CVE-2026-43205

HIGH EPSS 3.6%
Published May 6, 20261mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 6, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥5.13  –  <5.15.202
linuxlinux_kernel*≥5.16  –  <6.1.165
linuxlinux_kernel*≥6.2  –  <6.6.128
linuxlinux_kernel*≥6.7  –  <6.12.75
linuxlinux_kernel*≥6.13  –  <6.18.16
linuxlinux_kernel*≥6.19  –  <6.19.6
linuxlinux_kernel7.0any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6
    Patch