CVE-2026-45890
Description
In the Linux kernel, the following vulnerability has been resolved:
xen-netback: reject zero-queue configuration from guest
A malicious or buggy Xen guest can write "0" to the xenbus key "multi-queue-num-queues". The connect() function in the backend only validates the upper bound (requested_num_queues > xenvif_max_queues) but not zero, allowing requested_num_queues=0 to reach vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range().
On systems with panic_on_warn=1, this allows a guest-to-host denial of service.
The Xen network interface specification requires the queue count to be "greater than zero".
Add a zero check to match the validation already present in xen-blkback, which has included this guard since its multi-queue support was added.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious Xen guest can trigger a kernel warning and denial of service in xen-netback by setting the queue count to zero.
Vulnerability
The Linux kernel's xen-netback driver fails to validate that the value of the xenbus key multi-queue-num-queues is greater than zero. The connect() function only checks the upper bound (requested_num_queues > xenvif_max_queues), allowing a guest to write 0. This leads to vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range(). All kernels with xen-netback multi-queue support are affected before the fix [1][2].
Exploitation
An attacker must be a malicious or buggy Xen guest with the ability to write to the multi-queue-num-queues xenbus key. During connection setup, the guest sets this key to 0. No authentication or additional privileges are required. The backend driver processes the value without a zero-check, leading to the warning.
Impact
On systems where panic_on_warn=1, the WARN_ON_ONCE triggers a kernel panic, causing a denial of service of the host. The attacker does not gain code execution or data access; the impact is limited to a guest-to-host DoS.
Mitigation
The fix adds a zero check to connect(), matching the validation already present in xen-blkback. The fix is included in the stable kernel commits [1][2]. Users should update to a kernel containing these commits. If an immediate update is not possible, ensure panic_on_warn is not set to 1 or apply the patch manually.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
166d1dc8014334xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
d99f69ddc70fxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
654780dee9eaxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
ec4859ac5c93xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
ce66d6786de4xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index 001636901ddae2..a972b05da96fc6 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
787bfa423228xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index e85b3c5d4acce0..5b78d9172aac96 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
2993e0f904c4xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index 9ee9ce0493fe6b..c47e327039a0af 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
88b0fced1bbbxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
d99f69ddc70fxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
ce66d6786de4xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index 001636901ddae2..a972b05da96fc6 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
ec4859ac5c93xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
654780dee9eaxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
2993e0f904c4xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index 9ee9ce0493fe6b..c47e327039a0af 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
6d1dc8014334xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
787bfa423228xen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index e85b3c5d4acce0..5b78d9172aac96 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
88b0fced1bbbxen-netback: reject zero-queue configuration from guest
1 file changed · +3 −3
drivers/net/xen-netback/xenbus.c+3 −3 modifieddiff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index a78a25b872409a..61b547aab286a2 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues = xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues == 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing zero-value validation on the multi-queue-num-queues xenbus key allows vzalloc(0) to trigger a WARN_ON and potential kernel panic."
Attack vector
A malicious or buggy Xen guest writes "0" to the xenbus key `multi-queue-num-queues` [patch_id=2661643]. The backend's `connect()` function only checks the upper bound (`requested_num_queues > xenvif_max_queues`) but not zero, so `requested_num_queues=0` reaches `vzalloc(array_size(0, sizeof(struct xenvif_queue)))`, which triggers `WARN_ON_ONCE(!size)` in `__vmalloc_node_range()`. On systems with `panic_on_warn=1`, this causes a guest-to-host denial of service [patch_id=2661643]. No authentication is needed beyond the ability to write to the guest's xenbus node.
Affected code
The vulnerability resides in the `connect()` function in `drivers/net/xen-netback/xenbus.c` [patch_id=2661643]. The function reads the `multi-queue-num-queues` xenbus key from the guest and passes the value directly to `vzalloc(array_size(..., sizeof(struct xenvif_queue)))` without validating that it is non-zero.
What the fix does
The patch adds `requested_num_queues == 0` to the existing validation condition, so that a zero value is rejected with `xenbus_dev_fatal()` just like an excessive value [patch_id=2661643]. The error message is also updated from "exceeding the maximum of %u" to "valid range is 1 - %u" to correctly describe the allowed range. This mirrors the zero-queue guard already present in `xen-blkback` [patch_id=2661643].
Preconditions
- authAttacker must be able to write to the guest's xenbus node (i.e., control a Xen guest domain)
- configThe host must have panic_on_warn=1 set for the DoS to be effective
- configThe xen-netback backend driver must be handling the guest's network interface
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/2993e0f904c45f8af12917344bb1cac7ccd05a60nvd
- git.kernel.org/stable/c/654780dee9eae419e1648ea58462c4efe54518fanvd
- git.kernel.org/stable/c/6d1dc8014334c7fb25719999bca84d811e60a559nvd
- git.kernel.org/stable/c/787bfa423228c4b02ba3368128f625d579085353nvd
- git.kernel.org/stable/c/88b0fced1bbbfdb356a007592604008ffc93a6a1nvd
- git.kernel.org/stable/c/ce66d6786de45b7ed9cbbdc0988054bf09e58f54nvd
- git.kernel.org/stable/c/d99f69ddc70fd9f4b8148add62209a1a8eb5c615nvd
- git.kernel.org/stable/c/ec4859ac5c933e3315543a61adc1ca4358006a41nvd
News mentions
0No linked articles in our index yet.