7.8

CVE-2026-43205

EPSS 0.01%
Veröffentlicht 06.05.2026 11:28:10
Zuletzt bearbeitet 11.05.2026 19:59:54
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.

build_if_id_bitmap() silently drops any ID >= 64:
      if (id[i] < DPSW_MAX_IF)
          bmap[id[i] / 64] |= ...

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

NVD 7 VulnDex Vulnerability Enrichment 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.13 < 5.15.202

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6

Linux ≫ Linux Kernel Version7.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.025

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28

Patch

https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d

Patch

https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96

Patch

https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900

Patch

https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c

Patch

https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6

Patch

https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-43205

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43205

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43205

EUVD