Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure

In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame()
returns false (e.g. XDPSQ is full), the function returns without
unmapping the DMA address or freeing the xdp_frame allocated by
xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on
success, so the completion path cannot recover these entries.

With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind:

DMA-API: pci 0000:08:00.0: device driver has pending DMA
allocations while released from device [count=1116]
One of leaked entries details: [device address=0x000000010ffd7028]
[size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy]
WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180
...
DMA-API: Mapped at:
debug_dma_map_phys+0x4b/0xd0
dma_map_phys+0xfd/0x2d0
mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core]
mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core]
mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]

Add the missing unmap + xdp_return_frame, matching the cleanup already
done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch,
so no per-frag unmap is needed.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the mlx5e XSK driver, the function that transmits packets via XDP fails to clean up DMA mappings and free xdp_frames when the transmit queue is full. The missed unmap and frame release allow runaway memory and DMA allocations to accumulate, potentially causing the driver to report intense pending DMA usage and leading to kernel instability or degraded network performance. The vulnerability does not provide an attacker‑visible privilege escalation or arbitrary code execution path, but it can weaken system reliability when the driver encounters repeated transmit failures.

Affected Systems

The issue affects Linux kernel versions that include the mlx5e driver in the net/mlx5e subsystem. Vendor information identifies the affected product as Linux:Linux; specific kernel release ranges are not listed, so any kernel build utilizing the mlx5e XSK path may be impacted.

Risk and Exploitability

No CVSS or EPSS score is published, and the vulnerability is not included in the CISA KEV catalog. The exploitability requires entry in the kernel’s mlx5e driver, typically local to the machine, and is most likely triggered under heavy XDP traffic or after a queue becomes full. An attacker with local or privileged access could induce high packet load to accelerate the leak, leading to resource exhaustion. Because the flaw does not provide external remote exploitation, the overall risk is moderate to high for systems running unpatched kernels under high network workloads.

Generated by OpenCVE AI on June 25, 2026 at 11:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the commit fixing the DMA unmap and xdp_frame release in mlx5e_xmit_xdp_buff()
  • If an immediate kernel upgrade is not possible, compile and install the patch directly from the kernel repository maintainer’s commit sequence
  • Enable CONFIG_DMA_API_DEBUG or similar diagnostics to surface pending DMA allocations during development and validate the fix in a staging environment
  • Apply kernel module isolation or limit XDP traffic to critical interfaces until a patched kernel is deployed to prevent accidental queue saturation

Generated by OpenCVE AI on June 25, 2026 at 11:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries. With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind: DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core] Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.
Title net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:28.552Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53229

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T12:00:14Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime