Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reachable only via a privileged XDP program (PR:H) under specific short-pool conditions on Marvell hardware (AC:H, AV:L); out-of-bounds write yields full memory-safety impact (C/I/A:H).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: limit XDP frame size to the RX buffer
mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size.
XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks.
Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
AnalysisAI
Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete conditions drawn from the description: (1) the system uses the mvpp2 driver on Marvell PPv2/Armada hardware that allocates short BM pool buffers smaller than PAGE_SIZE; (2) an XDP/eBPF program is attached to the mvpp2 RX path; and (3) that program invokes bpf_xdp_adjust_tail() to grow a packet, which the buggy PAGE_SIZE frame_sz allows to exceed the real allocation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N, C/I/A:H = 9.8) appears to be an automated NVD/kernel-CNA maximum and significantly overstates real-world risk; it should be treated with skepticism. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Marvell PPv2-based appliance running an XDP program that extends packet tails, an actor able to load or influence that XDP program (or steer traffic into the short BM pool) triggers bpf_xdp_adjust_tail() to grow a short-pool frame beyond its real allocation, writing into adjacent kernel memory and corrupting it or crashing the box on a later tailroom check. No public exploit is identified at time of analysis, and the attacker needs privileged XDP-loading capability plus the specific short-pool buffer condition, making this a targeted/local rather than commodity attack. |
| Remediation | Vendor-released patch: upgrade to a fixed Linux stable release - 7.1, 7.0.13, 6.18.36, 6.12.94, 6.6.143, 6.1.176, or 5.15.210, whichever matches your maintained series. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems running Marvell mvpp2 Ethernet hardware with XDP packet processing enabled; check vendor advisories for affected kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39307
GHSA-8vc2-h54q-6258