net: mvpp2: refill RX buffers before XDP or skb use_CVE-2026-53215

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.",
    "published": "2026-06-25T08:39:18.875Z",
    "modified": "2026-06-28T06:40:28.295Z",
    "type": "cve",
    "title": "net: mvpp2: refill RX buffers before XDP or skb use",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6\nhttps://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5\nhttps://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae\nhttps://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84\nhttps://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd\nhttps://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1\nhttps://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6",
    "id": "CVE-2026-53215",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 95a936364f2685e9e040c6b179b553604d96de22\nLinux Linux fba2cf348d9eb50b2049a73cc09313dab6d293f1\nLinux Linux 5.7.15\nLinux Linux 5.8.2\nLinux Linux 5.9",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's mvpp2 driver allows for potential DMA into memory that is no longer owned by the RX ring, due to incorrect buffer handling in the RX error path.",
    "ai_severity": "Critical",
    "ai_vendor": "The Linux Foundation",
    "ai_product": "Linux Kernel",
    "ai_version": "5.7.15, 5.8.2, 5.9",
    "ai_score": 9.8
}