openvswitch: cap upcall PID array size and pre-size vport replies
Summary
| CVE | CVE-2026-45840 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 11:16:23 UTC |
| Updated | 2026-06-01 17:17:12 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent. |
Risk And Classification
EPSS: 0.000180000 probability, percentile 0.050770000 (date 2026-06-01)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 8d59b80e69dddb665eb2de36e62859ab2073470e git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 b39f763d720d623218bc1d95ace6855d7b474e81 git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 f9ef3db77a383d66847fd082c2b437d8ae4d9c63 git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 f99ac36b5d7c719d08a69fcdecce40f78a874e15 git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 1d6c02b86329883aa467a3a61f8d34369db73a2f git | Not specified |
| CNA | Linux | Linux | affected 5cd667b0a4567048bb555927d6ee564f4e5620a9 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 git | Not specified |
| CNA | Linux | Linux | affected 3.17 | Not specified |
| CNA | Linux | Linux | unaffected 3.17 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.