{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23206", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:29.095Z", "dateUpdated": "2026-05-11T22:02:22.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:22.500Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\n\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw->sw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\n\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw->ports[0]->netdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\n\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"], "versions": [{"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "2fcccca88456b592bd668db13aa1d29ed257ca2b", "status": "affected", "versionType": "git"}, {"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "80165ff16051448d6f840585ebe13f2400415df3", "status": "affected", "versionType": "git"}, {"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "b97415c4362f739e25ec6f71012277086fabdf6f", "status": "affected", "versionType": "git"}, {"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "4acc40db06ffd0fd92683505342b00c8a7394c60", "status": "affected", "versionType": "git"}, {"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "155eb99aff2920153bf21217ae29565fff81e6af", "status": "affected", "versionType": "git"}, {"version": "0b1b71370458860579831e77485883fcf2e8fbbe", "lessThan": "ed48a84a72fefb20a82dd90a7caa7807e90c6f66", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.200", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b"}, {"url": "https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3"}, {"url": "https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f"}, {"url": "https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60"}, {"url": "https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af"}, {"url": "https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66"}], "title": "dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "87005985-2B34-4396-9F44-650DB23E2D23", "versionEndExcluding": "5.15.200", "versionStartIncluding": "5.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9C856E1-4308-4C0B-A973-7DD375DF66C4", "versionEndExcluding": "6.1.163", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "76183B9F-CABE-4E21-A3E3-F0EBF99DC3C7", "versionEndExcluding": "6.6.124", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\n\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw->sw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\n\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw->ports[0]->netdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\n\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndpaa2-switch: evitar la desreferencia de ZERO_SIZE_PTR cuando num_ifs es cero\n\nEl controlador asigna arreglos para puertos, FDBs y bloques de filtro usando kcalloc() con ethsw->sw_attr.num_ifs como el recuento de elementos. Cuando el dispositivo reporta cero interfaces (ya sea debido a la configuraci\u00f3n del hardware o a problemas de firmware), kcalloc(0, ...) devuelve ZERO_SIZE_PTR (0x10) en lugar de NULL.\n\nM\u00e1s tarde en dpaa2_switch_probe(), la inicializaci\u00f3n de NAPI accede incondicionalmente a ethsw->ports[0]->netdev, lo que intenta desreferenciar ZERO_SIZE_PTR (direcci\u00f3n 0x10), resultando en un p\u00e1nico del kernel.\n\nA\u00f1adir una verificaci\u00f3n para asegurar que num_ifs sea mayor que cero despu\u00e9s de recuperar los atributos del dispositivo. Esto evita las asignaciones de tama\u00f1o cero y la subsiguiente desreferencia de puntero inv\u00e1lido."}], "id": "CVE-2026-23206", "lastModified": "2026-03-19T16:34:27.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:58.507", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/155eb99aff2920153bf21217ae29565fff81e6af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2fcccca88456b592bd668db13aa1d29ed257ca2b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4acc40db06ffd0fd92683505342b00c8a7394c60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/80165ff16051448d6f840585ebe13f2400415df3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b97415c4362f739e25ec6f71012277086fabdf6f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed48a84a72fefb20a82dd90a7caa7807e90c6f66"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero", "id": "2439943", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439943"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero\nThe driver allocates arrays for ports, FDBs, and filter blocks using\nkcalloc() with ethsw->sw_attr.num_ifs as the element count. When the\ndevice reports zero interfaces (either due to hardware configuration\nor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)\ninstead of NULL.\nLater in dpaa2_switch_probe(), the NAPI initialization unconditionally\naccesses ethsw->ports[0]->netdev, which attempts to dereference\nZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.\nAdd a check to ensure num_ifs is greater than zero after retrieving\ndevice attributes. This prevents the zero-sized allocations and\nsubsequent invalid pointer dereference."], "name": "CVE-2026-23206", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23206\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23206\nhttps://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23206-ed03@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,2fcccca88456b592bd668db13aa1d29ed257ca2b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,80165ff16051448d6f840585ebe13f2400415df3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,b97415c4362f739e25ec6f71012277086fabdf6f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,4acc40db06ffd0fd92683505342b00c8a7394c60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,155eb99aff2920153bf21217ae29565fff81e6af)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0b1b71370458860579831e77485883fcf2e8fbbe,ed48a84a72fefb20a82dd90a7caa7807e90c6f66)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.200,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.163,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.124,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:12:15.718898+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the dpaa2-switch zero\u2011size allocation check", "Disable the dpaa2-switch driver by removing the module or using modprobe -r dpaa2_switch if the kernel version cannot be updated immediately", "Ensure that the device firmware reports a non\u2011zero interface count or patch the firmware to prevent zero\u2011count reports", "Monitor system logs for kernel panic events related to dpaa2_switch and apply upstream patches as they become available"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (kernel panic)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any Linux kernel that includes the dpaa2-switch driver, including all 6.19 release candidates (6.19-rc1 through 6.19-rc8) and any later kernel releases that have not yet incorporated the fix. The affected vendor is Linux, product Linux kernel.", "description_and_impact": "The dpaa2-switch driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with a count derived from the device report. When the hardware reports zero interfaces, kcalloc(0,\u2026) returns a ZERO_SIZE_PTR instead of NULL, and a later unconditional dereference of this pointer inside dpaa2_switch_probe() causes a kernel panic. This results in a complete loss of system availability as the operating system crashes.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation in the wild is low, and the vulnerability does not appear in the CISA KEV catalog. Based on the description, the attack vector is inferred to be local or privileged\u2014an attacker would need to influence the device configuration or supply malformed firmware so that the driver probes with zero interfaces, triggering the crash."}}}}, "created": "2026-02-16T09:43:26.129366+00:00", "updated": "2026-04-18T12:15:15.786305+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}