CVE-2026-23206
Unknown Unknown - Not Provided
NULL Pointer Dereference in Linux dpaa2-switch Driver Causes Kernel Panic

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw->ports[0]->netdev, which attempts to dereference ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. Add a check to ensure num_ifs is greater than zero after retrieving device attributes. This prevents the zero-sized allocations and subsequent invalid pointer dereference.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23206
EUVD
EUVD-2026-5837
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.16 (inc) to 6.1.163 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.70 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.124 (exc)
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.10 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.13 (inc) to 5.15.200 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's dpaa2-switch driver. When the device reports zero interfaces (num_ifs is zero), the driver allocates arrays using kcalloc with zero elements. Instead of returning NULL, kcalloc returns a ZERO_SIZE_PTR (address 0x10). Later, the code tries to access ethsw->ports[0]->netdev unconditionally, which dereferences this ZERO_SIZE_PTR, causing a kernel panic.

The fix involves adding a check to ensure that num_ifs is greater than zero before proceeding, preventing zero-sized allocations and the invalid pointer dereference.

Impact Analysis

This vulnerability can cause a kernel panic due to an invalid pointer dereference when the device reports zero interfaces. A kernel panic results in a system crash, leading to denial of service and potential data loss or system instability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that adds a check to verify that num_ifs is greater than zero before proceeding with allocations and pointer dereferences in the dpaa2-switch driver.

If an updated kernel is not yet available, avoid using hardware or firmware configurations that cause the device to report zero interfaces, as this triggers the vulnerability.

Monitoring for kernel panics related to dpaa2-switch or the address 0x10 dereference may help identify if the vulnerability is being triggered.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23206. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart