Description
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mvpp2 driver in the Linux kernel incorrectly sets the frame size of every XDP buffer to PAGE_SIZE, regardless of whether the buffer comes from a short BM pool that is smaller than a page. This mis‑sized frame size allows the bpf_xdp_adjust_tail() helper to grow packets beyond the memory actually reserved for the buffer. The resulting write past the end of the buffer can overwrite arbitrary kernel memory or trigger skb tailroom checks, giving an attacker the possibility to corrupt kernel state or execute code. The flaw is a classic buffer overflow, evidenced by CWE-787.

Affected Systems

Linux kernel systems that include the mvpp2 network driver and have not yet applied the patch. The vulnerability applies across all distributions, as the affected code is part of the upstream kernel.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but it has a high severity CVSS score of 9.8. Based on the description, it is inferred that the attacker would need to inject crafted packets that traverse the XDP path on an affected interface, and that exploitation is more likely in a compromised or internal network context rather than through remote public exposure.

Generated by OpenCVE AI on June 28, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that sets the XDP frame size to the actual fragment size (commit 3b8b0c3631b19faee53f0d15a49924129b063eec).
  • Upgrade to the latest supported kernel release that incorporates this patch.
  • If the patch cannot be applied immediately, disable XDP on the affected interface(s) with the command 'ip link set dev <dev> xdp off' or remove any BPF programs that adjust the packet tail.

Generated by OpenCVE AI on June 28, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
Title net: mvpp2: limit XDP frame size to the RX buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:29.513Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53216

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53216 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses