CVE-2026-53216
CRITICALnet: mvpp2: limit XDP frame size to the RX buffer
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
References (7)
Core 7
Core References
Scores
CVSS v3
9.8
EPSS
0.0055
EPSS Percentile
42.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (24)
linux/Kernel
5.16.0 - 6.1.176linux
linux/Kernel
5.9.0 - 5.15.210linux
linux/Kernel
6.13.0 - 6.18.36linux
linux/Kernel
6.19.0 - 7.0.13linux
linux/Kernel
6.2.0 - 6.6.143linux
linux/Kernel
6.7.0 - 6.12.94linux
Linux/Linux
< 5.9
Linux/Linux
07dd0a7aae7f72af7cec18909581c2bb570edddc - 3b8b0c3631b19faee53f0d15a49924129b063eec
Linux/Linux
07dd0a7aae7f72af7cec18909581c2bb570edddc - 910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e
Linux/Linux
07dd0a7aae7f72af7cec18909581c2bb570edddc - 9545cc5ef18ca22d031f2f47c157192460652359
... and 14 more
Published
Jun 25, 2026
Tracked Since
Jun 25, 2026