Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Triggered by NIC-received frames (AV:A) only when refill allocation fails under memory pressure (AC:H), no auth (PR:N); impact is mainly DMA corruption/instability (A:H) with limited, indirect C/I leakage.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: refill RX buffers before XDP or skb use
The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer.
mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring.
Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.
AnalysisAI
Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to run the Linux mvpp2 driver on Marvell PPv2/Armada hardware with the RX path delivering frames to XDP (recycled/redirected/XDP_TX) or building skbs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict sharply. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Marvell Armada-based appliance under memory pressure, an attacker (or simply heavy traffic plus a constrained system) drives sustained RX load so that mvpp2_rx_refill() hits an allocation failure right as a packet is being handed to XDP or built into an skb; the driver then wrongly returns that in-use buffer to the BM pool, and the NIC subsequently DMAs into a page now owned by the networking/XDP path, corrupting kernel memory and potentially leaking or destabilizing data. No public POC is known, and the CVSS AC effectively rises in practice because the attacker cannot directly force the allocation failure. |
| Remediation | Upgrade to a kernel containing the fix for your branch: Vendor-released patch - 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or 7.1, whichever matches your stable series, available via the kernel.org stable commits (https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd and the related commits listed for CVE-2026-53215) and tracked at https://nvd.nist.gov/vuln/detail/CVE-2026-53215. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify inventory of Marvell Armada SoC systems in production and development environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39306
GHSA-37pv-m98r-vgm8