CVE-2026-53230
Received - Intake
Buffer Overflow in Linux Kernel mlx5_core Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list

mlx5_query_nic_vport_mac_list() sizes its firmware command buffer using the PF's log_max_current_uc/mc_list capabilities. When querying a VF vport with a larger configured max (via devlink), the firmware response can overflow this buffer:

  BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
  Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385

  CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
  Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x69/0xa0
   print_report+0x176/0x4e4
   kasan_report+0xc8/0x100
   mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]
   esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core]
   esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core]
   esw_vport_change_handler+0x6a/0x90 [mlx5_core]
   process_one_work+0x87f/0x15e0
   worker_thread+0x62b/0x1020
   kthread+0x375/0x490
   ret_from_fork+0x4dc/0x810
   ret_from_fork_asm+0x11/0x20
   </TASK>

Fix by querying the vport's own HCA caps to size the buffer correctly. Refactor the function to allocate and return the MAC list internally, removing the caller's dependency on knowing the correct max.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product     Version / Range
mlx      mlx5_core   *
mlx5     mlx5_core   *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's mlx5_core driver, specifically in the function mlx5_query_nic_vport_mac_list. The function sizes its firmware command buffer based on the physical function's (PF) maximum unicast/multicast list capabilities. However, when querying a virtual function (VF) vport that has a larger configured maximum via devlink, the firmware response can overflow the allocated buffer.

This overflow leads to a slab-out-of-bounds error detected by Kernel Address Sanitizer (KASAN), which indicates that the kernel is reading beyond the allocated memory buffer. The issue arises because the buffer size is incorrectly determined, causing memory corruption.

The fix involves querying the vport's own Host Channel Adapter (HCA) capabilities to size the buffer correctly and refactoring the function to allocate and return the MAC list internally, removing the need for the caller to know the correct maximum size.
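
The sizing mistake and the shape of the fix, as a simplified user-space model added here; it is not the mlx5_core code. The response layout, the sizes and the names fw_query, query_mac_list and pf_sized_overrun are assumptions made for the illustration, and the clamp on the reported count is an extra defensive check that the advisory does not describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_LEN  6
#define HDR_SZ   4u  /* assumed layout: 32-bit entry count */
#define ENTRY_SZ 8u  /* assumed layout: 2 pad bytes + 6 MAC bytes */

/* Hypothetical device stand-in: reports `count` MACs, writing only what fits. */
static void fw_query(uint32_t count, uint8_t *out, size_t out_sz)
{
    memset(out, 0, out_sz);
    memcpy(out, &count, HDR_SZ);
    for (uint32_t i = 0; i < count && HDR_SZ + (i + 1) * ENTRY_SZ <= out_sz; i++)
        out[HDR_SZ + i * ENTRY_SZ + 7] = (uint8_t)(i + 1); /* last MAC byte */
}

/* Before: bytes a count-trusting parse loop reads past a PF-sized buffer. */
static size_t pf_sized_overrun(unsigned pf_log_max, uint32_t fw_count)
{
    size_t fit = (size_t)1 << pf_log_max; /* entries the PF-sized buffer holds */
    return fw_count > fit ? (fw_count - fit) * ENTRY_SZ : 0;
}

/* After: size from the queried vport's own cap and allocate the list here. */
static int query_mac_list(unsigned vport_log_max, uint32_t fw_count,
                          uint8_t (**macs)[MAC_LEN])
{
    size_t cap = (size_t)1 << vport_log_max, out_sz = HDR_SZ + cap * ENTRY_SZ;
    uint8_t *out = malloc(out_sz);
    uint32_t n;
    if (!out) return -1;
    fw_query(fw_count, out, out_sz);  /* fw_count is the simulated device state */
    memcpy(&n, out, HDR_SZ);
    if (n > cap) n = (uint32_t)cap;   /* added clamp: reported count is untrusted */
    *macs = calloc(n ? n : 1, MAC_LEN);
    for (uint32_t i = 0; *macs && i < n; i++)
        memcpy((*macs)[i], out + HDR_SZ + i * ENTRY_SZ + 2, MAC_LEN);
    free(out);
    return *macs ? (int)n : -1;
}

int main(void)
{
    uint8_t (*m)[MAC_LEN] = NULL;
    printf("overrun=%zu parsed=%d\n", pf_sized_overrun(2, 8), query_mac_list(3, 8, &m));
    free(m);
    return 0;
}
```

With a PF capability of 2 (four entries) and a VF reporting eight, the count-trusting loop would read 32 bytes past the allocation; sizing from the vport's capability of 3 removes the overrun.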

Impact Analysis

This vulnerability can cause kernel memory corruption due to a buffer overflow, which may lead to system instability, crashes, or denial of service.

Because it involves reading out-of-bounds memory in kernel space, it could potentially be exploited to execute arbitrary code or escalate privileges, although the exact impact depends on the attacker's capabilities and system configuration.

Detection Guidance

This vulnerability manifests as a slab-out-of-bounds error in the mlx5_query_nic_vport_mac_list function within the mlx5_core kernel module. Detection can be done by monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating slab-out-of-bounds errors related to mlx5_query_nic_vport_mac_list. These reports are only produced by kernels built with KASAN enabled (CONFIG_KASAN), so a clean log on a kernel without it does not show that the system is unaffected.

You can check the kernel logs for such errors using the following commands:

  • dmesg | grep -i 'mlx5_query_nic_vport_mac_list'
  • journalctl -k | grep -i 'mlx5_query_nic_vport_mac_list'

Additionally, monitoring for BUG reports or KASAN slab-out-of-bounds messages related to mlx5_core in the kernel logs can help detect exploitation attempts or crashes caused by this vulnerability.

Mitigation Strategies

The vulnerability is fixed by correctly sizing the firmware command buffer when querying the vport's MAC list, specifically by querying the vport's own HCA capabilities and refactoring the function to allocate and return the MAC list internally.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability (a version later than 7.0.0-rc6+ that has the patch applied).
  • Avoid querying VF vports with larger configured max values via devlink until the kernel is updated.
  • Monitor kernel logs for any signs of slab-out-of-bounds errors related to mlx5_core and take corrective action if detected.