CVE-2026-43372 Overview
CVE-2026-43372 is a medium-severity vulnerability in the Linux kernel's Distributed Switch Architecture (DSA) subsystem, specifically in the Microchip KSZ switch driver. The flaw resides in the Precision Time Protocol (PTP) interrupt request (IRQ) setup routine ksz_ptp_irq_setup(). When request_threaded_irq() fails during PTP message IRQ initialization, the newly created IRQ mapping is not disposed, leaving an orphaned resource. The error path only frees mappings that were successfully set up, missing the failed mapping. The issue affects Linux kernel version 6.18 and several 7.0 release candidates.
Critical Impact
A local attacker with low privileges can trigger repeated PTP IRQ setup failures to exhaust kernel IRQ mapping resources, leading to availability loss on systems using Microchip DSA-managed switches.
Affected Products
- Linux kernel 6.18
- Linux kernel 7.0-rc1, 7.0-rc2, 7.0-rc3
- Systems using the net/dsa/microchip driver with PTP enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43372 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43372
Vulnerability Analysis
The vulnerability exists in the Linux kernel networking stack, within the Microchip DSA driver responsible for managing KSZ-family Ethernet switches. PTP support in this driver requires per-port IRQ mappings to handle hardware timestamping events. The ksz_ptp_irq_setup() function iterates over PTP message IRQs, creating an IRQ domain mapping for each and then calling request_threaded_irq() to register a handler.
When request_threaded_irq() fails for a given IRQ, the function's error path unwinds only the previously successful mappings. The mapping just created for the failing IRQ is never released through irq_dispose_mapping(). This leaves a dangling entry in the IRQ domain.
Repeated triggering of this failure path leaks IRQ descriptors and domain entries. Over time, this exhausts kernel resources and can destabilize the networking subsystem on affected hardware platforms.
Root Cause
The root cause is incomplete cleanup logic in an error handling path, classified by NVD as NVD-CWE-noinfo but consistent with resource leak patterns. The fix disposes the newly created mapping when its associated request_threaded_irq() call fails, ensuring symmetric allocation and release semantics in the failure case.
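A user-space model of the error path described above, added here as an illustration; it is not the kernel driver's code. The model_* names, NIRQS, DOMAIN_SIZE and leaked_after() are assumptions, and the dispose_on_fail flag switches between the leaking error path and the corrected one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NIRQS 3          /* PTP message IRQs per port in this model (assumed) */
#define DOMAIN_SIZE 64   /* capacity of the modelled IRQ domain (assumed) */
static bool mapped[DOMAIN_SIZE];  /* stand-in for IRQ domain entries */
/* Model irq_create_mapping() (a free slot, or -1 when full) and irq_dispose_mapping(). */
static int model_create_mapping(void)
{
    for (int v = 0; v < DOMAIN_SIZE; v++)
        if (!mapped[v]) { mapped[v] = true; return v; }
    return -1;
}
static void model_dispose_mapping(int v) { mapped[v] = false; }

/* One setup pass; the handler request for index fail_at is made to fail. */
static int model_ptp_irq_setup(bool dispose_on_fail, int fail_at)
{
    int virq[NIRQS], i;
    for (i = 0; i < NIRQS; i++) {
        if ((virq[i] = model_create_mapping()) < 0)
            goto unwind;
        if (i == fail_at) {        /* stands in for request_threaded_irq() < 0 */
            if (dispose_on_fail)   /* corrected path: release the new mapping */
                model_dispose_mapping(virq[i]);
            goto unwind;
        }
    }
    return 0;
unwind:                            /* reaches only the earlier, successful entries */
    while (i--) model_dispose_mapping(virq[i]);
    return -1;
}

/* Runs `attempts` failing setups from a clean domain; returns leaked entries. */
static int leaked_after(bool dispose_on_fail, int attempts, int fail_at)
{
    int n = 0;
    memset(mapped, 0, sizeof(mapped));
    while (attempts--) model_ptp_irq_setup(dispose_on_fail, fail_at);
    for (int v = 0; v < DOMAIN_SIZE; v++) n += mapped[v];
    return n;
}

int main(void)
{
    printf("unfixed %d, fixed %d\n", leaked_after(false, 5, 1), leaked_after(true, 5, 1));
}
```

In the model, each failing pass on the uncorrected path leaves one entry behind until the domain is full, after which even the first mapping of a pass can no longer be created.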
Attack Vector
Exploitation requires local access with low privileges on a system using a Microchip DSA switch driver with PTP enabled. An attacker capable of repeatedly triggering driver probe or PTP setup failures, for example through device manipulation or repeated module load operations, can incrementally leak IRQ resources. The impact is denial of service through availability loss, with no impact on confidentiality or integrity.
No public exploit code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score reflects a low likelihood of exploitation in the wild.
Detection Methods for CVE-2026-43372
Indicators of Compromise
- Kernel log messages from the ksz or dsa subsystem reporting request_threaded_irq failures during PTP setup
- Growing IRQ descriptor counts visible in /proc/interrupts without corresponding device additions
- Repeated module load and unload events for ksz_common, ksz9477, or related Microchip DSA drivers
Detection Strategies
- Monitor kernel ring buffer output via dmesg for PTP IRQ setup errors on networking equipment running affected kernel versions
- Audit installed kernel versions across the fleet against the patched commits 3704ac6, 6c58a9f, 99c8c16, c2d1d41, and e80fef3
- Correlate networking driver errors with abnormal local process activity that may be probing the driver
Monitoring Recommendations
- Track IRQ allocation trends and alert on sustained growth without hardware changes
- Forward kernel logs from embedded and network appliance Linux systems to centralized log analysis
- Inventory devices using Microchip KSZ switches with PTP enabled to scope exposure
How to Mitigate CVE-2026-43372
Immediate Actions Required
- Identify Linux systems running kernel 6.18 or 7.0-rc1 through rc3 with the Microchip DSA driver loaded
- Apply the upstream stable kernel fix incorporating the referenced commits as soon as vendor builds are available
- Restrict local access to systems exposing the affected driver to trusted administrators
Patch Information
The fix has been merged into the mainline and stable Linux kernel trees. Affected users should update to a kernel containing one of the following commits: 3704ac6, 6c58a9f, 99c8c16, c2d1d41, or e80fef3. Distribution maintainers will backport the fix into supported stable branches.
Workarounds
- Disable PTP functionality on Microchip DSA switches where hardware timestamping is not required
- Avoid loading the ksz DSA driver on systems that do not require Microchip switch management
- Limit local user accounts and process privileges on affected appliances until patches are applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


