Impact
The mvpp2 network driver programs a packet offset that causes hardware to write incoming frame data starting after an aligned headroom region. The driver’s CPU cache synchronization routine, however, begins at the start of this region and only covers the headroom plus a fixed number of bytes, so it does not include the data actually appended by the hardware at the tail end of the packet. On systems whose DMA is non‑coherent, this omission means the processor may read stale contents from its cache for the tail portion of received frames, potentially revealing sensitive information that was previously stored in that memory.
Affected Systems
This flaw affects Linux kernels that include the mvpp2 driver for Marvell Ethernet hardware. The listed commits implement the fix in the kernel source, but the specific kernel versions that have integrated the change were not specified. Any deployment that has not yet updated past the commit that adds dma_sync_single_range_for_cpu with the correct headroom offset remains vulnerable.
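The sync-window mismatch described under Impact, and the corrected window, can be reproduced in a small userspace model. This is an added example, not code from the mvpp2 driver: the buffer size, HEADROOM and FIXED_LEN values and all function names are constructed assumptions, and the "cache" is a plain shadow array standing in for a non-coherent CPU cache.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  512
#define HEADROOM  128  /* constructed value, not the driver's constant */
#define FIXED_LEN 64   /* constructed stand-in for the "fixed number of bytes" */

static unsigned char ram[BUF_SIZE];   /* memory the device writes by DMA */
static unsigned char cache[BUF_SIZE]; /* what the CPU reads until it syncs */

/* Model of a sync-for-cpu over [off, off + len): refresh cache from RAM. */
static void sync_for_cpu(size_t off, size_t len)
{
    if (off >= BUF_SIZE) return;
    if (len > BUF_SIZE - off) len = BUF_SIZE - off;
    memcpy(cache + off, ram + off, len);
}

/* Receive one frame, sync the given window, and count the frame bytes the
 * CPU would still read as old cache contents. */
size_t stale_frame_bytes(size_t sync_off, size_t sync_len, size_t frame_len)
{
    size_t i, stale = 0;

    if (frame_len > BUF_SIZE - HEADROOM) frame_len = BUF_SIZE - HEADROOM;
    memset(ram, 0xAA, BUF_SIZE);             /* previous buffer contents */
    memset(cache, 0xAA, BUF_SIZE);           /* cached copy of old contents */
    memset(ram + HEADROOM, 0x55, frame_len); /* device writes after headroom */
    sync_for_cpu(sync_off, sync_len);
    for (i = 0; i < frame_len; i++)
        if (cache[HEADROOM + i] != 0x55)
            stale++;
    return stale;
}

/* Window as the page describes the flaw: from buffer start, headroom + fixed. */
size_t stale_before_fix(size_t n) { return stale_frame_bytes(0, HEADROOM + FIXED_LEN, n); }

/* Window after the fix: starts at the headroom offset and spans the frame. */
size_t stale_after_fix(size_t n) { return stale_frame_bytes(HEADROOM, n, n); }

int main(void)
{
    printf("200-byte frame: %zu stale before fix, %zu after\n",
           stale_before_fix(200), stale_after_fix(200));
    return 0;
}
```

In this model, frames short enough to fit inside the old window read back correctly, which is why the stale tail only shows up on longer frames.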
Risk and Exploitability
No CVSS score is supplied and EPSS is unavailable, so formal metrics are missing. The vulnerability is not listed in CISA’s KEV catalog, indicating that it has not yet been widely observed in the wild. Nevertheless, an attacker with the ability to inject frames onto the network interface controlled by mvpp2, such as a local network adversary or a compromised host, could deliberately trigger stale reads by sending long or malformed packets, thereby biasing the cache and exposing data. The attack vector is therefore local or network‑based, and exploitation would require the attacker to manipulate traffic to the affected interface. Given the nature of the bug, the risk to confidentiality is significant, while availability impacts are minimal.