HIGH Published 2026-04-03

dpaa2-switch IRQ Storm

CVE-2026-23422

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI7.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an out-of-bounds access. If an out-of-bounds if_id is detected, the interrupt status is not cleared. This may result in an interrupt storm. Clear the interrupt status after detecting an out-of-bounds if_id to avoid the problem. Found by an experimental AI code review agent at Google.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

An interrupt storm vulnerability in the DPAA2 switch driver can cause system performance degradation or denial of service when invalid interface IDs are received in hardware interrupts. The system becomes unresponsive due to excessive interrupt handling overhead.

Affecteddrivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c

Vulnerability analysis

Root Cause: A previous bounds check fix (commit 31a7a0bbeb00) added validation for if_id in the IRQ handler to prevent out-of-bounds array access, but failed to clear the interrupt status when an invalid if_id is detected. This causes the hardware interrupt to remain asserted, leading to an interrupt storm where the same invalid interrupt is repeatedly triggered.

Attack Surface: This affects systems using Freescale DPAA2 switch hardware. An attacker with the ability to manipulate hardware interrupt status registers (potentially through DMA attacks, hardware bugs, or malicious firmware) could trigger invalid if_id values to cause a denial of service through interrupt storms that consume CPU resources and potentially make the system unresponsive.

Fix Mechanism: The patch modifies the error handling path to ensure the interrupt status is cleared even when an out-of-bounds if_id is detected. It changes the 'goto out;' to 'goto out_clear;' so that dpsw_clear_irq_status() is called before returning, preventing the interrupt from being retriggered.

03Fix Versions

Branch	Fixed in	Patch commit
5.15	5.15.203	`7def51cb9fb8`
6.1	6.1.167	`b5bababe7703`
6.12	6.12.77	`fa4412cdc517`
6.18	6.18.17	`00f42ace446f`
6.19	6.19.7	`28fd8ac1d493`
6.6	6.6.130	`c7becfe3e604`
mainline	7.0	`74badb9c20b1`