Security Vulnerability Report
CVE-2026-43205 CVSS 7.8 HIGH

CVE-2026-43205

Published: 2026-05-06 12:16:40
Last Modified: 2026-05-11 19:59:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: validate num_ifs to prevent out-of-bounds write

The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.

Add a bound check for num_ifs in dpaa2_switch_init().

dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.

The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken.

build_if_id_bitmap() silently drops any ID >= 64:

    if (id[i] < DPSW_MAX_IF)
        bmap[id[i] / 64] |= ...

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (including versions before the specific fix commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * Conceptual PoC for CVE-2026-43205
 * This simulates the missing bounds check in the dpaa2-switch driver.
 */
#include <stdio.h>
#include <string.h>

#define DPSW_MAX_IF 64

struct dpsw_attr {
    int num_ifs;
};

struct fdb_cfg {
    int if_id[DPSW_MAX_IF];
};

// Simulating the vulnerable function dpaa2_switch_fdb_get_flood_cfg
void vulnerable_flood_cfg(struct dpsw_attr *sw_attr, struct fdb_cfg *cfg)
{
    // Vulnerability: No check for sw_attr->num_ifs >= DPSW_MAX_IF
    for (int i = 0; i < sw_attr->num_ifs; i++) {
        // This loop writes past the array if num_ifs > 64
        cfg->if_id[i] = i;
        printf("Writing index %d\n", i);
    }
    // The code appends the control interface here
    // If num_ifs == 64, this writes to cfg->if_id[64] (Out of bounds)
    cfg->if_id[sw_attr->num_ifs] = 0xFFFF;
    printf("Writing control interface at index %d\n", sw_attr->num_ifs);
}

int main(void)
{
    struct dpsw_attr malicious_attr;
    struct fdb_cfg cfg;

    // Initialize memory to detect overflow
    memset(&cfg, 0x41, sizeof(cfg));

    // Simulate firmware reporting a value >= 64
    malicious_attr.num_ifs = 64;
    printf("[+] Triggering PoC with num_ifs = %d\n", malicious_attr.num_ifs);
    vulnerable_flood_cfg(&malicious_attr, &cfg);
    printf("[-] Exploit finished. Memory corruption occurred at if_id[64].\n");
    return 0;
}
```
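The hardened form of the same logic, as an added userspace model written for this report (not the kernel's code): validated_switch_init() stands in for the fixed dpaa2_switch_init() and rejects num_ifs >= DPSW_MAX_IF, flood_cfg() models the matched-ports-then-control-interface loop, and the bitmap helper reproduces the "drop any ID >= 64" behaviour the commit text cites to justify using >= rather than >. The function names, the match_all() filter and the single-word bitmap are assumptions of this model.

```c
/* Added model of the fix for CVE-2026-43205 (assumed names, not kernel code).
 * Firmware-reported num_ifs is validated once, before it sizes any loop, so
 * the fixed cfg->if_id[DPSW_MAX_IF] table can always hold the matched ports
 * plus the control interface entry that follows them. */
#include <stdint.h>
#include <errno.h>

#define DPSW_MAX_IF 64

struct dpsw_attr { unsigned int num_ifs; };   /* value reported by firmware */
struct fdb_cfg   { uint16_t if_id[DPSW_MAX_IF]; unsigned int num_ifs; };

/* Models dpaa2_switch_init() after the fix: only 0..DPSW_MAX_IF-1 is accepted. */
int validated_switch_init(const struct dpsw_attr *attr, unsigned int *out_num_ifs)
{
    if (attr->num_ifs >= DPSW_MAX_IF)
        return -EINVAL;          /* reject untrusted firmware value up front */
    *out_num_ifs = attr->num_ifs;
    return 0;
}

static int match_all(unsigned int port) { (void)port; return 1; } /* worst-case filter */

/* Models dpaa2_switch_fdb_get_flood_cfg(): matched ports first, then the control
 * interface at index num_ifs. Returns entries written, or -1 if num_ifs is out of range. */
int flood_cfg(unsigned int num_ifs, int (*match)(unsigned int), struct fdb_cfg *cfg)
{
    unsigned int n = 0;
    if (num_ifs >= DPSW_MAX_IF)  /* same bound the init check enforces */
        return -1;
    for (unsigned int i = 0; i < num_ifs; i++)
        if (match(i))
            cfg->if_id[n++] = (uint16_t)i;
    cfg->if_id[n++] = (uint16_t)num_ifs;  /* fits: n <= num_ifs < 64 here */
    cfg->num_ifs = n;
    return (int)n;
}

/* Models build_if_id_bitmap(): IDs >= 64 are silently dropped, so with
 * num_ifs == 64 the control interface could never appear in the bitmap. */
uint64_t build_if_id_bitmap(const uint16_t *id, unsigned int n)
{
    uint64_t bmap = 0;           /* kernel indexes a word array by id / 64 */
    for (unsigned int i = 0; i < n; i++)
        if (id[i] < DPSW_MAX_IF)
            bmap |= (uint64_t)1 << id[i];
    return bmap;
}
```

With num_ifs = 63 and every port matching, the table is exactly full (63 ports plus the control interface at ID 63); with num_ifs = 64 the init check refuses the device instead of letting the control-interface write land one entry past the array.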

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43205", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:39.747", "lastModified": "2026-05-11T19:59:54.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: validate num_ifs to prevent out-of-bounds write\n\nThe driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()\nbut never validates it against DPSW_MAX_IF (64). This value controls\niteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices\ninto the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports\nnum_ifs >= 64, the loop can write past the array bounds.\n\nAdd a bound check for num_ifs in dpaa2_switch_init().\n\ndpaa2_switch_fdb_get_flood_cfg() appends the control interface (port\nnum_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all\nports match the flood filter, the loop fills all 64 slots and the control\ninterface write overflows by one entry.\n\nThe check uses >= because num_ifs == DPSW_MAX_IF is also functionally\nbroken.\n\nbuild_if_id_bitmap() silently drops any ID >= 64:\n if (id[i] < DPSW_MAX_IF)\n bmap[id[i] / 64] |= ..."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.202", "matchCriteriaId": "5A03991A-3AEB-4B4D-987D-1A1007DF71F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, 
{"url": "https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}