HIGH
mailbox IndexXlate OOB
CVE-2026-43281
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 5.6 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()

Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and `of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.
02 KernelScan AI Analysis
Risk summary
Systems with mailbox hardware controllers and malformed device tree entries with #mbox-cells = 0 are at risk. An attacker with root access could trigger out-of-bounds memory access leading to information disclosure, limited kernel memory corruption, or kernel crashes. The vulnerability affects embedded systems and SoCs that use mailbox controllers for inter-processor communication.
Vulnerability analysis
The fw_mbox_index_xlate() function in the mailbox subsystem fails to validate that sp->nargs is at least 1 before accessing sp->args[0]. When device tree entries specify #mbox-cells = 0, the nargs field becomes 0 but the code still attempts to read args[0], causing an out-of-bounds array access. Additionally, the original code assigned args[0] to a signed int ind, allowing a crafted 32-bit cell value to wrap to a negative index and bypass the num_chans bounds check. The returned struct mbox_chan pointer is then written to by the caller (e.g., chan->cl, chan->con_priv), turning the out-of-bounds read into subsequent out-of-bounds writes. The fix adds proper bounds checking by verifying sp->nargs >= 1 before array access and removes the signed integer truncation by comparing the u64 value directly against num_chans.
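A user-space model of the two checks the analysis above describes, added here as an illustration; it is not the kernel's code or the patch. The struct names, the `REJECT` sentinel, the fixed 8-slot `args` array and the signed `num_chans` are assumptions of the model, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_ARGS 8            /* assumed size of the args array */
#define REJECT (-1000000L)          /* model's stand-in for an error return */

/* Hypothetical user-space stand-ins, not the kernel's structures. */
struct model_args { unsigned int nargs; uint64_t args[MODEL_MAX_ARGS]; };
struct model_mbox { int num_chans; };   /* signed count: an assumption */

/* Pre-fix logic as the analysis describes it: nargs is never consulted and
 * the cell is narrowed to a signed int before the bounds check. Returns the
 * element index that would be used to pick a channel, or REJECT. */
static long xlate_before(const struct model_mbox *m, const struct model_args *sp)
{
    int ind = (int)sp->args[0];     /* 0xFFFFFFFF becomes -1 with gcc/clang */

    if (ind >= m->num_chans)
        return REJECT;
    return ind;                     /* a negative index passes the check */
}

/* Post-fix logic as described: require nargs >= 1 and compare the unsigned
 * 64-bit cell directly against num_chans, with no narrowing. */
static long xlate_after(const struct model_mbox *m, const struct model_args *sp)
{
    if (sp->nargs < 1 || sp->args[0] >= (uint64_t)m->num_chans)
        return REJECT;
    return (long)sp->args[0];
}

int main(void)
{
    struct model_mbox m = { .num_chans = 4 };
    /* Constructed inputs: a valid cell, a "#mbox-cells = <0>" reference whose
     * args[0] slot holds a leftover 3, and a cell that narrows to -1. */
    struct model_args cases[] = {
        { 1, { 2 } }, { 0, { 3 } }, { 1, { 0xFFFFFFFFu } },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("nargs=%u cell=0x%llx before=%ld after=%ld\n",
               cases[i].nargs, (unsigned long long)cases[i].args[0],
               xlate_before(&m, &cases[i]), xlate_after(&m, &cases[i]));
    return 0;
}
```

Only the valid reference is accepted by both versions; the zero-cell and wrapped-cell inputs yield an index under the old check and are rejected by the new one.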
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 2c7ff651ec6b |
| 5.15 | 5.15.209 | ec0874447895 |
| 6.1 | 6.1.167 | 2662ed331a69 |
| 6.6 | 6.6.130 | 31c4c67dec33 |
| 6.12 | 6.12.77 | 01d9a8c2615d |
| 6.18 | 6.18.16 | 4caae8168d1b |
| 6.19 | 6.19.6 | f50b39fd7c72 |
| mainline | 7.0 | fcd7f96c7836 |