CVE-2026-43205

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dpaa2-switch: validate num_ifs to prevent out-of-bounds write<br /> <br /> The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()<br /> but never validates it against DPSW_MAX_IF (64). This value controls<br /> iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices<br /> into the fixed-size cfg-&gt;if_id[DPSW_MAX_IF] array. When firmware reports<br /> num_ifs &gt;= 64, the loop can write past the array bounds.<br /> <br /> Add a bound check for num_ifs in dpaa2_switch_init().<br /> <br /> dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port<br /> num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all<br /> ports match the flood filter, the loop fills all 64 slots and the control<br /> interface write overflows by one entry.<br /> <br /> The check uses &gt;= because num_ifs == DPSW_MAX_IF is also functionally<br /> broken.<br /> <br /> build_if_id_bitmap() silently drops any ID &gt;= 64:<br /> if (id[i]