Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure

In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame()
returns false (e.g. XDPSQ is full), the function returns without
unmapping the DMA address or freeing the xdp_frame allocated by
xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on
success, so the completion path cannot recover these entries.

With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind:

DMA-API: pci 0000:08:00.0: device driver has pending DMA
allocations while released from device [count=1116]
One of leaked entries details: [device address=0x000000010ffd7028]
[size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy]
WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180
...
DMA-API: Mapped at:
debug_dma_map_phys+0x4b/0xd0
dma_map_phys+0xfd/0x2d0
mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core]
mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core]
mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]

Add the missing unmap + xdp_return_frame, matching the cleanup already
done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch,
so no per-frag unmap is needed.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An error in the mlx5e XSK path inside the Linux kernel causes DMA mappings and xdp_frames to remain allocated when a transmit queue becomes full, resulting in a growing number of pending DMA allocations and unreleased memory. This memory leak can exhaust kernel memory and lead to system instability or denial-of-service. The vulnerability is a resource management violation (CWE-772).

Affected Systems

Linux kernel builds that include the mlx5e driver with the XSK path are affected. All kernel versions that compile the net/mlx5e subsystem may contain the vulnerable code; specific release ranges are not listed. Administrators should verify whether their kernel incorporates the XSK path and the unmap issue in xmit_xdp_buff().

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% shows a very low probability of widespread exploitation. The flaw does not provide remote code execution; the likely attack vector is local or privileged access that triggers the XDP transmit queue to become full, such as by flooding XDP traffic. On high-throughput networking workloads, the resulting resource exhaustion can disrupt legitimate traffic, representing a significant denial-of-service risk.

Generated by OpenCVE AI on June 28, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Linux kernel that includes the commit that adds the missing unmap and xdp_frame release in mlx5e_xmit_xdp_buff().
  • If upgrading the kernel is not feasible, apply the upstream patch from the kernel repository to the mlx5e source before building the kernel.
  • Disable XSK or XDP on the affected network interfaces until the patched kernel or patch is installed.
  • Optionally enable CONFIG_DMA_API_DEBUG during testing to surface pending DMA allocations and verify that the leak no longer occurs.

Generated by OpenCVE AI on June 28, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries. With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind: DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core] Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.
Title net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:40.498Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53229

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53229 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime