Skip to main content

Linux Kernel CVE-2026-53215

| EUVDEUVD-2026-39306 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-37pv-m98r-vgm8
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Triggered by NIC-received frames (AV:A) only when refill allocation fails under memory pressure (AC:H), no auth (PR:N); impact is mainly DMA corruption/instability (A:H) with limited, indirect C/I leakage.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:35 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: refill RX buffers before XDP or skb use

The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer.

mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.

AnalysisAI

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send sustained RX traffic to Marvell NIC
Delivery
Induce memory pressure
Exploit
mvpp2_rx_refill() allocation fails
Execution
In-use buffer wrongly returned to BM pool
Persist
NIC DMAs into freed/handed-off page
Impact
Kernel memory corruption / info disclosure

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to run the Linux mvpp2 driver on Marvell PPv2/Armada hardware with the RX path delivering frames to XDP (recycled/redirected/XDP_TX) or building skbs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Marvell Armada-based appliance under memory pressure, an attacker (or simply heavy traffic plus a constrained system) drives sustained RX load so that mvpp2_rx_refill() hits an allocation failure right as a packet is being handed to XDP or built into an skb; the driver then wrongly returns that in-use buffer to the BM pool, and the NIC subsequently DMAs into a page now owned by the networking/XDP path, corrupting kernel memory and potentially leaking or destabilizing data. No public POC is known, and the CVSS AC effectively rises in practice because the attacker cannot directly force the allocation failure.
Remediation Upgrade to a kernel containing the fix for your branch: Vendor-released patch - 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or 7.1, whichever matches your stable series, available via the kernel.org stable commits (https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd and the related commits listed for CVE-2026-53215) and tracked at https://nvd.nist.gov/vuln/detail/CVE-2026-53215. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify inventory of Marvell Armada SoC systems in production and development environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy