HIGH
ntb LutInit Underflow
CVE-2026-43141
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI4.5MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value.
02KernelScan AI Analysis
Risk summary
Systems with Switchtec NTB hardware configured with zero memory window lookup tables can experience kernel crashes during driver initialization. This affects systems with specific NTB hardware configurations where the hardware reports zero MW LUTs.
Vulnerability analysis
The vulnerability occurs in the NTB Switchtec driver initialization code where rounddown_pow_of_two() is called on hardware-reported MW LUT counts without checking for zero values. When NTB hardware is configured with zero memory window lookup tables, the function receives zero as input, causing undefined behavior in the underlying shift operations. The fix adds zero-checks before calling rounddown_pow_of_two() for both local and peer MW LUT counts. This is a physical access vulnerability requiring specific Switchtec NTB hardware to be present and configured in a particular way.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | d652ef399f13 |
| 5.15 | 5.15.202 | 5590cd04d684 |
| 6.1 | 6.1.165 | a11d03d116ee |
| 6.12 | 6.12.75 | 2e4d5e8d86a9 |
| 6.18 | 6.18.16 | a133e3caf844 |
| 6.19 | 6.19.6 | 1a867d0d79a4 |
| 6.6 | 6.6.128 | d0559d07afab |
| mainline | 7.0 | 186615f8855a |