Description
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: sync RX data at the hardware packet offset

mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.
Published: 2026-06-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mvpp2 network driver programs the hardware to write incoming frames after a configured headroom region. The CPU cache synchronization routine, however, starts at the beginning of that region and covers only a fixed amount of bytes, purposely missing the tail portion of each packet. On systems that do not use coherent DMA, this mismatch can leave stale data in the processor’s cache. An attacker could potentially read that lingering contents, leading to unauthorized disclosure of data that was previously stored in the same memory region. The defect is represented by CWE‑821, which denotes inconsistencies in protecting data flow.

Affected Systems

The flaw is present in any Linux kernel that contains the unpatched mvpp2 driver for Marvell Ethernet NICs. Any instance where the driver uses the old synchronization logic remains vulnerable. This includes all kernel releases before the commit that introduced dma_sync_single_range_for_cpu with the correct offset, particularly on hardware that operates with non-coherent DMA.

Risk and Exploitability

The CVSS score of 8.6 reflects a high severity, while the EPSS of <1% indicates a very low likelihood of exploitation at present. It is not listed in CISA’s KEV catalog, suggesting no widespread incidents have been observed. The likely attack path is network-based: an adversary would have to inject packets onto the affected interface to trigger the stale cache read. This inference is not stated explicitly in the advisory but is deduced from the nature of the vulnerability. Because exploitation would require controlling network traffic, the overall risk is moderate, but the impact of a successful attack could be significant due to confidential data exposure.

Generated by OpenCVE AI on June 28, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the mvpp2 driver fix, which uses dma_sync_single_range_for_cpu with the correct MVPP2_SKB_HEADROOM offset.
  • If the system cannot be updated immediately, consider configuring the NIC or kernel to use coherent DMA mode or enabling the kernel’s coherent DMA fallback, as non-coherent DMA is the root cause.
  • Monitor system logs and traffic patterns for anomalous cache behavior or leaked data during the transition period.

Generated by OpenCVE AI on June 28, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
CWE-368

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
CWE-368

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: sync RX data at the hardware packet offset mvpp2 programs the RX queue packet offset, so hardware writes received data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the unused headroom and misses the same number of bytes at the packet tail. On non-coherent DMA systems this can leave the CPU reading stale cache contents for the end of the received frame. Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range offset so the sync covers the Marvell header and packet data actually written by hardware.
Title net: mvpp2: sync RX data at the hardware packet offset
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:31.101Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53217

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53217 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-821

    Incorrect Synchronization