{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23180", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.984Z", "datePublished": "2026-02-14T16:27:11.463Z", "dateUpdated": "2026-05-11T22:01:52.245Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:52.245Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: add bounds check for if_id in IRQ handler\n\nThe IRQ handler extracts if_id from the upper 16 bits of the hardware\nstatus register and uses it to index into ethsw->ports[] without\nvalidation. Since if_id can be any 16-bit value (0-65535) but the ports\narray is only allocated with sw_attr.num_ifs elements, this can lead to\nan out-of-bounds read potentially.\n\nAdd a bounds check before accessing the array, consistent with the\nexisting validation in dpaa2_switch_rx()."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"], "versions": [{"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "77611cab5bdfff7a070ae574bbfba20a1de99d1b", "status": "affected", "versionType": "git"}, {"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "34b56c16efd61325d80bf1d780d0e176be662f59", "status": "affected", "versionType": "git"}, {"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "f89e33c9c37f0001b730e23b3b05ab7b1ecface2", "status": "affected", "versionType": "git"}, {"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "2447edc367800ba914acf7ddd5d250416b45fb31", "status": "affected", "versionType": "git"}, {"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "1b381a638e1851d8cfdfe08ed9cdbec5295b18c9", "status": "affected", "versionType": "git"}, {"version": "24ab724f8a4661b2dc8e696b41df93bdc108f7a1", "lessThan": "31a7a0bbeb006bac2d9c81a2874825025214b6d8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.200", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b"}, {"url": "https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59"}, {"url": "https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2"}, {"url": "https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31"}, {"url": "https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9"}, {"url": "https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8"}], "title": "dpaa2-switch: add bounds check for if_id in IRQ handler", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: add bounds check for if_id in IRQ handler\n\nThe IRQ handler extracts if_id from the upper 16 bits of the hardware\nstatus register and uses it to index into ethsw->ports[] without\nvalidation. Since if_id can be any 16-bit value (0-65535) but the ports\narray is only allocated with sw_attr.num_ifs elements, this can lead to\nan out-of-bounds read potentially.\n\nAdd a bounds check before accessing the array, consistent with the\nexisting validation in dpaa2_switch_rx()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndpaa2-switch: a\u00f1adir comprobaci\u00f3n de l\u00edmites para if_id en el manejador IRQ\n\nEl manejador IRQ extrae if_id de los 16 bits superiores del registro de estado del hardware y lo utiliza para indexar en ethsw->ports[] sin validaci\u00f3n. Dado que if_id puede ser cualquier valor de 16 bits (0-65535) pero el array de puertos solo se asigna con elementos sw_attr.num_ifs, esto puede llevar a una posible lectura fuera de l\u00edmites.\n\nA\u00f1adir una comprobaci\u00f3n de l\u00edmites antes de acceder al array, consistente con la validaci\u00f3n existente en dpaa2_switch_rx()."}], "id": "CVE-2026-23180", "lastModified": "2026-04-15T14:34:27.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-02-14T17:15:55.747", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b381a638e1851d8cfdfe08ed9cdbec5295b18c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2447edc367800ba914acf7ddd5d250416b45fb31"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/31a7a0bbeb006bac2d9c81a2874825025214b6d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/77611cab5bdfff7a070ae574bbfba20a1de99d1b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f89e33c9c37f0001b730e23b3b05ab7b1ecface2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: dpaa2-switch: add bounds check for if_id in IRQ handler", "id": "2439884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439884"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23180", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23180\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23180\nhttps://lore.kernel.org/linux-cve-announce/2026021429-CVE-2026-23180-19a8@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,77611cab5bdfff7a070ae574bbfba20a1de99d1b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,34b56c16efd61325d80bf1d780d0e176be662f59)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,f89e33c9c37f0001b730e23b3b05ab7b1ecface2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,2447edc367800ba914acf7ddd5d250416b45fb31)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,1b381a638e1851d8cfdfe08ed9cdbec5295b18c9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[24ab724f8a4661b2dc8e696b41df93bdc108f7a1,31a7a0bbeb006bac2d9c81a2874825025214b6d8)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.200,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.163,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.124,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T20:31:18.138493+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that includes the dpaa2\u2011switch bounds\u2011check patch (commits referenced in the advisory).", "If a kernel update cannot be made immediately, disable the dpaa2\u2011switch driver or the associated device to prevent the vulnerable IRQ handler from executing.", "Monitor system logs for signs of out\u2011of\u2011bounds read attempts and configure audit rules to flag repeated access to critical registers."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Linux kernel\u2019s dpaa2\u2011switch module. Any kernel containing the unpatched dpaa2\u2011switch code, regardless of release level, is affected. The issue is not limited to a single kernel version; all builds from the time the code was introduced up to the date of the patch are vulnerable.", "description_and_impact": "In the Linux kernel, the dpaa2\u2011switch driver extracts an interface identifier from the upper 16 bits of a hardware status register and indexes into an internal ports array without validating that the identifier is within bounds. Because the if_id value can be any 16\u2011bit number while the array is sized only to the number of configured interfaces, an out\u2011of\u2011bounds read can occur. This flaw may expose kernel memory contents or cause a crash, potentially allowing an attacker to glean sensitive information.", "risk_and_exploitability": "The flaw carries a CVSS base score of 7.0, indicating moderate severity. The EPSS score is under 1\u202f%, reflecting a very low exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would likely require local or privileged access to a device that triggers the dpaa2\u2011switch IRQ handler, making it practical mainly for attackers with physical or kernel-level access."}}}}, "created": "2026-02-16T09:43:56.989792+00:00", "updated": "2026-04-15T20:45:06.373393+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-125"]}