Skip to main content

Linux Kernel CVE-2026-53230

| EUVDEUVD-2026-39321 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pw9r-h2m6-6vvg
8.7
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.7 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
vuln.today AI
5.1 MEDIUM

Trigger requires privileged devlink configuration of a VF MAC-list max (PR:H) on local mlx5 hardware (AV:L); impact is a small OOB read causing potential info leak (C:L) and likely panic (A:H), no integrity change.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:39 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.7 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.7

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list

mlx5_query_nic_vport_mac_list() sizes its firmware command buffer using the PF's log_max_current_uc/mc_list capabilities. When querying a VF vport with a larger configured max (via devlink), the firmware response can overflow this buffer:

BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core] Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385

CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core] Call Trace: <TASK> dump_stack_lvl+0x69/0xa0 print_report+0x176/0x4e4 kasan_report+0xc8/0x100 mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core] esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core] esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core] esw_vport_change_handler+0x6a/0x90 [mlx5_core] process_one_work+0x87f/0x15e0 worker_thread+0x62b/0x1020 kthread+0x375/0x490 ret_from_fork+0x4dc/0x810 ret_from_fork_asm+0x11/0x20 </TASK>

Fix by querying the vport's own HCA caps to size the buffer correctly. Refactor the function to allocate and return the MAC list internally, removing the caller's dependency on knowing the correct max.

AnalysisAI

Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain privileged access to mlx5 SR-IOV host
Delivery
Set VF MAC-list max above PF via devlink
Exploit
Trigger VF address-list change
Execution
Oversized firmware response overflows buffer
Persist
Out-of-bounds kernel slab read
Impact
Info leak or kernel panic

Vulnerability AssessmentAI

Exploitation Requires a system using the mlx5_core driver with NVIDIA/Mellanox ConnectX hardware operating in SR-IOV / e-switch (switchdev) mode, AND a virtual function whose configured MAC-list maximum (log_max_current_uc_list / log_max_current_mc_list) has been set larger than the physical function's capability via devlink - this non-default, privileged configuration is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, config-gated risk rather than urgent mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host with an mlx5 NIC in SR-IOV mode, a privileged operator (or compromised management plane) raises a virtual function's MAC-list maximum via devlink above the PF's capability; when that VF's address list subsequently changes, the kernel's eswitch worker queries the vport and reads past the undersized slab buffer, leaking adjacent kernel memory or panicking the host. No public exploit code is identified at time of analysis, and the local attack vector plus dependency on privileged devlink configuration make opportunistic exploitation unlikely.
Remediation Vendor-released patch: update to a fixed Linux stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) on the matching branch, drawing the corresponding stable commit from https://git.kernel.org/stable/c/ (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Linux mlx5_core driver with ConnectX NICs in SR-IOV/switchdev mode; document current driver versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy