CVE-2026-23206 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero

The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL.

Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw->ports[0]->netdev, which attempts to dereference
ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.

Add a check to ensure num_ifs is greater than zero after retrieving device attributes. This prevents the zero-sized allocations and subsequent invalid pointer dereference.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/06/2026

This vulnerability exists in the Linux kernel's dpaa2-switch driver where a specific condition leads to a kernel panic due to improper handling of zero-sized memory allocations. The issue occurs when the hardware or firmware reports zero interfaces for the device, causing the driver to attempt allocation of arrays with zero elements. The kcalloc function when called with a zero element count returns a special ZERO_SIZE_PTR value of 0x10 instead of NULL, which creates a dangerous situation where subsequent code attempts to dereference this invalid pointer.

The technical flaw manifests in the driver's initialization sequence where the ethsw->sw_attr.num_ifs field is used to determine array sizes for ports, FDBs, and filter blocks. When this value equals zero, the allocation succeeds but returns the ZERO_SIZE_PTR, which later gets dereferenced during NAPI initialization. The problematic access occurs at ethsw->ports[0]->netdev where the code assumes at least one valid port exists, but instead encounters the invalid pointer at address 0x10. This represents a classic case of improper bounds checking and memory allocation validation that violates the fundamental principle of null pointer dereference prevention.

The operational impact of this vulnerability is severe as it can cause immediate system crashes leading to kernel panics and complete system downtime. This affects systems running Linux kernels with the dpaa2-switch driver, particularly those using specific hardware platforms such as Freescale's DPAA2 (Data Path Acceleration Architecture 2) networking hardware. The vulnerability is exploitable in scenarios where hardware misconfiguration or firmware bugs result in zero interface reporting, making it a critical issue for production environments where system stability is paramount.

The root cause aligns with CWE-476 which addresses null pointer dereference vulnerabilities, and more specifically relates to CWE-682 which covers incorrect arithmetic operations. From an ATT&CK perspective, this vulnerability could be leveraged by adversaries to perform denial of service attacks against systems running affected kernel versions, potentially targeting network infrastructure or embedded systems that rely on DPAA2 hardware. The fix implemented involves adding a validation check to ensure num_ifs is greater than zero before proceeding with allocations, which prevents the zero-sized memory allocation and subsequent invalid pointer dereference, thereby aligning with defensive programming practices recommended in secure coding standards.

This vulnerability demonstrates the importance of proper input validation and memory allocation handling in kernel space code, where the consequences of insufficient bounds checking can result in complete system crashes. The mitigation approach of checking the interface count before allocation addresses the core issue by preventing the problematic execution path entirely, ensuring that the driver only proceeds when valid hardware configuration is present. This solution maintains system stability while preserving the intended functionality of the driver for legitimate use cases where interfaces are properly configured.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00114

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!