CVE-2026-53215 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: refill RX buffers before XDP or skb use

The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.

Published: 2026-06-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The driver for the mvpp2 network interface incorrectly returns a receive buffer to the hardware buffer manager after that buffer has already been passed to XDP processing or attached to an skb. Because the kernel no longer owns the buffer at this point, the hardware may DMA into memory that has been freed or repurposed, resulting in kernel memory corruption or leakage of sensitive data. This flaw allows an attacker to corrupt the integrity of protected memory and potentially read or overwrite critical data in the kernel space.

Affected Systems

All Linux kernel installations that ship with the mvpp2 driver before the patch are affected. The original CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. No explicit version range is listed, so any kernel that includes the pre‑patch mvpp2 driver is vulnerable until the firmware or kernel is upgraded to a release that contains the fix introduced in the commit 02e1b5c4d3b4c658b72c145427cded1bba613fc1 and the subsequent associated patches.

Risk and Exploitability

The vulnerability can be triggered by crafted network traffic that forces the driver to hand a receive buffer to the XDP or skb paths. Once a packet follows that path, a race can occur between buffer reuse and DMA, producing a window where the hardware writes to unowned memory. No EPSS value is available and the vulnerability is not currently listed in the CISA KEV catalog, but the kernel‑level nature of the bug and the potential for arbitrary memory corruption indicate a high severity if exploited. The attack is likely remote, requiring network access to the affected interface, and could lead to arbitrary code execution if an attacker successfully corrupts kernel memory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< a88b3293b556f4d8fba11db9a8061a6b0d3b69e6
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< a03cdcedb2cbcc42551dc3e4746929e93c5352d5
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< 580f92f27cb8724bcc4be98ee89890eab524a2ae
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< d0c8c4fbd22d260fe28530260656c5fb3c20ce84
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< 8a2126c5afe89f8ceeb60a3afb9f075b736194cd
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< 02e1b5c4d3b4c658b72c145427cded1bba613fc1
`07dd0a7aae7f72af7cec18909581c2bb570edddc`	affected	< 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6
`95a936364f2685e9e040c6b179b553604d96de22`	affected	—
`fba2cf348d9eb50b2049a73cc09313dab6d293f1`	affected	—
`5.7.15`	affected	< 5.8
`5.8.2`	affected	< 5.9

Linux

affected

Version	Status	Constraints
`5.9`	affected	—
`0`	unaffected	< 5.9
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch for the mvpp2 driver (see commit 02e1b5c4d3b4c658b72c145427cded1bba613fc1).
If a distribution update is not available, download the patch, apply it to the mvpp2 driver source, and rebuild the kernel module.
As an interim measure, disable XDP processing (e.g., using ethtool -K <iface> xdp off) or remove the mvpp2 interface from active use until the kernel can be upgraded.

Generated by OpenCVE AI on June 25, 2026 at 11:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1
https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae
https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6
https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd
https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5
https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6
https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84

History

Thu, 25 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-590 CWE-665

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring. Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.
Title		net: mvpp2: refill RX buffers before XDP or skb use
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1 https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5 https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6 https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:18.875Z

Updated: 2026-06-25T08:39:18.875Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53215

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses

CWE-590
Free of Memory not on the Heap
CWE-665
Improper Initialization

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object