Home

Description

In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-06-01 | Assigner Linux

Product status

Default status
unaffected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before 8d59b80e69dddb665eb2de36e62859ab2073470e
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before b39f763d720d623218bc1d95ace6855d7b474e81
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before f9ef3db77a383d66847fd082c2b437d8ae4d9c63
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before f99ac36b5d7c719d08a69fcdecce40f78a874e15
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before 1d6c02b86329883aa467a3a61f8d34369db73a2f
affected

5cd667b0a4567048bb555927d6ee564f4e5620a9 (git) before 2091c6aa0df6aba47deb5c8ab232b1cb60af3519
affected

Default status
affected

3.17
affected

Any version before 3.17
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/8d59b80e69dddb665eb2de36e62859ab2073470e

git.kernel.org/...c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0

git.kernel.org/...c/b39f763d720d623218bc1d95ace6855d7b474e81

git.kernel.org/...c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63

git.kernel.org/...c/f99ac36b5d7c719d08a69fcdecce40f78a874e15

git.kernel.org/...c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704

git.kernel.org/...c/1d6c02b86329883aa467a3a61f8d34369db73a2f

git.kernel.org/...c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519

cve.org (CVE-2026-45840)

nvd.nist.gov (CVE-2026-45840)

Download JSON