{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43205","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.992Z","datePublished":"2026-05-06T11:28:10.270Z","dateUpdated":"2026-05-11T22:20:00.994Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:20:00.994Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: validate num_ifs to prevent out-of-bounds write\n\nThe driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()\nbut never validates it against DPSW_MAX_IF (64). This value controls\niteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices\ninto the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports\nnum_ifs >= 64, the loop can write past the array bounds.\n\nAdd a bound check for num_ifs in dpaa2_switch_init().\n\ndpaa2_switch_fdb_get_flood_cfg() appends the control interface (port\nnum_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all\nports match the flood filter, the loop fills all 64 slots and the control\ninterface write overflows by one entry.\n\nThe check uses >= because num_ifs == DPSW_MAX_IF is also functionally\nbroken.\n\nbuild_if_id_bitmap() silently drops any ID >= 64:\n      if (id[i] < DPSW_MAX_IF)\n          bmap[id[i] / 64] |= ..."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"],"versions":[{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"a26dda3bae469c8e4e1b1993ad33dafa32d0fc28","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"a3034a8d56174dd6464c46823438f25797910a8d","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"b690635d4719214892855b79ce018d4b1672ac96","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"8b841fd529db9faf8bc678d429d4bf4e98b10900","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"89764cf44544e943230f5e03b8c40a90da26537c","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"c18493f750208eb4ff1198fc5a02786b8b2d70a6","status":"affected","versionType":"git"},{"version":"539dda3c5d190c5088b5e57944b1b482fcb464de","lessThan":"8a5752c6dcc085a3bfc78589925182e4e98468c5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"],"versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28"},{"url":"https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d"},{"url":"https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96"},{"url":"https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900"},{"url":"https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c"},{"url":"https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6"},{"url":"https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5"}],"title":"dpaa2-switch: validate num_ifs to prevent out-of-bounds write","x_generator":{"engine":"bippy-1.2.0"}}}}