CVE-2026-53215

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: refill RX buffers before XDP or skb use

The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < a88b3293b556f4d8fba11db9a8061a6b0d3b69e6affected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < a03cdcedb2cbcc42551dc3e4746929e93c5352d5affected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < 580f92f27cb8724bcc4be98ee89890eab524a2aeaffected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < d0c8c4fbd22d260fe28530260656c5fb3c20ce84affected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < 8a2126c5afe89f8ceeb60a3afb9f075b736194cdaffected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < 02e1b5c4d3b4c658b72c145427cded1bba613fc1affected
LinuxLinux07dd0a7aae7f72af7cec18909581c2bb570edddc < 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6affected
LinuxLinux95a936364f2685e9e040c6b179b553604d96de22affected
LinuxLinuxfba2cf348d9eb50b2049a73cc09313dab6d293f1affected
LinuxLinux5.7.15 < 5.8affected
LinuxLinux5.8.2 < 5.9affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References