CVE-2026-53215 (GCVE-0-2026-53215)

Vulnerability from cvelistv5 – Published: 2026-06-25 08:39 – Updated: 2026-06-28 06:40
VLAI
Title
net: mvpp2: refill RX buffers before XDP or skb use
Summary
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring. Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < a88b3293b556f4d8fba11db9a8061a6b0d3b69e6 (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < a03cdcedb2cbcc42551dc3e4746929e93c5352d5 (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < 580f92f27cb8724bcc4be98ee89890eab524a2ae (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < d0c8c4fbd22d260fe28530260656c5fb3c20ce84 (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < 8a2126c5afe89f8ceeb60a3afb9f075b736194cd (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < 02e1b5c4d3b4c658b72c145427cded1bba613fc1 (git)
Affected: 07dd0a7aae7f72af7cec18909581c2bb570edddc , < 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 (git)
Affected: 95a936364f2685e9e040c6b179b553604d96de22 (git)
Affected: fba2cf348d9eb50b2049a73cc09313dab6d293f1 (git)
Affected: 5.7.15 , < 5.8 (semver)
Affected: 5.8.2 , < 5.9 (semver)
Create a notification for this product.
Linux Linux Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.15.210 , ≤ 5.15.* (semver)
Unaffected: 6.1.176 , ≤ 6.1.* (semver)
Unaffected: 6.6.143 , ≤ 6.6.* (semver)
Unaffected: 6.12.94 , ≤ 6.12.* (semver)
Unaffected: 6.18.36 , ≤ 6.18.* (semver)
Unaffected: 7.0.13 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a88b3293b556f4d8fba11db9a8061a6b0d3b69e6",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "a03cdcedb2cbcc42551dc3e4746929e93c5352d5",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "580f92f27cb8724bcc4be98ee89890eab524a2ae",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "d0c8c4fbd22d260fe28530260656c5fb3c20ce84",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "8a2126c5afe89f8ceeb60a3afb9f075b736194cd",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "02e1b5c4d3b4c658b72c145427cded1bba613fc1",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "lessThan": "5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6",
              "status": "affected",
              "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "95a936364f2685e9e040c6b179b553604d96de22",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fba2cf348d9eb50b2049a73cc09313dab6d293f1",
              "versionType": "git"
            },
            {
              "lessThan": "5.8",
              "status": "affected",
              "version": "5.7.15",
              "versionType": "semver"
            },
            {
              "lessThan": "5.9",
              "status": "affected",
              "version": "5.8.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.210",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.176",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.143",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.94",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.36",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.13",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.7.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T06:40:28.295Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6"
        }
      ],
      "title": "net: mvpp2: refill RX buffers before XDP or skb use",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53215",
    "datePublished": "2026-06-25T08:39:18.875Z",
    "dateReserved": "2026-06-09T07:44:35.392Z",
    "dateUpdated": "2026-06-28T06:40:28.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53215",
      "date": "2026-07-01",
      "epss": "0.00546",
      "percentile": "0.41707"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53215\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-25T09:16:39.160\",\"lastModified\":\"2026-06-30T14:44:27.313\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: mvpp2: refill RX buffers before XDP or skb use\\n\\nThe RX error path returns the current descriptor buffer to the hardware\\nBM pool. That is only valid while the driver still owns the buffer.\\n\\nmvpp2_rx_refill() can fail after the current buffer has been handed to\\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\\ninto memory that is no longer owned by the RX ring.\\n\\nRefill the BM pool before handing the current buffer to XDP or to the\\nskb. If the allocation fails there, drop the packet and return the\\nstill-owned current buffer to BM, preserving the pool depth. Once the\\nrefill succeeds, later local drops retire/free the current buffer instead\\nof returning it to BM.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"a88b3293b556f4d8fba11db9a8061a6b0d3b69e6\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"a03cdcedb2cbcc42551dc3e4746929e93c5352d5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"580f92f27cb8724bcc4be98ee89890eab524a2ae\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"d0c8c4fbd22d260fe28530260656c5fb3c20ce84\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"8a2126c5afe89f8ceeb60a3afb9f075b736194cd\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"02e1b5c4d3b4c658b72c145427cded1bba613fc1\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"07dd0a7aae7f72af7cec18909581c2bb570edddc\",\"lessThan\":\"5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"95a936364f2685e9e040c6b179b553604d96de22\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"fba2cf348d9eb50b2049a73cc09313dab6d293f1\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5.7.15\",\"lessThan\":\"5.8\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.8.2\",\"lessThan\":\"5.9\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5.9\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"5.9\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.210\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.176\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.143\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.94\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.36\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.13\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…