CVE-2026-43205
Description
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.19.6-1 |
| debian | sid | fixed | 6.19.6-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | affected | 5.15.202 | |
| linux-kernel | 7.0 | affected | |
References
- https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c
- https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5
- https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900
- https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28
- https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d
- https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96
- https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6
- https://www.suse.com/security/cve/CVE-2026-43205.html
- https://security-tracker.debian.org/tracker/CVE-2026-43205
CWEs
CWE-787
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.