CVE-2026-45840

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the openvswitch component where vport netlink reply helpers allocate a fixed-size socket buffer (skb) using nlmsg new(NLMSG DEFAULT SIZE, ...), but serialize the full upcall PID array via ovs vport get upcall portids(). Because ovs vport set upcall portids() accepts any non-zero multiple of sizeof(u32) without an upper bound, a user with CAP NET ADMIN privileges can install a PID array large enough to overflow the reply buffer. This causes nla put() to fail with -EMSGSIZE, triggering a BUG ON(err < 0) and resulting in a kernel panic. On systems with unprivileged user namespaces enabled, this is reachable via unshare -Urn as OVS vport mutation operations use GENL UNS ADMIN PERM.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.