CVE-2026-53216
Analyzed Analyzed - Analysis Complete

XDP Frame Size Miscalculation in Linux Kernel

Vulnerability report for CVE-2026-53216, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-02

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size. XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks. Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-02
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.9 (inc) to 5.15.210 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's mvpp2 network driver, specifically related to the handling of XDP (eXpress Data Path) frame sizes.

The mvpp2 driver has two buffer pools: short and long. Short pool buffers can be smaller than the system's PAGE_SIZE, but the XDP path incorrectly initializes every xdp_buff with a frame size equal to PAGE_SIZE.

XDP helpers rely on the frame size to validate packet tail growth and to determine the boundary of the data area. By advertising a frame size of PAGE_SIZE for smaller buffers, it allows the function bpf_xdp_adjust_tail() to extend a packet beyond its actual allocated memory.

This can lead to memory corruption or cause later checks on the socket buffer's tailroom to fail.

The fix involves initializing the XDP buffer with the actual fragment size of the buffer pool, so that the tailroom matches the real buffer backing the packet.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel's network stack.

Memory corruption can cause system instability, crashes, or unexpected behavior in network packet processing.

Additionally, it may allow attackers or malicious code to exploit the corrupted memory to escalate privileges or execute arbitrary code, depending on the system context.

Mitigation Strategies

The vulnerability has been resolved by initializing the XDP buffer with the actual buffer size (bm_pool->frag_size) instead of PAGE_SIZE to ensure the XDP tailroom matches the real buffer backing the packet.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix for the mvpp2 driver.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart