, 17:17

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e -
  • () https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81 -
  • () https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 -

27 May 2026, 11:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-27 11:16

Updated : 2026-06-26 18:56


NVD link : CVE-2026-45840

Mitre link : CVE-2026-45840

CVE.ORG link : CVE-2026-45840


JSON object : View

Products Affected

linux

  • linux_kernel