Description
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mvpp2 driver in the Linux kernel incorrectly sets the frame size for XDP buffers to PAGE_SIZE, even when the buffer is taken from a short BM pool that is smaller than a page. This mismatch allows the helper bpf_xdp_adjust_tail() to extend a packet beyond the actual allocation, potentially overwriting adjacent memory or causing later skb tailroom checks to fail. The primary effect is a memory corruption vulnerability that can lead to kernel instability or data integrity problems. Based on the description, it is inferred that an attacker could trigger this corruption by delivering specially crafted packets that force tail growth beyond the real buffer size, though the exact exploitation path is not detailed in the provided material.

Affected Systems

Linux kernel systems that include the mvpp2 network driver, across all distributions that ship this driver. No specific kernel version is identified, so any kernel with the unpatched mvpp2 implementation may be affected.

Risk and Exploitability

No EPSS score or KEV listing is available, and the CVSS score is not stated in the provided data, indicating that no publicly known exploit demonstrations exist for this flaw. The lack of exploitation evidence, combined with the requirement that traffic be processed by the XDP path on an affected interface, suggests that the risk depends on whether an attacker can send targeted packets through that path. Overall, the potential impact is significant, but the probability of successful exploitation remains uncertain without further evidence.

Generated by OpenCVE AI on June 25, 2026 at 11:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that limits XDP frame size to bm_pool->frag_size, as referenced in commit 3b8b0c3631b19faee53f0d15a49924129b063eec
  • Upgrade to a Linux kernel release that incorporates this patch; verify the presence of the commit 910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e and subsequent revisions
  • As a temporary measure, disable XDP on the affected interface(s) with "ip link set dev <dev> xdp off" or remove any BPF programs that adjust packet tail size beyond the actual buffer size

Generated by OpenCVE AI on June 25, 2026 at 11:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
Title net: mvpp2: limit XDP frame size to the RX buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:19.529Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53216

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-122

    Heap-based Buffer Overflow