Skip to main content

Linux Kernel CVE-2026-45840

| EUVDEUVD-2026-32166 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gcc5-89x5-vqqc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

AV:L as exploitation requires a local shell; PR:L because Ubuntu-default unprivileged user namespaces allow any local user to reach CAP_NET_ADMIN via unshare; A:H for kernel panic causing total host availability loss; C:N and I:N as the only impact is a crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:09 vuln.today
CVSS changed
Jun 26, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: cap upcall PID array size and pre-size vport replies

The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.

kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception

Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.

AnalysisAI

Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.

Technical ContextAI

Open vSwitch (OVS) in the Linux kernel uses Generic Netlink (genetlink) families for vport configuration, including setting the upcall PID array via ovs_vport_set_upcall_portids(). This function accepted any non-zero multiple of sizeof(u32) without an upper bound, allowing arbitrarily large PID arrays. The reply path in ovs_vport_cmd_get() and ovs_vport_cmd_set() pre-allocated skb space using nlmsg_new(NLMSG_DEFAULT_SIZE, ...) - a fixed allocation - then attempted to serialize the full PID array via ovs_vport_get_upcall_portids(). When the PID count exceeded the buffer capacity, nla_put() returned -EMSGSIZE, and the unchecked BUG_ON(err < 0) in ovs_vport_cmd_set() at net/openvswitch/datapath.c:2414 caused a fatal kernel exception. CWE was not formally assigned by NVD, but the root cause is an incorrect buffer size calculation (analogous to CWE-131) combined with a missing input bound check. The fix caps PID count to nr_cpu_ids (matching the per-CPU dispatch cap already in use on the datapath side) and pre-computes the worst-case reply size in ovs_vport_cmd_msg_size(). All affected systems are identified by CPE cpe:2.3:o:linux:linux_kernel:* from version 3.17 onward, the commit (5cd667b0a4567048bb555927d6ee564f4e5620a9) that introduced upcall PID array support.

RemediationAI

Upgrade to a patched kernel release: Linux 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1-rc1 or later, with fixes available at https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f and related stable backports. Distribution-specific updates from Ubuntu, Red Hat, SUSE, and Debian should be monitored for downstream packaging of these stable fixes. As a compensating control on Ubuntu, restrict unprivileged user namespaces via sysctl -w kernel.unprivileged_userns_clone=0 (Ubuntu-specific) or sysctl -w user.max_user_namespaces=0 (upstream Linux); note that this breaks browser sandboxing (Chrome, Firefox) and container runtimes relying on user namespaces, so evaluate application compatibility before applying. Alternatively, on hosts that do not require Open vSwitch, blocklisting the openvswitch kernel module (echo 'blacklist openvswitch' >> /etc/modprobe.d/ovs-block.conf && update-initramfs -u) prevents the vulnerable code path from being reached entirely, with the trade-off of disabling all OVS-based virtual switching and SDN functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

CVE-2026-45840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy