CVE-2026-45840

Summary

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: cap upcall PID array size and pre-size vport replies

The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, …) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.

kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception

Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < 8d59b80e69dddb665eb2de36e62859ab2073470eaffected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0affected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < b39f763d720d623218bc1d95ace6855d7b474e81affected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < f9ef3db77a383d66847fd082c2b437d8ae4d9c63affected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < f99ac36b5d7c719d08a69fcdecce40f78a874e15affected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704affected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < 1d6c02b86329883aa467a3a61f8d34369db73a2faffected
LinuxLinux5cd667b0a4567048bb555927d6ee564f4e5620a9 < 2091c6aa0df6aba47deb5c8ab232b1cb60af3519affected
LinuxLinux3.17affected
LinuxLinux0 < 3.17unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References