HIGH
ntb MW Overflow
CVE-2026-43241
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI6.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS, This patch protects against invalid index out of bounds access to mw_sizes When invalid access print message to user that configuration is not valid.
02KernelScan AI Analysis
Risk summary
Systems with NTB (Non-Transparent Bridge) Switchtec hardware are vulnerable to kernel memory corruption through malicious or misconfigured hardware. An attacker with physical access could install crafted NTB devices that trigger out-of-bounds array writes during driver initialization, potentially leading to system crashes or code execution.
Vulnerability analysis
The vulnerability occurs in the switchtec_ntb_init_shared() function where the driver calculates an array index (idx = sndev->nr_direct_mw + i) based on hardware-reported NTB configuration without validating it against the MAX_MWS array boundary. This allows hardware to specify configurations that cause writes beyond the mw_sizes array bounds. The fix adds a bounds check that prevents the overflow and logs an error for invalid configurations. The attack surface is limited to physical access scenarios where an attacker can install or reconfigure NTB hardware.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 348e1ac9ad98 |
| 5.15 | 5.15.202 | ee02c4f980c9 |
| 6.1 | 6.1.165 | 740945de8960 |
| 6.12 | 6.12.75 | 0e9304209451 |
| 6.18 | 6.18.16 | 2346856b7482 |
| 6.19 | 6.19.6 | 47ce292dd45d |
| 6.6 | 6.6.128 | 85c9daa1f831 |
| mainline | 7.0 | c8ba7ad2cc1c |