PatchSiren cyber security CVE debrief

CVE-2026-45890 Linux CVE debrief

A vulnerability in the Linux kernel's Xen network backend (xen-netback) allowed malicious or buggy Xen guests to trigger a kernel warning by setting the multi-queue configuration to zero. The connect() function validated only the upper bound of requested queue counts, permitting a zero-queue configuration to reach vzalloc() with a zero size argument. This triggered WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems configured with panic_on_warn=1, this warning would cause a kernel panic, resulting in guest-to-host denial of service. The Xen network interface specification requires queue counts greater than zero. The fix adds a zero check to align with existing validation in xen-blkback.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Xen virtualization infrastructure with Linux kernel-based dom0 hosts, particularly those with panic_on_warn enabled or hosting untrusted guest workloads

Technical summary

The xen-netback driver in the Linux kernel failed to validate that the requested number of queues was greater than zero when processing guest multi-queue configuration via xenbus. A zero value passed through to vzalloc() triggered a kernel warning via WARN_ON_ONCE. Systems with panic_on_warn enabled would experience kernel panics, allowing malicious guests to cause host denial of service. The vulnerability was fixed by adding a zero check matching the validation pattern already present in xen-blkback.
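To make the validation gap concrete, the following is an added C example, not the kernel's xen-netback code, that models the connect()-time check described in the debrief and the technical summary above: a guest-supplied multi-queue-num-queues string is parsed, the upper-bound-only check lets zero through so the queue-array allocation size becomes 0, and the fixed check rejects zero. MAX_QUEUES, struct queue_state, the fallback-to-one-queue behaviour and all function names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for per-queue backend state; not the kernel's own structure. */
struct queue_state { unsigned int id; };

/* Assumed upper limit, in the role of the driver's configured maximum. */
#define MAX_QUEUES 8u

/* Parse the guest-supplied "multi-queue-num-queues" xenbus string. An absent
 * or malformed value falls back to a single queue (constructed behaviour). */
unsigned int parse_num_queues(const char *value)
{
    char *end;
    unsigned long n;
    if (value == NULL || *value == '\0')
        return 1;
    errno = 0;
    n = strtoul(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return 1;
    return (unsigned int)n;
}

/* Vulnerable pattern from the advisory: only the upper bound is checked,
 * so a requested count of zero is accepted. 0 = ok, -EINVAL = rejected. */
int validate_queues_upper_only(unsigned int requested)
{
    if (requested > MAX_QUEUES)
        return -EINVAL;
    return 0;
}

/* Fixed pattern: zero is rejected too, as the spec requires and as the
 * advisory says the patch does (the same shape of check as xen-blkback). */
int validate_queues_fixed(unsigned int requested)
{
    if (requested == 0 || requested > MAX_QUEUES)
        return -EINVAL;
    return 0;
}

/* Size the backend would hand to its zeroed allocator for the queue array.
 * A count of zero yields a size of zero, the condition behind the warning. */
size_t queue_array_size(unsigned int requested)
{
    return (size_t)requested * sizeof(struct queue_state);
}
```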

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant kernel patch from the stable kernel git repository to affected systems running Xen with xen-netback
  • Review and update kernel configurations to ensure panic_on_warn is not enabled on production virtualization hosts unless specifically required
  • Audit Xen guest configurations to ensure compliance with the Xen network interface specification requiring queue counts greater than zero
  • Monitor kernel logs for WARN_ON_ONCE messages from __vmalloc_node_range that may indicate exploitation attempts
  • Consider implementing additional input validation at the virtualization management layer to prevent zero-queue configurations from reaching the backend

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel with a patch that adds zero-queue validation to xen-netback's connect() function. Multiple stable kernel branches received backports. The issue affects Xen virtualization environments where guests can manipulate the multi-queue-num-queues xenbus key.
