CVE-2026-53216
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk42th percentile — higher than 42% of all known CVEs
Summary
In the Linux kernel, the mvpp2 driver incorrectly initializes the XDP frame size (frame_sz) to PAGE_SIZE instead of the actual RX buffer size from the BM pool. This allows bpf_xdp_adjust_tail() to grow a packet beyond the allocated buffer, causing memory corruption.
Risk Assessment
The organization faces potential memory corruption or network instability due to erroneous BPF program behavior on mvpp2 interfaces, which could lead to system crashes or data integrity issues.
Recommendation
Immediately update the Linux kernel to a version containing the fix that initializes frame_sz with bm_pool->frag_size to ensure XDP frame size matches the actual buffer.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.

