CVE-2026-43205
Awaiting Analysis
Out-of-Bounds Write in Linux Kernel dpaa2-switch Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64:

    if (id[i] < DPSW_MAX_IF)
        bmap[id[i] / 64] |= ...
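
The boundary arithmetic in the description, as an added user-space model (not the kernel driver's code and not part of the original advisory). Only DPSW_MAX_IF and num_ifs come from the description; every function name and the `match` filter array are hypothetical, and out-of-range entries are counted rather than written so the model itself never overflows.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DPSW_MAX_IF 64 /* limit stated in the advisory */

/* The described fix: reject num_ifs >= DPSW_MAX_IF during init. */
static int check_num_ifs(unsigned int num_ifs)
{
    return num_ifs >= DPSW_MAX_IF ? -EINVAL : 0;
}

/*
 * Fill pattern from the description: one slot per matching port, then the
 * control interface (port num_ifs). Returns the slots the pattern needs;
 * a result above DPSW_MAX_IF is the out-of-bounds case.
 */
static unsigned int flood_slots_needed(uint16_t if_id[DPSW_MAX_IF],
                                       unsigned int num_ifs, const uint8_t *match)
{
    unsigned int i = 0, j;
    for (j = 0; j < num_ifs; j++) {
        if (!match[j])
            continue;
        if (i < DPSW_MAX_IF)
            if_id[i] = (uint16_t)j;
        i++;
    }
    if (i < DPSW_MAX_IF)
        if_id[i] = (uint16_t)num_ifs; /* control interface */
    return i + 1;
}

/* Worst case: every port matches the flood filter (num_ifs <= 256). */
static unsigned int slots_when_all_match(unsigned int num_ifs)
{
    static uint8_t all[256];
    uint16_t if_id[DPSW_MAX_IF] = { 0 };
    memset(all, 1, sizeof(all));
    return flood_slots_needed(if_id, num_ifs, all);
}

int main(void)
{
    for (unsigned int n = 62; n <= 65; n++)
        printf("num_ifs=%u slots=%u check=%d\n", n,
               slots_when_all_match(n), check_num_ifs(n));
    return 0;
}
```

With num_ifs = 63 the pattern needs exactly 64 slots and the check passes; at 64 it needs 65, which is the one-entry overflow, and the check rejects it.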
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor         Product        Version / Range
linux          kernel         *
linux_kernel   linux_kernel   *
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's dpaa2-switch driver. The driver obtains a value called num_ifs from firmware, which indicates the number of interfaces. However, it does not validate this value against a maximum allowed limit (DPSW_MAX_IF, which is 64). Because of this, if the firmware reports num_ifs as 64 or greater, the driver can write beyond the bounds of a fixed-size array when processing port indices. This out-of-bounds write occurs in the function dpaa2_switch_fdb_get_flood_cfg(), potentially causing memory corruption.

The issue arises because the loop that writes port indices into the array does not check if num_ifs exceeds the array size, leading to an overflow by one entry when num_ifs equals DPSW_MAX_IF. The vulnerability was fixed by adding a boundary check for num_ifs during initialization.


How can this vulnerability impact me?

This vulnerability can lead to an out-of-bounds write in kernel memory, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. Such memory corruption issues can compromise the security and reliability of the affected system.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by the dpaa2-switch driver not validating the num_ifs value obtained from firmware, which can lead to an out-of-bounds write. To mitigate this vulnerability, you should update your Linux kernel to a version where the dpaa2_switch_init() function includes a bound check for num_ifs against DPSW_MAX_IF (64).

This update prevents the driver from iterating beyond the fixed-size array bounds, thus avoiding the overflow.

