Description
In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.

build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The dpaa2-switch driver in the Linux kernel reads a numeric value, num_ifs, supplied by firmware without proper bounds checking. The driver assumes that this value never exceeds 64 interfaces and writes the interface indices into a statically sized array of 64 elements. If the firmware provides a value of 64 or greater, the driver writes beyond the end of the array, corrupting neighboring memory. Such memory corruption in kernel space may allow a malicious user to gain elevated privileges or disrupt system operation, potentially leading to a crash or arbitrary code execution.

Affected Systems

All Linux kernel installations that include the dpaa2-switch driver without the recent bound‑check patch are affected. This encompasses any system using the upstream Linux kernel. Although no specific version range is listed, the vulnerability exists in kernels prior to the commit that introduced the num_ifs validation.

Risk and Exploitability

The vulnerability is not currently listed in CISA's KEV catalogue and an EPSS score of 0.00024 (< 1%) is available, so the statistical likelihood of exploitation is undetermined. However, because it is an out‑of‑bounds write in kernel code, the potential impact is severe should an attacker be able to supply a malicious firmware value or otherwise influence the num_ifs parameter. The is inferred to be local or device‑level, requiring control over firmware or the network device that feeds into the driver. The CVSS score of 7.8 indicates high severity.

Generated by OpenCVE AI on May 11, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a Linux kernel version that includes the dpaa2-switch num_ifs bound‑check or apply the upstream patch committing the validation.
  • If a kernel update cannot be applied immediately, enforce firmware validation to ensure the num_ifs value never exceeds 63 by configuring the device firmware or restricting firmware updates to trusted sources.
  • Secure the firmware update pathway and limit untrusted device firmware from being loaded into the system to prevent malicious values from reaching the driver.

Generated by OpenCVE AI on May 11, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Thu, 07 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
Title dpaa2-switch: validate num_ifs to prevent out-of-bounds write
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:00.994Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43205

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:39.747

Modified: 2026-05-11T19:59:54.157

Link: CVE-2026-43205

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43205 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:00:04Z

Weaknesses