Description
In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero

The driver allocates arrays for ports, FDBs, and filter blocks using
kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the
device reports zero interfaces (either due to hardware configuration
or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)
instead of NULL.

Later in dpaa2_switch_probe(), the NAPI initialization unconditionally
accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.

Add a check to ensure num_ifs is greater than zero after retrieving
device attributes. This prevents the zero-sized allocations and
subsequent invalid pointer dereference.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel panic)
Action: Apply Patch
AI Analysis

Impact

The dpaa2-switch driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with a count derived from the device report. When the hardware reports zero interfaces, kcalloc(0,…) returns a ZERO_SIZE_PTR instead of NULL, and a later unconditional dereference of this pointer inside dpaa2_switch_probe() causes a kernel panic. This results in a complete loss of system availability as the operating system crashes.

Affected Systems

The vulnerability affects any Linux kernel that includes the dpaa2-switch driver, including all 6.19 release candidates (6.19-rc1 through 6.19-rc8) and any later kernel releases that have not yet incorporated the fix. The affected vendor is Linux, product Linux kernel.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation in the wild is low, and the vulnerability does not appear in the CISA KEV catalog. Based on the description, the attack vector is inferred to be local or privileged—an attacker would need to influence the device configuration or supply malformed firmware so that the driver probes with zero interfaces, triggering the crash.

Generated by OpenCVE AI on April 18, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the dpaa2-switch zero‑size allocation check
  • Disable the dpaa2-switch driver by removing the module or using modprobe -r dpaa2_switch if the kernel version cannot be updated immediately
  • Ensure that the device firmware reports a non‑zero interface count or patch the firmware to prevent zero‑count reports
  • Monitor system logs for kernel panic events related to dpaa2_switch and apply upstream patches as they become available

Generated by OpenCVE AI on April 18, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
History

Thu, 19 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw->ports[0]->netdev, which attempts to dereference ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. Add a check to ensure num_ifs is greater than zero after retrieving device attributes. This prevents the zero-sized allocations and subsequent invalid pointer dereference.
Title dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:29.095Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23206

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T17:15:58.507

Modified: 2026-03-19T16:34:27.203

Link: CVE-2026-23206

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23206 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses