CVE Catalog

CVE-2026-53215

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile — higher than 42% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the mvpp2 driver allows an RX buffer to be returned to the BM pool after being handed to XDP or skb, causing use-after-free. The fix reorders operations to refill the BM pool before handing the buffer to XDP or skb.

Risk Assessment

An attacker could exploit this vulnerability to access kernel memory, potentially leading to privilege escalation or data leakage. The risk is elevated in environments with virtualization or network packet processing.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 5a7b5e8c). For production systems, schedule a reboot after the update.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring. Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS