Description
In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.

build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The dpaa2-switch driver in the Linux kernel reads a numeric value, num_ifs, supplied by firmware without proper bounds checking. The driver assumes that this value never exceeds 64 interfaces and writes the interface indices into a statically sized array of 64 elements. If the firmware provides a value of 64 or greater, the driver writes beyond the end of the array, corrupting neighboring memory. Such memory corruption in kernel space may allow a malicious user to gain elevated privileges or disrupt system operation, potentially leading to a crash or arbitrary code execution.

Affected Systems

All Linux kernel installations that include the dpaa2-switch driver without the recent bound‑check patch are affected. This encompasses any system using the upstream Linux kernel in the CPE namespace cpe:2.3:o:linux:linux_kernel:* Although no specific version range is listed, the vulnerability exists in kernels prior to the commit that introduced the num_ifs validation.

Risk and Exploitability

The vulnerability is not currently listed in CISA's KEV catalogue and no EPSS score is available, so the statistical likelihood of exploitation is undetermined. However, because it is an out‑of‑bounds write in kernel code, the potential impact is severe should an attacker be able to supply a malicious firmware value or otherwise influence the num_ifs parameter. The attack vector is inferred to be local or device‑level, requiring control over firmware or the network device that feeds into the driver.

Generated by OpenCVE AI on May 6, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a Linux kernel version that includes the dpaa2-switch num_ifs bound‑check or apply the upstream patch committing the validation.
  • If a kernel update cannot be applied immediately, enforce firmware validation to ensure the num_ifs value never exceeds 63 by configuring the device firmware or restricting firmware updates to trusted sources.
  • Secure the firmware update pathway and limit untrusted device firmware from being loaded into the system to prevent malicious values from reaching the driver.

Generated by OpenCVE AI on May 6, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
Title dpaa2-switch: validate num_ifs to prevent out-of-bounds write
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:10.270Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43205

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:39.747

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43205

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses