CVE-2026-43241 Overview
CVE-2026-43241 is an array-index-out-of-bounds vulnerability in the Linux kernel's ntb_hw_switchtec driver. The flaw resides in the Non-Transparent Bridge (NTB) hardware driver for Microsemi Switchtec PCIe switches. The number of Memory Window (MW) Lookup Tables (LUTs) depends on the NTB configuration and can be set up to MAX_MWS. Without proper bounds enforcement, the driver could index past the end of the mw_sizes array. The upstream patch adds validation to reject invalid indices and prints a message to the user when the configuration is not valid.
Critical Impact
An invalid NTB configuration could trigger out-of-bounds memory access in kernel space, potentially leading to memory corruption or kernel instability.
Affected Products
- Linux kernel ntb_hw_switchtec driver
- Systems using Microsemi Switchtec PCIe NTB hardware
- Multiple stable Linux kernel branches (per upstream stable commits)
Discovery Timeline
- 2026-05-06 - CVE-2026-43241 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43241
Vulnerability Analysis
The vulnerability resides in the ntb_hw_switchtec driver, which exposes Non-Transparent Bridge functionality between PCIe hosts using Microsemi Switchtec switches. Memory Windows (MWs) are mapped regions that allow one host to access another host's memory across the NTB. Each MW has an associated size stored in the mw_sizes array. The number of MW LUTs depends on the runtime NTB configuration and can reach MAX_MWS. The driver did not validate the LUT index against the actual configuration before indexing into mw_sizes. An invalid index therefore reached the array, producing an out-of-bounds access in kernel memory.
Root Cause
The root cause is missing bounds validation in code paths that access mw_sizes using a configuration-dependent LUT index. The driver assumed the index would always fall within the valid range. When the NTB configuration produced an index beyond the configured number of MW LUTs, the access read or referenced memory adjacent to the array.
Attack Vector
The vulnerability is reachable through configurations that produce an invalid MW LUT index for the ntb_hw_switchtec driver. Triggering the condition requires the affected hardware and an invalid or unexpected NTB configuration on a system using Switchtec PCIe NTB. The patch replaces unchecked indexing with a guard that rejects invalid access and emits a diagnostic message indicating the configuration is not valid. Refer to the upstream fixes such as Linux Kernel Commit 0e93042 and Linux Kernel Commit 47ce292 for the implementation details.
Detection Methods for CVE-2026-43241
Indicators of Compromise
- Kernel log messages from the ntb_hw_switchtec driver indicating an invalid NTB configuration after patching.
- KASAN or slab-out-of-bounds reports referencing mw_sizes or functions in ntb_hw_switchtec.c on unpatched kernels.
- Unexpected kernel oops or panic traces originating from Switchtec NTB code paths.
Detection Strategies
- Inventory hosts running kernels with ntb_hw_switchtec loaded using lsmod | grep switchtec and correlate with kernel version data.
- Compare running kernel build identifiers against the fixed commits listed in the CVE references to identify unpatched systems.
- Enable KASAN in test environments to surface out-of-bounds accesses during NTB configuration validation.
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a central log platform and alert on warnings from the switchtec and ntb subsystems.
- Track kernel package versions across the fleet and flag deviations from approved patched builds.
- Monitor systems with PCIe NTB hardware more closely, since exposure is limited to that hardware class.
How to Mitigate CVE-2026-43241
Immediate Actions Required
- Update affected Linux systems to a kernel build that includes the upstream fix for the ntb_hw_switchtec out-of-bounds access.
- Identify hosts using Microsemi Switchtec PCIe NTB hardware and prioritize those for patching.
- Validate NTB configuration parameters against the documented number of MW LUTs supported by the deployed hardware.
Patch Information
The fix has been merged across multiple stable kernel branches. Reference commits include Linux Kernel Commit 0e93042, Linux Kernel Commit 2346856, Linux Kernel Commit 348e1ac, Linux Kernel Commit 47ce292, Linux Kernel Commit 740945d, Linux Kernel Commit 85c9daa, Linux Kernel Commit c8ba7ad, and Linux Kernel Commit ee02c4f. Apply the corresponding distribution kernel updates as they become available.
Workarounds
- If patching is not immediately possible and the hardware is not required, unload the module with modprobe -r ntb_hw_switchtec to remove the vulnerable code path.
- Restrict configuration of NTB MW LUT counts to values within the documented hardware limits.
- Restrict local administrative access to systems with Switchtec NTB hardware until the kernel is updated.
# Configuration example: verify kernel version and module status
uname -r
lsmod | grep ntb_hw_switchtec
# If unused, remove the vulnerable module until patched
sudo modprobe -r ntb_hw_switchtec
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
