HIGH
mailbox ClusterCfg OOB
CVE-2026-43274
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()

The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu().
02 KernelScan AI Analysis
Risk summary
Systems running the Microchip IPC SBI mailbox driver (mchp-ipc-sbi) are exposed to kernel memory corruption through out-of-bounds array access. An attacker with local access to the system can trigger the vulnerable interrupt handler or driver initialization path, causing out-of-bounds reads and writes of kernel memory. Successful exploitation could leak limited kernel heap information or cause a kernel panic.
Vulnerability analysis
The vulnerability occurs because the cluster_cfg array is allocated with one entry per online CPU but indexed by hartid, and on RISC-V systems hart IDs can be non-contiguous or larger than the array's size. During driver initialization this results in out-of-bounds writes of IRQ numbers and buffer pointers; during interrupt handling the code performs out-of-bounds reads of kernel pointers and may dereference them, leading to further memory corruption or a kernel panic. The attack surface is limited to systems with this specific Microchip IPC hardware, and reaching the vulnerable code paths requires local privileged access.
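To make the index mismatch described above (and in the commit message) concrete, here is an added example, not the driver's own code, that models a cluster_cfg-style table sized by the number of online CPUs and fills it once by hartid, as the old code did, and once by cpuid, as the fix does. The slot struct, the store helper and the hart-ID layouts are constructed for illustration.

```c
/* Added example, not the kernel driver's code: models the index mismatch
 * behind CVE-2026-43274. A table sized by the number of online CPUs is
 * safe to index by cpuid (0..n-1) but not by hartid, which may start above
 * 0 or be sparse. Hart-ID layouts and the slot struct are constructed. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_CPUS 8
struct cfg_slot {          /* hypothetical stand-in for a per-cluster entry */
    int irq;
    const void *buf;
};

/* Bounds-checked store: the check the hartid-indexed loop lacked.
 * Refuses to write past the end of a num_online-sized table. */
bool store_slot(struct cfg_slot *tbl, size_t num_online, size_t idx,
                int irq, const void *buf)
{
    if (idx >= num_online)
        return false;
    tbl[idx].irq = irq;
    tbl[idx].buf = buf;
    return true;
}

/* Fills a num_online-sized table once per online cpu, indexing either by
 * hartid (the old code) or by cpuid (the fix). Returns how many writes the
 * bounds check rejected; each one is an out-of-bounds write in the old loop. */
size_t count_rejected_writes(const unsigned int *hartid_of_cpu,
                             size_t num_online, bool index_by_hartid)
{
    struct cfg_slot tbl[MAX_CPUS] = { 0 };
    size_t rejected = 0;
    for (size_t cpu = 0; cpu < num_online; cpu++) {
        size_t idx = index_by_hartid ? hartid_of_cpu[cpu] : cpu;
        if (!store_slot(tbl, num_online, idx, 100 + (int)cpu, NULL))
            rejected++;
    }
    return rejected;
}

/* Constructed hartid layouts for four online CPUs: contiguous from 0 (the
 * bug stays latent), contiguous from 1 (hart 0 left out of Linux, as on
 * boards with a separate monitor hart), and sparse. */
const unsigned int harts_from_zero[] = { 0, 1, 2, 3 };
const unsigned int harts_from_one[]  = { 1, 2, 3, 4 };
const unsigned int harts_sparse[]    = { 0, 2, 4, 6 };
const size_t n_cpus = 4;
```

With the first layout both indexing schemes stay in bounds, which is why the defect can go unnoticed on one board and corrupt memory on another; only the cpuid index is in bounds for every layout.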
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | 95438699c929 |
| 6.19 | 6.19.6 | 0442b6229e2e |
| mainline | 7.0 | f7c330a8c83c |