CVE-2026-23206

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw->ports[0]->netdev, which attempts to dereference ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. Add a check to ensure num_ifs is greater than zero after retrieving device attributes. This prevents the zero-sized allocations and subsequent invalid pointer dereference.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af	Patch
https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b	Patch
https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60	Patch
https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3	Patch
https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f	Patch
https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

History

19 Mar 2026, 16:34

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af -~~	() https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af - Patch
References	~~() https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b -~~	() https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b - Patch
References	~~() https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60 -~~	() https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60 - Patch
References	~~() https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3 -~~	() https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3 - Patch
References	~~() https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f -~~	() https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f - Patch
References	~~() https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66 -~~	() https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-476
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
First Time		Linux Linux linux Kernel

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: dpaa2-switch: evitar la desreferencia de ZERO_SIZE_PTR cuando num_ifs es cero El controlador asigna arreglos para puertos, FDBs y bloques de filtro usando kcalloc() con ethsw->sw_attr.num_ifs como el recuento de elementos. Cuando el dispositivo reporta cero interfaces (ya sea debido a la configuración del hardware o a problemas de firmware), kcalloc(0, ...) devuelve ZERO_SIZE_PTR (0x10) en lugar de NULL. Más tarde en dpaa2_switch_probe(), la inicialización de NAPI accede incondicionalmente a ethsw->ports[0]->netdev, lo que intenta desreferenciar ZERO_SIZE_PTR (dirección 0x10), resultando en un pánico del kernel. Añadir una verificación para asegurar que num_ifs sea mayor que cero después de recuperar los atributos del dispositivo. Esto evita las asignaciones de tamaño cero y la subsiguiente desreferencia de puntero inválido.

14 Feb 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-14 17:15

Updated : 2026-03-19 16:34

NVD link : CVE-2026-23206

Mitre link : CVE-2026-23206

CVE.ORG link : CVE-2026-23206

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10