Detections
Analytics

CVE-2026-43205

high

Description

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

References

https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6

https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96

https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d

https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28

https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900

https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5

https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c

Details

Source: Mitre, NVD

Published: 2026-05-06

Updated: 2026-05-06

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00024