CVE-2026-43465
Received Received - Intake
Buffer Fragment Reference Counting Flaw in Mellanox mlx5e Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: - The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. - The test sends one packet with no payload. - On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. - The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). - mlx5 device skips counting this fragment. Internal frag counter remains 0. - mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43465
EUVD
EUVD-2026-28771
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mlx mlx5_core *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's mlx5 driver related to XDP (eXpress Data Path) multi-buffer fragment counting. When an XDP multi-buf program modifies the layout of the XDP buffer using functions like bpf_xdp_pull_data() or bpf_xdp_adjust_tail(), the mlx5 driver incorrectly assumes the buffer layout does not change during execution.

This incorrect assumption leads to the driver failing to count dropped fragments properly, causing a mismatch in page fragment reference counting. Specifically, the driver releases more fragments than it should, resulting in negative reference counting errors and kernel warnings or crashes.

The issue was discovered through a self-test that showed the mlx5 driver releasing fragments incorrectly after an XDP program drops a tail fragment. The fix involves correctly counting all original XDP buffer fragments for all relevant XDP actions (XDP_TX, XDP_REDIRECT, and XDP_PASS), reverting to the original counting method before the problematic commit.


How can this vulnerability impact me? :

This vulnerability can cause negative reference counting errors in the mlx5 driver, which may lead to kernel warnings, instability, or crashes during network packet processing.

Such instability can affect the reliability and availability of systems using the mlx5 network driver, potentially causing network disruptions or degraded performance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability was discovered by the drivers/net/xdp.py selftest, specifically the test_xdp_native_tx_mb test. Detection involves observing kernel warnings related to mlx5e_page_release_fragmented and negative reference counting errors in the mlx5 driver.

You can monitor your system logs for warnings similar to the following message indicating the issue: "WARNING: CPU: ... mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]".

To detect this vulnerability, you may run the mlx5 driver selftests if available, or monitor kernel logs (e.g., using dmesg or journalctl) for related error messages.

  • Check kernel logs for mlx5 driver warnings: sudo dmesg | grep mlx5e_page_release_fragmented
  • Run the mlx5 driver selftest if available: python3 drivers/net/xdp.py test_xdp_native_tx_mb

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a patch that correctly counts page fragments for all relevant XDP actions in the mlx5 driver. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Until the patch is applied, avoid running XDP multi-buf programs that call bpf_xdp_pull_data() or bpf_xdp_adjust_tail() on systems using the mlx5 driver, as these trigger the issue.

Monitoring for the described kernel warnings can help identify if the issue is occurring, but the primary mitigation is to apply the kernel update containing the fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart