Improper input validation in Linux kernel - CVE-2026-45840
Published: May 28, 2026
Vulnerability identifier: #VU132656
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45840
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.
On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.
How to mitigate CVE-2026-45840
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f
- https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519
- https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15
- https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63
- https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704