CVE-2026-45840 (GCVE-0-2026-45840)

Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-05-27 09:24
Title
openvswitch: cap upcall PID array size and pre-size vport replies
Summary
In the Linux kernel, the following vulnerability has been resolved:

openvswitch: cap upcall PID array size and pre-size vport replies

The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.

 kernel BUG at net/openvswitch/datapath.c:2414!
 Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
 CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
 Call Trace:
  <TASK>
  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
  genl_rcv_msg (net/netlink/genetlink.c:1194)
  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
  genl_rcv (net/netlink/genetlink.c:1219)
  netlink_unicast (net/netlink/af_netlink.c:1344)
  netlink_sendmsg (net/netlink/af_netlink.c:1894)
  __sys_sendto (net/socket.c:2206)
  __x64_sys_sendto (net/socket.c:2209)
  do_syscall_64 (arch/x86/entry/syscall_64.c:63)
  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
  </TASK>
 Kernel panic - not syncing: Fatal exception

Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f9ef3db77a383d66847fd082c2b437d8ae4d9c63 (git)
Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < f99ac36b5d7c719d08a69fcdecce40f78a874e15 (git)
Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 (git)
Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 1d6c02b86329883aa467a3a61f8d34369db73a2f (git)
Affected: 5cd667b0a4567048bb555927d6ee564f4e5620a9 , < 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 (git)
Linux Linux Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c",
            "net/openvswitch/vport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f9ef3db77a383d66847fd082c2b437d8ae4d9c63",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "f99ac36b5d7c719d08a69fcdecce40f78a874e15",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "1d6c02b86329883aa467a3a61f8d34369db73a2f",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            },
            {
              "lessThan": "2091c6aa0df6aba47deb5c8ab232b1cb60af3519",
              "status": "affected",
              "version": "5cd667b0a4567048bb555927d6ee564f4e5620a9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c",
            "net/openvswitch/vport.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: cap upcall PID array size and pre-size vport replies\n\nThe vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids().  Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err \u003c 0).  On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n  \u003cTASK\u003e\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n  genl_rcv_msg (net/netlink/genetlink.c:1194)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  genl_rcv (net/netlink/genetlink.c:1219)\n  netlink_unicast (net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  __sys_sendto (net/socket.c:2206)\n  __x64_sys_sendto (net/socket.c:2209)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:24:39.478Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519"
        }
      ],
      "title": "openvswitch: cap upcall PID array size and pre-size vport replies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45840",
    "datePublished": "2026-05-27T09:24:39.478Z",
    "dateReserved": "2026-05-13T15:03:33.077Z",
    "dateUpdated": "2026-05-27T09:24:39.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45840",
      "date": "2026-05-27",
      "epss": "0.00018",
      "percentile": "0.05085"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45840\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T11:16:23.363\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nopenvswitch: cap upcall PID array size and pre-size vport replies\\n\\nThe vport netlink reply helpers allocate a fixed-size skb with\\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\\narray via ovs_vport_get_upcall_portids().  Since\\novs_vport_set_upcall_portids() accepts any non-zero multiple of\\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\\narray large enough to overflow the reply buffer, causing nla_put() to\\nfail with -EMSGSIZE and hitting BUG_ON(err \u003c 0).  On systems with\\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\\nreachable via unshare -Urn since OVS vport mutation operations use\\nGENL_UNS_ADMIN_PERM.\\n\\n kernel BUG at net/openvswitch/datapath.c:2414!\\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\\n Call Trace:\\n  \u003cTASK\u003e\\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\\n  genl_rcv_msg (net/netlink/genetlink.c:1194)\\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\\n  genl_rcv (net/netlink/genetlink.c:1219)\\n  netlink_unicast (net/netlink/af_netlink.c:1344)\\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\\n  __sys_sendto (net/socket.c:2206)\\n  __x64_sys_sendto (net/socket.c:2209)\\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63)\\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\\n  \u003c/TASK\u003e\\n Kernel panic - not syncing: Fatal exception\\n\\nReject attempts to set more PIDs than nr_cpu_ids in\\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\\nexisting ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already\\nused by the per-CPU dispatch configuration on the datapath side\\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\\ntwo sides stay consistent.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

