| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021438-CVE-2026-23206-ed03@gregkh> Date: Sat, 14 Feb 2026 17:29:03 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2026-23206: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw->ports[0]->netdev, which attempts to dereference ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. Add a check to ensure num_ifs is greater than zero after retrieving device attributes. This prevents the zero-sized allocations and subsequent invalid pointer dereference. The Linux kernel CVE team has assigned CVE-2026-23206 to this issue. Affected and fixed versions =========================== Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 5.15.200 with commit 2fcccca88456b592bd668db13aa1d29ed257ca2b Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 6.1.163 with commit 80165ff16051448d6f840585ebe13f2400415df3 Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 6.6.124 with commit b97415c4362f739e25ec6f71012277086fabdf6f Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 6.12.70 with commit 4acc40db06ffd0fd92683505342b00c8a7394c60 Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 6.18.10 with commit 155eb99aff2920153bf21217ae29565fff81e6af Issue introduced in 5.13 with commit 0b1b71370458860579831e77485883fcf2e8fbbe and fixed in 6.19 with commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-23206 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3 https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60 https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66
Powered by blists - more mailing lists