CVE-2026-53216

CRITICAL

net: mvpp2: limit XDP frame size to the RX buffer

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.

Scores

CVSS v3 9.8
EPSS 0.0055
EPSS Percentile 42.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (24)
linux/Kernel 5.16.0 - 6.1.176linux
linux/Kernel 5.9.0 - 5.15.210linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
linux/Kernel 6.2.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 5.9
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 3b8b0c3631b19faee53f0d15a49924129b063eec
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e
Linux/Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc - 9545cc5ef18ca22d031f2f47c157192460652359
... and 14 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026