Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Network-triggered but bounded to non-coherent-DMA mvpp2 hardware with non-deterministic stale data, hence AC:H and only low confidentiality/integrity impact (C:L/I:L), no availability effect.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: sync RX data at the hardware packet offset
mvpp2 programs the RX queue packet offset, so hardware writes received data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the unused headroom and misses the same number of bytes at the packet tail.
On non-coherent DMA systems this can leave the CPU reading stale cache contents for the end of the received frame.
Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range offset so the sync covers the Marvell header and packet data actually written by hardware.
AnalysisAI
Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the affected system to use the Marvell mvpp2 (PPv2) Ethernet driver AND to run on a platform with non-coherent DMA (typical of the ARM Armada 7K/8K SoCs this driver serves); coherent-DMA systems do not exhibit the stale-cache reads at all. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied NVD CVSS of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) substantially overstates real-world risk for this bug, and the signals conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Marvell Armada-based appliance running a vulnerable kernel with non-coherent DMA, an attacker (or even normal traffic) sends frames to a mvpp2-backed interface; because the RX tail is never cache-synced, the host processes packets whose trailing bytes contain stale kernel buffer contents, causing data corruption or leaking remnants of previously held memory into the receive path. No public exploit exists, and the leaked content is non-deterministic and not directly returned to the sender, making targeted exfiltration impractical. |
| Remediation | Upstream fix available (stable commits/branches); update to a kernel that contains the corrected dma_sync_single_range_for_cpu() call - specifically 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later on your respective branch, applying the matching git.kernel.org/stable commit listed in the NVD references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify systems running Marvell Armada-class hardware and verify current kernel versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39308
GHSA-vj9r-56j4-wwmh