CVE-2026-45840 Overview
CVE-2026-45840 is a Linux kernel vulnerability in the openvswitch (OVS) subsystem. The flaw lies in the vport netlink reply helpers, which allocate a fixed-size socket buffer (skb) with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) and then serialize an unbounded upcall PID array obtained from ovs_vport_get_upcall_portids(). A local user with CAP_NET_ADMIN can install a PID array larger than the reply buffer's tail room; nla_put() then fails with -EMSGSIZE and the caller hits BUG_ON(err < 0), crashing the kernel. Because OVS vport mutation is registered with GENL_UNS_ADMIN_PERM, CAP_NET_ADMIN inside an unprivileged user namespace is sufficient, so on distributions that allow unprivileged user namespaces by default, such as Ubuntu, the issue is reachable via unshare -Urn.
Critical Impact
A local unprivileged user on a system that allows unprivileged user namespaces can trigger BUG_ON() in ovs_vport_cmd_set and crash the kernel, resulting in denial of service. The bug is a reachable assertion, not a memory-safety defect: nothing is written past the buffer, and no privilege escalation is involved.
Affected Products
- Linux kernel (mainline) prior to the patched commits referenced in git.kernel.org/stable
- Linux distributions enabling unprivileged user namespaces by default (e.g., Ubuntu)
- Systems with the openvswitch kernel module loaded, or available to be autoloaded on demand
Discovery Timeline
- 2026-05-27 - CVE-2026-45840 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45840
Vulnerability Analysis
The vulnerability resides in net/openvswitch/datapath.c and the vport netlink interface. When the kernel builds a reply for a vport command, ovs_vport_cmd_msg_size() does not account for arbitrarily large upcall PID arrays, and ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound. The configured PID array can therefore exceed the NLMSG_DEFAULT_SIZE reply buffer, which is roughly one page (just under 4 KiB on a 4 KiB-page kernel), while a single netlink attribute can carry up to 64 KiB of payload.
During reply serialization nla_put() fails with -EMSGSIZE and the caller reaches BUG_ON(err < 0) at net/openvswitch/datapath.c:2414 (the line number is from the published trace and shifts between kernel versions). On x86 BUG() executes ud2, so the oops reports an invalid opcode exception. With kernel.panic_on_oops=1 the host panics outright; with panic_on_oops=0 the calling task is killed instead while it still holds ovs_mutex, so subsequent OVS netlink operations block and the datapath is unusable either way. The oops trace shows the fault path: ovs_vport_cmd_set → genl_family_rcv_msg_doit → genl_rcv_msg → netlink_rcv_skb → netlink_unicast → netlink_sendmsg → __sys_sendto.
Root Cause
The root cause is a missing bounds check on a user-controlled array size combined with a fixed-size reply buffer allocation. The producer side (ovs_vport_set_upcall_portids) accepts unbounded input, while the consumer side (ovs_vport_cmd_msg_size) assumes a default-sized skb will suffice, and the consumer turns the resulting -EMSGSIZE into a BUG_ON rather than an error return. The result is a denial of service through a reachable assertion (CWE-617).
Attack Vector
An attacker holding CAP_NET_ADMIN in any user namespace, including one created with unshare -Urn on a distribution that allows unprivileged user namespaces, sends an OVS_VPORT_CMD_SET request to the ovs_vport Generic Netlink family for a vport in its own network namespace (creating an OVS datapath there provides one), carrying an oversized OVS_VPORT_ATTR_UPCALL_PID attribute. The handler installs the array and, in the same call, builds the unicast reply: the PID array no longer fits the default-sized skb, nla_put() returns -EMSGSIZE, and BUG_ON(err < 0) fires. An attribute of a few thousand bytes is enough; no separate follow-up command is needed.
No verified public exploit code is published for this issue. Patch details are available in the upstream commits referenced below. See the Linux Kernel Commit f9ef3db for the canonical fix.
Detection Methods for CVE-2026-45840
Indicators of Compromise
- Kernel panic or oops messages referencing ovs_vport_cmd_set at net/openvswitch/datapath.c:2414 (the +0x34c/0x400 offset in the published trace and the line number are build-specific; match on the symbol name and the file path rather than on exact values)
- Unexpected invalid opcode: 0000 oops entries in kernel logs on hosts running openvswitch (this is the x86 signature of BUG(); other architectures report a BUG_ON oops in their own wording)
- Process activity invoking unshare -Urn, or the equivalent unshare(2) call, followed by Generic Netlink sendmsg traffic to the ovs_vport family
Detection Strategies
- Monitor dmesg and journalctl -k for BUG_ON traces inside the openvswitch module
- Audit syscall telemetry for unshare(CLONE_NEWUSER|CLONE_NEWNET) calls followed by Netlink operations targeting OVS_VPORT_CMD_SET (or OVS_VPORT_CMD_NEW, which carries the same OVS_VPORT_ATTR_UPCALL_PID attribute)
- Alert on unexpected host reboots or kernel crash dumps on systems running Open vSwitch
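The first strategy above, as an added example that is not part of this page or of any project: a scanner that correlates an oops header with an openvswitch frame appearing within a short line window, and counts the BUG_ON site directly when the "kernel BUG at net/openvswitch/" line is present. The sample log is constructed; its timestamps, the +0x0/0x0 offsets, the second (unrelated) oops and the OOPS_WINDOW value are placeholders, not data from a real host.

```c
/* Added example: count distinct oops events attributable to openvswitch
 * in a buffer of kernel log text. Not kernel code; the markers and the
 * window size are assumptions about how such traces look. */
#include <stdio.h>
#include <string.h>

/* Lines after an oops header in which an ovs frame still belongs to that
 * oops. Assumed value; real traces are long, so err on the large side. */
#define OOPS_WINDOW 40

static int has(const char *line, const char *needle)
{
    return strstr(line, needle) != NULL;
}

/* A line that ties the oops to openvswitch: the BUG_ON file path, a frame
 * tagged with the module name, or the handler named in the trace. */
static int is_ovs_frame(const char *line)
{
    return has(line, "net/openvswitch/") || has(line, "[openvswitch]") ||
           has(line, "ovs_vport_cmd_set");
}

/* Returns the number of oops events attributable to openvswitch. An ovs
 * line outside any oops window (e.g. a module-load message) is ignored. */
int count_ovs_bug_events(const char *log)
{
    int events = 0, window = 0, counted = 0, prev_header = 0;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        const char *next = nl ? nl + 1 : p + strlen(p);
        size_t len = (size_t)((nl ? nl : next) - p);
        char line[512];
        int header;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        /* BUG() prints "kernel BUG at ..." and the ud2 it executes then
         * prints the "invalid opcode" header; consecutive headers are one
         * event, a header after non-header lines opens a new one. */
        header = has(line, "kernel BUG at") || has(line, "invalid opcode:");
        if (header && !prev_header) {
            window = OOPS_WINDOW;
            counted = 0;
        }
        if (window > 0 && !counted && is_ovs_frame(line)) {
            events++;
            counted = 1;
        }
        if (window > 0)
            window--;
        prev_header = header;
        p = next;
    }
    return events;
}

/* Constructed sample: a benign module-load line, one BUG_ON oops in ovs,
 * one unrelated oops, and one truncated oops with only an ovs RIP line. */
static const char sample_log[] =
    "[    5.000000] openvswitch: Open vSwitch switching datapath\n"
    "[   42.100000] kernel BUG at net/openvswitch/datapath.c:2414!\n"
    "[   42.100100] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n"
    "[   42.100200] RIP: 0010:ovs_vport_cmd_set+0x0/0x0 [openvswitch]\n"
    "[   42.100300] Call Trace:\n"
    "[   42.100400]  genl_family_rcv_msg_doit+0x0/0x0\n"
    "[   42.100500]  netlink_rcv_skb+0x0/0x0\n"
    "[  300.000000] invalid opcode: 0000 [#2] PREEMPT SMP NOPTI\n"
    "[  300.000100] RIP: 0010:other_driver_fn+0x0/0x0 [otherdrv]\n"
    "[  300.000200] Call Trace:\n"
    "[  900.000000] invalid opcode: 0000 [#3] PREEMPT SMP NOPTI\n"
    "[  900.000100] RIP: 0010:ovs_vport_cmd_set+0x0/0x0 [openvswitch]\n";

int main(void)
{
    printf("ovs oops events in sample: %d\n", count_ovs_bug_events(sample_log));
    return 0;
}
```

Feed it `journalctl -k -o cat` output or a saved dmesg; a non-zero count on a host where no OVS crash is expected is the alert condition, and the kdump vmcore from the same time window is the evidence to preserve.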
Monitoring Recommendations
- Enable kdump to capture vmcore files when the OVS subsystem faults, preserving forensic evidence
- Audit user namespace creation with auditd rules on unshare, clone and clone3 (CLONE_NEWUSER can arrive through any of them) and on setns; the creator of a user namespace holds CAP_NET_ADMIN over the network namespace it owns, which is the privilege this issue requires
- Correlate kernel crash events with preceding low-privilege user activity to identify abuse attempts
How to Mitigate CVE-2026-45840
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the git.kernel.org/stable commits and reboot affected hosts
- Disable unprivileged user namespaces where feasible: kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels that carry that sysctl, kernel.apparmor_restrict_unprivileged_userns=1 on Ubuntu 24.04 and later, or user.max_user_namespaces=0 on any kernel (the last one refuses new user namespaces for root as well, so check sandboxed applications and rootless container tooling first)
- Unload the openvswitch kernel module on systems that do not require it: modprobe -r openvswitch (stop ovs-vswitchd first where it is running)
Patch Information
The fix rejects attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids() and pre-computes the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound. This mirrors the existing logic in ovs_dp_cmd_msg_size() and keeps the per-CPU dispatch path consistent. Patched commits include Linux Kernel Commit 1d6c02b, Linux Kernel Commit 2091c6a, Linux Kernel Commit f99ac36, Linux Kernel Commit f9ef3db, and Linux Kernel Commit fa6e90b.
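As an added example, written for this page and not taken from the kernel or from the commits listed above, the following userspace model reproduces the producer/consumer mismatch described under Root Cause and the bound described in this Patch Information section. Everything prefixed model_ or MODEL_, the CPU count, the fixed-attribute size and the page-sized default are assumptions chosen to make the arithmetic visible; they are not kernel values or kernel API.

```c
/* Added example: userspace model of the size mismatch behind CVE-2026-45840
 * and of the bound the fix introduces. All model_/MODEL_ names are assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed tail room of an nlmsg_new(NLMSG_DEFAULT_SIZE, ...) skb: about one
 * 4 KiB page minus headers. */
#define MODEL_NLMSG_DEFAULT_SIZE 4064u
/* Assumed bytes used by the fixed vport attributes (type, name, ifindex,
 * stats, ...) that precede the upcall PID array in the reply. */
#define MODEL_FIXED_ATTRS 120u
#define NLA_HDRLEN 4u
#define NLA_ALIGN(len) (((len) + 3) & ~(size_t)3)
#define NLA_TOTAL(payload) (NLA_HDRLEN + NLA_ALIGN(payload))

static const unsigned model_nr_cpu_ids = 8; /* assumed CPU count */

/* Pre-fix validation: any non-zero multiple of sizeof(u32) is accepted. */
int model_set_upcall_portids_unpatched(size_t nla_len, unsigned *n_ids)
{
    if (nla_len == 0 || nla_len % sizeof(uint32_t))
        return -EINVAL;
    *n_ids = (unsigned)(nla_len / sizeof(uint32_t));
    return 0;
}

/* Patched validation: additionally refuse more PIDs than nr_cpu_ids. */
int model_set_upcall_portids_patched(size_t nla_len, unsigned *n_ids)
{
    if (nla_len == 0 || nla_len % sizeof(uint32_t))
        return -EINVAL;
    if (nla_len / sizeof(uint32_t) > model_nr_cpu_ids)
        return -EINVAL;
    *n_ids = (unsigned)(nla_len / sizeof(uint32_t));
    return 0;
}

/* Pre-fix reply sizing: a default-sized skb regardless of the PID array. */
size_t model_msg_size_unpatched(void)
{
    return MODEL_NLMSG_DEFAULT_SIZE;
}

/* Patched reply sizing: reserve the worst case the new bound guarantees. */
size_t model_msg_size_patched(void)
{
    return MODEL_FIXED_ATTRS + NLA_TOTAL(model_nr_cpu_ids * sizeof(uint32_t));
}

/* Stand-in for the fill_info helper: nla_put() of the PID array fails with
 * -EMSGSIZE when the attribute does not fit the remaining tail room. */
int model_fill_info(size_t skb_size, unsigned n_ids)
{
    size_t need = MODEL_FIXED_ATTRS + NLA_TOTAL(n_ids * sizeof(uint32_t));
    return need <= skb_size ? 0 : -EMSGSIZE;
}

/* Drive one OVS_VPORT_CMD_SET through either path. Returns 0 for a reply
 * that fits, -EINVAL when the request is rejected, and -EMSGSIZE where the
 * unpatched kernel would instead hit BUG_ON(err < 0). */
int model_vport_cmd_set(size_t nla_len, int patched)
{
    unsigned n_ids = 0;
    int err = patched ? model_set_upcall_portids_patched(nla_len, &n_ids)
                      : model_set_upcall_portids_unpatched(nla_len, &n_ids);
    if (err)
        return err;
    return model_fill_info(patched ? model_msg_size_patched()
                                   : model_msg_size_unpatched(), n_ids);
}

/* Smallest PID count that no longer fits the unpatched reply buffer. */
unsigned model_min_pids_to_trip(void)
{
    unsigned n = 1;
    while (model_fill_info(model_msg_size_unpatched(), n) == 0)
        n++;
    return n;
}

int main(void)
{
    size_t big = 1024 * sizeof(uint32_t); /* one page of PID payload */
    printf("unpatched, 1024 PIDs: %d (BUG_ON path)\n", model_vport_cmd_set(big, 0));
    printf("patched,   1024 PIDs: %d (rejected)\n", model_vport_cmd_set(big, 1));
    printf("patched,      8 PIDs: %d (ok)\n", model_vport_cmd_set(8 * sizeof(uint32_t), 1));
    printf("smallest tripping count, unpatched: %u\n", model_min_pids_to_trip());
    return 0;
}
```

The two halves of the fix only work together: the bound in the validator is what makes the pre-computed reply size a true worst case, and the larger reply allocation is what makes the bound sufficient. Tightening one without the other would either still allow -EMSGSIZE or reject legitimate per-CPU PID arrays.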
Workarounds
- Restrict CAP_NET_ADMIN to trusted system services and avoid granting it to container workloads; note that creating a user namespace grants CAP_NET_ADMIN over that namespace's own network namespace, so this only helps where user namespace creation is also restricted
- Disable unprivileged user namespaces via sysctl until kernel patches are deployed
- Block loading of the openvswitch module on hosts that do not run virtual switching workloads; a Generic Netlink family lookup for an ovs_* family can trigger request_module() for it, so the load must be blocked, not merely not performed
# Disable unprivileged user namespaces (temporary mitigation)
# kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels;
# elsewhere the command reports an unknown key and can be dropped.
sysctl -w kernel.unprivileged_userns_clone=0
# user.max_user_namespaces=0 refuses new user namespaces for everyone, root included,
# so verify sandboxed applications and rootless containers still work before relying on it.
sysctl -w user.max_user_namespaces=0
# Persist the settings (overwrite rather than append so re-running does not duplicate lines)
printf 'kernel.unprivileged_userns_clone=0\nuser.max_user_namespaces=0\n' > /etc/sysctl.d/99-cve-2026-45840.conf
sysctl --system
# Optionally block openvswitch where unused. "blacklist" only stops alias-driven autoload
# (for example from a Generic Netlink family lookup); the "install" line also defeats an
# explicit modprobe openvswitch.
printf 'blacklist openvswitch\ninstall openvswitch /bin/false\n' > /etc/modprobe.d/blacklist-openvswitch.conf
modprobe -r openvswitch   # unload it if already loaded; stop ovs-vswitchd first
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.