CVE-2026-45890
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service in Linux Kernel Xen Netback

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xen-netback: reject zero-queue configuration from guest A malicious or buggy Xen guest can write "0" to the xenbus key "multi-queue-num-queues". The connect() function in the backend only validates the upper bound (requested_num_queues > xenvif_max_queues) but not zero, allowing requested_num_queues=0 to reach vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems with panic_on_warn=1, this allows a guest-to-host denial of service. The Xen network interface specification requires the queue count to be "greater than zero". Add a zero check to match the validation already present in xen-blkback, which has included this guard since its multi-queue support was added.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45890
EUVD
EUVD-2026-32356
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Xen network backend (xen-netback). A malicious or buggy Xen guest can set the "multi-queue-num-queues" key to zero, which is not properly validated by the backend. The connect() function only checks if the requested number of queues exceeds the maximum allowed but does not check if it is zero. This leads to an invalid memory allocation call with zero size, triggering a warning in the kernel.

Because the Xen network interface specification requires the queue count to be greater than zero, this zero value is invalid. The lack of validation can cause the system to hit a WARN_ON_ONCE condition in the kernel's memory allocation code.

On systems configured with panic_on_warn=1, this warning causes the host system to panic, resulting in a denial of service (DoS) from the guest to the host.

Impact Analysis

This vulnerability can allow a malicious or buggy Xen guest to cause a denial of service (DoS) on the host system by triggering a kernel panic.

Specifically, by setting the multi-queue number of queues to zero, the guest can cause the host kernel to hit a warning that, if configured to panic on warnings, will crash the host system.

This can disrupt services running on the host and affect availability.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated with the patch that adds a zero check for the 'multi-queue-num-queues' key in the xen-netback backend.

This patch prevents a malicious or buggy Xen guest from setting the queue count to zero, which can cause a guest-to-host denial of service on systems with panic_on_warn=1.

Additionally, verify that the Xen network interface configuration complies with the specification requiring the queue count to be greater than zero.

Detection Guidance

This vulnerability involves a Xen guest writing a zero value to the xenbus key "multi-queue-num-queues", which is invalid according to the Xen network interface specification.

To detect this vulnerability on your system, you can check the value of the "multi-queue-num-queues" key in the xenbus for any guest domains. A zero value indicates the presence of the problematic configuration.

Suggested commands to detect this condition include inspecting the xenstore keys for each guest domain. For example:

  • Use the xenstore-ls command to list the xenbus keys for a specific domain: xenstore-ls /local/domain/<domid>/device/vif/<vifid>/multi-queue-num-queues
  • Alternatively, use xenstore-read to read the specific key: xenstore-read /local/domain/<domid>/device/vif/<vifid>/multi-queue-num-queues

If the output is "0", this indicates the guest is requesting zero queues, which triggers the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart