Skip to main content

Linux Kernel CVE-2026-53216

| EUVDEUVD-2026-39307 CRITICAL
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8vc2-h54q-6258
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Reachable only via a privileged XDP program (PR:H) under specific short-pool conditions on Marvell hardware (AC:H, AV:L); out-of-bounds write yields full memory-safety impact (C/I/A:H).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:35 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.

AnalysisAI

Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain XDP-load capability on mvpp2 host
Delivery
Attach XDP program calling adjust_tail
Exploit
Steer packet into short BM pool
Execution
Grow frame past real allocation
Impact
Corrupt adjacent kernel memory or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions drawn from the description: (1) the system uses the mvpp2 driver on Marvell PPv2/Armada hardware that allocates short BM pool buffers smaller than PAGE_SIZE; (2) an XDP/eBPF program is attached to the mvpp2 RX path; and (3) that program invokes bpf_xdp_adjust_tail() to grow a packet, which the buggy PAGE_SIZE frame_sz allows to exceed the real allocation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N, C/I/A:H = 9.8) appears to be an automated NVD/kernel-CNA maximum and significantly overstates real-world risk; it should be treated with skepticism. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Marvell PPv2-based appliance running an XDP program that extends packet tails, an actor able to load or influence that XDP program (or steer traffic into the short BM pool) triggers bpf_xdp_adjust_tail() to grow a short-pool frame beyond its real allocation, writing into adjacent kernel memory and corrupting it or crashing the box on a later tailroom check. No public exploit is identified at time of analysis, and the attacker needs privileged XDP-loading capability plus the specific short-pool buffer condition, making this a targeted/local rather than commodity attack.
Remediation Vendor-released patch: upgrade to a fixed Linux stable release - 7.1, 7.0.13, 6.18.36, 6.12.94, 6.6.143, 6.1.176, or 5.15.210, whichever matches your maintained series. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems running Marvell mvpp2 Ethernet hardware with XDP packet processing enabled; check vendor advisories for affected kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy