net: mvpp2: limit XDP frame size to the RX buffer

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.

AI Analysis

A vulnerability in the Linux kernel's mvpp2 driver allows an attacker to corrupt memory or trip skb tailroom checks by growing a packet past the real allocation.

Basic Information

ID CVE-2026-53216

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 07dd0a7aae7f72af7cec18909581c2bb570edddc

Affected Versions Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc
Linux Linux 5.9

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 5.9, 07dd0a7aae7f72af7cec18909581c2bb570edddc

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: limit XDP frame size to the RX buffer\n\nmvpp2 has short and long BM pools, and short pool buffers can be smaller\nthan PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with\nPAGE_SIZE as frame size.\n\nXDP helpers use frame_sz to validate tail growth and to derive the hard\nend of the data area. Advertising PAGE_SIZE for short buffers can let\nbpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting\nmemory or later tripping skb tailroom checks.\n\nInitialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches\nthe actual buffer backing the packet.",
    "published": "2026-06-25T08:39:19.529Z",
    "modified": "2026-06-28T06:40:29.513Z",
    "type": "cve",
    "title": "net: mvpp2: limit XDP frame size to the RX buffer",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a3ee9231ccec6ec3be2de89c56f897055fd9eab1\nhttps://git.kernel.org/stable/c/ec8e1e5842bc0dbd4c272761f4db3651eecd0339\nhttps://git.kernel.org/stable/c/3b8b0c3631b19faee53f0d15a49924129b063eec\nhttps://git.kernel.org/stable/c/994bd2b58d2bd08aa97ec0836cc813cfcb00d749\nhttps://git.kernel.org/stable/c/910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e\nhttps://git.kernel.org/stable/c/9545cc5ef18ca22d031f2f47c157192460652359\nhttps://git.kernel.org/stable/c/f3c6aa078927e6fe8121c9c591ddee8716c5305a",
    "id": "CVE-2026-53216",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 07dd0a7aae7f72af7cec18909581c2bb570edddc\nLinux Linux 5.9",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "07dd0a7aae7f72af7cec18909581c2bb570edddc",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel's mvpp2 driver allows an attacker to corrupt memory or trip skb tailroom checks by growing a packet past the real allocation.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "5.9, 07dd0a7aae7f72af7cec18909581c2bb570edddc",
    "ai_score": 9.8
}

net: mvpp2: limit XDP frame size to the RX buffer_CVE-2026-53216