Bug 2467090 (CVE-2026-43205) - CVE-2026-43205 kernel: Linux kernel dpaa2-switch: Kernel memory corruption via out-of-bounds write
Summary: CVE-2026-43205 kernel: Linux kernel dpaa2-switch: Kernel memory corruption vi...
Keywords:
Status: NEW
Alias: CVE-2026-43205
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-06 13:03 UTC by OSIDB Bzimport
Modified: 2026-05-13 02:25 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-06 13:03:43 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.

build_if_id_bitmap() silently drops any ID >= 64:
      if (id[i] < DPSW_MAX_IF)
          bmap[id[i] / 64] |= ...
Comment 1 Keith Grant 2026-05-06 21:26:21 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050647-CVE-2026-43205-3180@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.