CVE-2026-53216
Received Received - Intake
XDP Frame Size Miscalculation in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53216
EUVD
EUVD-2026-39307
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's mvpp2 network driver, specifically related to the handling of XDP (eXpress Data Path) frame sizes.

The mvpp2 driver has two buffer pools: short and long. Short pool buffers can be smaller than the system's PAGE_SIZE, but the XDP path incorrectly initializes every xdp_buff with a frame size equal to PAGE_SIZE.

XDP helpers rely on the frame size to validate packet tail growth and to determine the boundary of the data area. By advertising a frame size of PAGE_SIZE for smaller buffers, it allows the function bpf_xdp_adjust_tail() to extend a packet beyond its actual allocated memory.

This can lead to memory corruption or cause later checks on the socket buffer's tailroom to fail.

The fix involves initializing the XDP buffer with the actual fragment size of the buffer pool, so that the tailroom matches the real buffer backing the packet.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel's network stack.

Memory corruption can cause system instability, crashes, or unexpected behavior in network packet processing.

Additionally, it may allow attackers or malicious code to exploit the corrupted memory to escalate privileges or execute arbitrary code, depending on the system context.

Mitigation Strategies

The vulnerability has been resolved by initializing the XDP buffer with the actual buffer size (bm_pool->frag_size) instead of PAGE_SIZE to ensure the XDP tailroom matches the real buffer backing the packet.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix for the mvpp2 driver.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart