CVE-2026-53215

CRITICAL

net: mvpp2: refill RX buffers before XDP or skb use

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring. Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.

Scores

CVSS v3 9.8
EPSS 0.0055
EPSS Percentile 42.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (28)
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 5.9.0 - 5.15.210linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
linux/Kernel 6.2.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 5.9
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 02e1b5c4d3b4c658b72c145427cded1bba613fc1
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 580f92f27cb8724bcc4be98ee89890eab524a2ae
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6
... and 18 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026