Impact
In the Linux kernel, the mvpp2 network driver incorrectly refills receive buffers when a descriptor has already been handed to XDP or an skb. The driver can return a buffer that the kernel no longer owns to the hardware buffer manager after that buffer may have been recycled, redirected, or queued for transmission. Hardware may then perform DMA into memory that is not owned by the kernel, potentially corrupting kernel memory.
Affected Systems
All Linux kernel releases that include the mvpp2 driver and were built before the upstream commit that introduced the safe refill logic are vulnerable. Distribution packages built from those kernels contain the defect. Using any kernel that incorporates the upstream commit or a later release resolves the issue.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity, while the EPSS score of < 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no active exploits are reported. Exploitation would require sending crafted network traffic that triggers the wrong buffer reuse path, but the description does not indicate any known exploitation.
OpenCVE Enrichment
Debian DLA