CVE-2026-23180 - Vulnerability Details

- dpaa2-switch: add bounds check for if_id in IRQ handler

Description

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: add bounds check for if_id in IRQ handler

The IRQ handler extracts if_id from the upper 16 bits of the hardware
status register and uses it to index into ethsw->ports[] without
validation. Since if_id can be any 16-bit value (0-65535) but the ports
array is only allocated with sw_attr.num_ifs elements, this can lead to
an out-of-bounds read potentially.

Add a bounds check before accessing the array, consistent with the
existing validation in dpaa2_switch_rx().

Published: 2026-02-14

Score: 7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the dpaa2‑switch driver extracts an interface identifier from the upper 16 bits of a hardware status register and indexes into an internal ports array without validating that the identifier is within bounds. Because the if_id value can be any 16‑bit number while the array is sized only to the number of configured interfaces, an out‑of‑bounds read can occur. This flaw may expose kernel memory contents or cause a crash, potentially allowing an attacker to glean sensitive information.

Affected Systems

The vulnerability exists in the Linux kernel’s dpaa2‑switch module. Any kernel containing the unpatched dpaa2‑switch code, regardless of release level, is affected. The issue is not limited to a single kernel version; all builds from the time the code was introduced up to the date of the patch are vulnerable.

Risk and Exploitability

The flaw carries a CVSS base score of 7.0, indicating moderate severity. The EPSS score is under 1 %, reflecting a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation would likely require local or privileged access to a device that triggers the dpaa2‑switch IRQ handler, making it practical mainly for attackers with physical or kernel-level access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< 77611cab5bdfff7a070ae574bbfba20a1de99d1b
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< 34b56c16efd61325d80bf1d780d0e176be662f59
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< f89e33c9c37f0001b730e23b3b05ab7b1ecface2
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< 2447edc367800ba914acf7ddd5d250416b45fb31
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< 1b381a638e1851d8cfdfe08ed9cdbec5295b18c9
`24ab724f8a4661b2dc8e696b41df93bdc108f7a1`	affected	< 31a7a0bbeb006bac2d9c81a2874825025214b6d8

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.200`	unaffected	≤ 5.15.*
`6.1.163`	unaffected	≤ 6.1.*
`6.6.124`	unaffected	≤ 6.6.*
`6.12.70`	unaffected	≤ 6.12.*
`6.18.10`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,77611cab5bdfff7a070ae574bbfba20a1de99d1b)`	affected	code_commit	—
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,34b56c16efd61325d80bf1d780d0e176be662f59)`	affected	code_commit	—
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,f89e33c9c37f0001b730e23b3b05ab7b1ecface2)`	affected	code_commit	—
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,2447edc367800ba914acf7ddd5d250416b45fb31)`	affected	code_commit	—
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,1b381a638e1851d8cfdfe08ed9cdbec5295b18c9)`	affected	code_commit	—
`[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,31a7a0bbeb006bac2d9c81a2874825025214b6d8)`	affected	code_commit	—

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`5.15`	affected	generic	—
`[0,5.15)`	unaffected	generic	—
`[5.15.200,5.16.0)`	unaffected	semver	—
`[6.1.163,6.2.0)`	unaffected	semver	—
`[6.6.124,6.7.0)`	unaffected	semver	—
`[6.12.70,6.13.0)`	unaffected	semver	—
`[6.18.10,6.19.0)`	unaffected	semver	—
`[6.19,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that includes the dpaa2‑switch bounds‑check patch (commits referenced in the advisory).
If a kernel update cannot be made immediately, disable the dpaa2‑switch driver or the associated device to prevent the vulnerable IRQ handler from executing.
Monitor system logs for signs of out‑of‑bounds read attempts and configure audit rules to flag repeated access to critical registers.

Generated by OpenCVE AI on April 15, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4499-1	linux-6.1 security update
Debian DSA	DSA-6141-1	linux security update
Debian DSA	DSA-6163-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9
https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31
https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8
https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59
https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b
https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2
https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23180-19a8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23180
https://www.cve.org/CVERecord?id=CVE-2026-23180

History

Wed, 15 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Tue, 17 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23180-19a8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23180 https://www.cve.org/CVERecord?id=CVE-2026-23180
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Sat, 14 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since if_id can be any 16-bit value (0-65535) but the ports array is only allocated with sw_attr.num_ifs elements, this can lead to an out-of-bounds read potentially. Add a bounds check before accessing the array, consistent with the existing validation in dpaa2_switch_rx().
Title		dpaa2-switch: add bounds check for if_id in IRQ handler
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9 https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31 https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8 https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59 https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T16:27:11.463Z

Updated: 2026-04-03T13:32:19.605Z

Reserved: 2026-01-13T15:37:45.984Z

Link: CVE-2026-23180

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-02-14T17:15:55.747

Modified: 2026-04-15T14:34:27.800

Link: CVE-2026-23180

Redhat

Severity : Moderate

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23180 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object