CVE-2026-43141 - Vulnerability Details

- ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut

Description

In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut

Number of MW LUTs depends on NTB configuration and can be set to zero,
in such scenario rounddown_pow_of_two will cause undefined behaviour and
should not be performed.
This patch ensures that rounddown_pow_of_two is called on valid value.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A shift‑out‑of‑bounds error occurs in the Linux kernel’s NTB switchtec driver when the number of MW Look‑Up Tables (LUTs) is set to zero. The rounddown_pow_of_two function was called with a zero value, which is undefined behavior. This can corrupt kernel memory or cause a crash, potentially enabling an attacker to gain arbitrary code execution or cause a denial of service.

Affected Systems

The vulnerability affects any Linux system that loads the ntb_hw_switchtec driver and configures the NTB with zero MW LUTs. The exact kernel version range is not specified, so all kernel releases that contain the vulnerable code before the patch are affected.

Risk and Exploitability

Because the flaw is in the kernel, it carries a significant impact if exploitable, although the lack of an EPSS score and KEV listing suggest no widespread, publicly available exploitation. The most likely attack vector would involve local or physical access to the NTB device, or a compromise that can alter driver configuration. Applying the patch that guards against the zero‑value case mitigates the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d652ef399f131fcd5f8f34266167449ee7c9e5b3
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5590cd04d6845c01a6bad985a491c58af6fb5389
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a11d03d116eef138a7249202bd772c8e61915aec
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d0559d07afabfddaaded6a61a16154486b956764
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2e4d5e8d86a969318340be95470bb76e52392082
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a133e3caf844a3f56b6eef89ddaa66115874f6bd
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 1a867d0d79a4a570a33f2f433919ad2bd7a27b67
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 186615f8855a0be4ee7d3fcd09a8ecc10e783b08

Linux

affected

Version	Status	Constraints
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d652ef399f131fcd5f8f34266167449ee7c9e5b3)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5590cd04d6845c01a6bad985a491c58af6fb5389)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a11d03d116eef138a7249202bd772c8e61915aec)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d0559d07afabfddaaded6a61a16154486b956764)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2e4d5e8d86a969318340be95470bb76e52392082)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a133e3caf844a3f56b6eef89ddaa66115874f6bd)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1a867d0d79a4a570a33f2f433919ad2bd7a27b67)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,186615f8855a0be4ee7d3fcd09a8ecc10e783b08)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the fix for ntb_hw_switchtec, referencing the kernel commits provided in the advisory.
If an immediate kernel upgrade is not possible, disable or unload the ntb driver (`rmmod ntb_hw_switchtec`) to prevent use of the vulnerable logic.
Monitor kernel logs for messages related to NTB or potential crashes that might indicate an exploitation attempt.

Generated by OpenCVE AI on May 6, 2026 at 13:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/186615f8855a0be4ee7d3fcd09a8ecc10e783b08
https://git.kernel.org/stable/c/1a867d0d79a4a570a33f2f433919ad2bd7a27b67
https://git.kernel.org/stable/c/2e4d5e8d86a969318340be95470bb76e52392082
https://git.kernel.org/stable/c/5590cd04d6845c01a6bad985a491c58af6fb5389
https://git.kernel.org/stable/c/a11d03d116eef138a7249202bd772c8e61915aec
https://git.kernel.org/stable/c/a133e3caf844a3f56b6eef89ddaa66115874f6bd
https://git.kernel.org/stable/c/d0559d07afabfddaaded6a61a16154486b956764
https://git.kernel.org/stable/c/d652ef399f131fcd5f8f34266167449ee7c9e5b3

History

Wed, 06 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190 CWE-682

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value.
Title		ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/186615f8855a0be4ee7d3fcd09a8ecc10e783b08 https://git.kernel.org/stable/c/1a867d0d79a4a570a33f2f433919ad2bd7a27b67 https://git.kernel.org/stable/c/2e4d5e8d86a969318340be95470bb76e52392082 https://git.kernel.org/stable/c/5590cd04d6845c01a6bad985a491c58af6fb5389 https://git.kernel.org/stable/c/a11d03d116eef138a7249202bd772c8e61915aec https://git.kernel.org/stable/c/a133e3caf844a3f56b6eef89ddaa66115874f6bd https://git.kernel.org/stable/c/d0559d07afabfddaaded6a61a16154486b956764 https://git.kernel.org/stable/c/d652ef399f131fcd5f8f34266167449ee7c9e5b3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:26.193Z

Updated: 2026-05-06T11:27:26.193Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43141

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:31.493

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object