CVE-2026-53229
Received Received - Intake
Memory Leak in Linux Kernel XSK Module

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries. With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind: DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core] Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53229
EUVD
EUVD-2026-39320
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mlx5 mlx5_core *
mlx mlx5e *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's mlx5e driver, specifically in the XSK branch of the mlx5e_xmit_xdp_buff() function. When the function sq->xmit_xdp_frame() fails to transmit (for example, when the XDPSQ is full), it returns without properly unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). Because the xdpi_fifo push only occurs on success, the cleanup path cannot recover these leaked resources, leading to a DMA and xdp_frame leak.

This leak can be detected when CONFIG_DMA_API_DEBUG=y is enabled, showing warnings about pending DMA allocations when the driver is unbound. The fix involves adding the missing unmap and xdp_return_frame calls to properly release resources on failure.

Impact Analysis

This vulnerability can cause resource leaks in the Linux kernel's mlx5e driver, specifically leaking DMA mappings and xdp_frame allocations when transmission fails. Over time, this can lead to increased memory usage and resource exhaustion, potentially degrading system performance or causing instability.

Additionally, if the system is running with DMA API debugging enabled, warnings about these leaks will appear during driver unbinding, indicating improper resource management.

Detection Guidance

This vulnerability can be detected by observing DMA API debug messages when the device driver is unbound. Specifically, with CONFIG_DMA_API_DEBUG=y enabled in the kernel, you may see warnings indicating pending DMA allocations that were not properly released.

Look for kernel log messages similar to: "DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=...]" which indicate leaked DMA mappings.

To check for these messages, you can use the following command to view kernel logs:

  • dmesg | grep -i 'DMA-API'

Additionally, monitoring the device driver unload or unbind process logs can help detect the issue.

Mitigation Strategies

The immediate mitigation is to update the Linux kernel to a version that includes the fix for this vulnerability.

The fix involves adding the missing DMA unmap and xdp_return_frame calls in the mlx5e_xsk_xmit_xdp_buff() function to properly release resources on XDP_TX transmit failure.

If updating the kernel is not immediately possible, enabling CONFIG_DMA_API_DEBUG=y can help detect the issue early by logging DMA leaks, allowing for manual intervention or monitoring.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart