In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken.
build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
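The slot arithmetic behind the >= check can be verified with a bounds-safe model. This is an added example, not the kernel patch or the driver's code: struct flood_cfg, validate_num_ifs(), put_id() and flood_slots_needed() are hypothetical names, and only DPSW_MAX_IF (64) and the fill order (matched ports, then the control interface) are taken from the description above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define DPSW_MAX_IF 64 /* array size given in the advisory */

/* Simplified stand-in for the flood configuration; not the kernel struct. */
struct flood_cfg {
    uint16_t num_ifs;              /* entries actually stored */
    uint16_t if_id[DPSW_MAX_IF];
};

/* The init-time check: num_ifs == DPSW_MAX_IF is rejected as well. */
int validate_num_ifs(uint16_t num_ifs)
{
    return num_ifs >= DPSW_MAX_IF ? -EINVAL : 0;
}

/* Store one id only if a slot is free; always count the slot as needed. */
static void put_id(struct flood_cfg *cfg, size_t *needed, uint16_t id)
{
    if (*needed < DPSW_MAX_IF)
        cfg->if_id[cfg->num_ifs++] = id;
    (*needed)++;
}

/* Model of the fill order: every matching port, then the control interface
 * (port index num_ifs). match[] has num_ifs entries (hypothetical input).
 * Returns how many slots a fill without bounds checks would have written. */
size_t flood_slots_needed(struct flood_cfg *cfg, uint16_t num_ifs,
                          const uint8_t *match)
{
    size_t needed = 0;

    cfg->num_ifs = 0;
    for (uint16_t j = 0; j < num_ifs; j++)
        if (match[j])
            put_id(cfg, &needed, j);
    put_id(cfg, &needed, num_ifs); /* control interface goes last */
    return needed;
}

int main(void)
{
    uint8_t match[DPSW_MAX_IF];
    struct flood_cfg cfg;

    for (size_t i = 0; i < DPSW_MAX_IF; i++)
        match[i] = 1; /* constructed input: every port matches */
    /* 64 ports plus the control interface need 65 slots in a 64-entry array */
    return flood_slots_needed(&cfg, DPSW_MAX_IF, match) == DPSW_MAX_IF + 1 ? 0 : 1;
}
```

With num_ifs at 63 the same fill needs exactly 64 slots, which is why 63 is the largest value the check accepts.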
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43205.json",
"cna_assigner": "Linux"
}