CVE-2026-43141 Overview
CVE-2026-43141 is a Linux kernel vulnerability in the ntb_hw_switchtec driver. The flaw is a shift-out-of-bounds condition triggered when the number of Memory Window Lookup Tables (MW LUTs) is configured to zero. Under that configuration, the driver invokes rounddown_pow_of_two on a zero value, which produces undefined behavior. The Non-Transparent Bridge (NTB) hardware switch driver is used to enable PCIe-based communication between independent host systems. Kernel maintainers have resolved the issue by ensuring rounddown_pow_of_two is only called on valid, non-zero values.
Critical Impact
A zero-value MW LUT configuration triggers undefined behavior in the kernel driver, potentially leading to system instability or denial of service on hosts using Switchtec NTB hardware.
Affected Products
- Linux kernel versions containing the ntb_hw_switchtec driver prior to the fix commits
- Systems using Microsemi/Microchip Switchtec PCIe switches with NTB functionality
- Distributions shipping affected stable kernel branches referenced in the patch series
Discovery Timeline
- 2026-05-06 - CVE-2026-43141 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43141
Vulnerability Analysis
The vulnerability resides in the Switchtec NTB hardware driver (ntb_hw_switchtec) within the Linux kernel. The driver determines the number of available MW LUTs based on NTB configuration values supplied by the underlying hardware. When this count is zero, the driver still passes the value to rounddown_pow_of_two, a kernel helper that rounds an integer down to the nearest power of two.
The rounddown_pow_of_two macro is undefined for an input of zero. Internally it relies on bit-shift operations whose shift amount becomes negative or out of range when the input is zero. This produces a shift-out-of-bounds condition that the Undefined Behavior Sanitizer (UBSAN) flags at runtime.
The fix adds a guard so rounddown_pow_of_two is invoked only when the MW LUT count is non-zero. This prevents the undefined behavior path from executing during driver initialization on hardware configurations that expose zero MW LUTs.
Root Cause
The root cause is missing input validation before performing a power-of-two reduction. The driver assumed the LUT count would always be a positive integer, but the NTB configuration permits a value of zero. Calling rounddown_pow_of_two(0) evaluates a left-shift by a negative count, which is undefined behavior in C.
Attack Vector
The trigger requires a specific NTB hardware configuration in which the number of MW LUTs is zero. An attacker would generally need local access or the ability to influence NTB configuration to reach the vulnerable code path. The primary observed impact is kernel-level undefined behavior during driver initialization, which can manifest as instability on affected hosts.
The vulnerability is described in prose only because no public proof-of-concept exploit has been released. Refer to the upstream patches for technical specifics, including Kernel Patch Commit 186615f and Kernel Patch Commit d652ef3.
Detection Methods for CVE-2026-43141
Indicators of Compromise
- UBSAN warnings in kernel logs referencing shift-out-of-bounds originating from ntb_hw_switchtec
- Kernel stack traces during module load that include rounddown_pow_of_two and Switchtec NTB initialization functions
- Unexpected reboots or instability on hosts equipped with Switchtec PCIe switches configured for NTB
Detection Strategies
- Inventory kernels running across the fleet and compare build versions against the fixed commits in the upstream stable branches
- Enable CONFIG_UBSAN_SHIFT on test kernels to surface the undefined behavior during driver load
- Audit hosts that load ntb_hw_switchtec and verify their NTB MW LUT configuration
Monitoring Recommendations
- Forward dmesg and journald kernel logs to a centralized logging or SIEM platform and alert on UBSAN entries
- Track loaded kernel modules across servers and flag systems still running unpatched ntb_hw_switchtec
- Monitor host availability and crash telemetry for systems using Switchtec NTB hardware
How to Mitigate CVE-2026-43141
Immediate Actions Required
- Apply the upstream kernel patches that guard rounddown_pow_of_two against zero-valued MW LUT counts
- Update to a kernel build that includes the fix from your distribution vendor
- Restrict local access on systems using Switchtec NTB hardware until the patched kernel is deployed
Patch Information
The fix is distributed across multiple stable branches. Relevant commits include Kernel Patch Commit 186615f, Kernel Patch Commit 1a867d0, Kernel Patch Commit 2e4d5e8, Kernel Patch Commit 5590cd0, Kernel Patch Commit a11d03d, Kernel Patch Commit a133e3c, Kernel Patch Commit d0559d0, and Kernel Patch Commit d652ef3. The patch ensures rounddown_pow_of_two is invoked only on valid non-zero values.
Workarounds
- Blacklist the ntb_hw_switchtec kernel module on systems that do not require Switchtec NTB functionality
- Reconfigure NTB hardware to expose a non-zero number of MW LUTs where supported by the platform
- Limit physical and administrative access to hosts running affected kernels until patches are applied
# Configuration example
# Prevent the affected driver from loading until the patched kernel is deployed
echo "blacklist ntb_hw_switchtec" | sudo tee /etc/modprobe.d/blacklist-ntb-switchtec.conf
sudo update-initramfs -u
# Verify the running kernel and module status
uname -r
lsmod | grep ntb_hw_switchtec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
