CVE-2026-43205
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Write in Linux Kernel dpaa2-switch Driver

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43205
EUVD
EUVD-2026-27768
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 5.13 (inc) to 5.15.202 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's dpaa2-switch driver. The driver obtains a value called num_ifs from firmware, which indicates the number of interfaces. However, it does not validate this value against a maximum allowed limit (DPSW_MAX_IF, which is 64). Because of this, if the firmware reports num_ifs as 64 or greater, the driver can write beyond the bounds of a fixed-size array when processing port indices. This out-of-bounds write occurs in the function dpaa2_switch_fdb_get_flood_cfg(), potentially causing memory corruption.

The issue arises because the loop that writes port indices into the array does not check if num_ifs exceeds the array size, leading to an overflow by one entry when num_ifs equals DPSW_MAX_IF. The vulnerability was fixed by adding a boundary check for num_ifs during initialization.

Impact Analysis

This vulnerability can lead to an out-of-bounds write in kernel memory, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. Such memory corruption issues can compromise the security and reliability of the affected system.

Mitigation Strategies

The vulnerability is caused by the dpaa2-switch driver not validating the num_ifs value obtained from firmware, which can lead to an out-of-bounds write. To mitigate this vulnerability, you should update your Linux kernel to a version where the dpaa2_switch_init() function includes a bound check for num_ifs against DPSW_MAX_IF (64).

This update prevents the driver from iterating beyond the fixed-size array bounds, thus avoiding the overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart