HIGH
dpaa2-switch IRQ OOB
CVE-2026-23180
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since if_id can be any 16-bit value (0-65535) but the ports array is only allocated with sw_attr.num_ifs elements, this can lead to an out-of-bounds read potentially. Add a bounds check before accessing the array, consistent with the existing validation in dpaa2_switch_rx().
02KernelScan AI Analysis
Risk summary
Systems using Freescale DPAA2 switch hardware are vulnerable to an out-of-bounds read in the IRQ handler that can lead to a kernel panic. The vulnerability requires local access with low privileges to trigger hardware interrupts (e.g., via network interface manipulation), making it a concern for systems where untrusted users have local access or where the switch is deployed in multi-tenant environments.
Vulnerability analysis
The root cause is missing bounds validation in the IRQ handler when extracting if_id from the upper 16 bits of a hardware status register. The handler uses a 16-bit if_id value (0-65535) directly as an array index into ethsw->ports[] without checking against the actual array size (sw_attr.num_ifs). Because the index can vastly exceed the allocated array bounds, the out-of-bounds read will likely access unmapped kernel memory pages, resulting in a kernel panic—especially dangerous in interrupt context. A small amount of slab data may be leaked before the crash. The fix adds a bounds check before array access, consistent with existing validation in dpaa2_switch_rx().
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.200 | 77611cab5bdf |
| 6.1 | 6.1.163 | 34b56c16efd6 |
| 6.12 | 6.12.70 | 2447edc36780 |
| 6.18 | 6.18.10 | 1b381a638e18 |
| 6.6 | 6.6.124 | f89e33c9c37f |
| mainline | 6.19 | 31a7a0bbeb00 |