Skip to main content

Linux Kernel EUVDEUVD-2026-39308

| CVE-2026-53217 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vj9r-56j4-wwmh
8.6
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
4.8 MEDIUM

Network-triggered but bounded to non-coherent-DMA mvpp2 hardware with non-deterministic stale data, hence AC:H and only low confidentiality/integrity impact (C:L/I:L), no availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:36 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.6 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.6

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: sync RX data at the hardware packet offset

mvpp2 programs the RX queue packet offset, so hardware writes received data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the unused headroom and misses the same number of bytes at the packet tail.

On non-coherent DMA systems this can leave the CPU reading stale cache contents for the end of the received frame.

Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range offset so the sync covers the Marvell header and packet data actually written by hardware.

AnalysisAI

Information disclosure and frame corruption in the Linux kernel's Marvell mvpp2 network driver allows stale cache contents to be read into received packets on non-coherent DMA systems. Because the driver synced the RX buffer starting at the raw DMA address rather than at the hardware packet offset (MVPP2_SKB_HEADROOM), it synchronized unused headroom and missed an equal number of bytes at the packet tail, leaving the CPU to read stale cache lines for the end of each frame. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send Ethernet frames to mvpp2 interface
Delivery
Driver skips RX-tail cache sync
Exploit
CPU reads stale cache at packet tail
Execution
Stale memory enters received frame
Impact
Data corruption or limited info leak

Vulnerability AssessmentAI

Exploitation Exploitation requires the affected system to use the Marvell mvpp2 (PPv2) Ethernet driver AND to run on a platform with non-coherent DMA (typical of the ARM Armada 7K/8K SoCs this driver serves); coherent-DMA systems do not exhibit the stale-cache reads at all. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied NVD CVSS of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) substantially overstates real-world risk for this bug, and the signals conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Marvell Armada-based appliance running a vulnerable kernel with non-coherent DMA, an attacker (or even normal traffic) sends frames to a mvpp2-backed interface; because the RX tail is never cache-synced, the host processes packets whose trailing bytes contain stale kernel buffer contents, causing data corruption or leaking remnants of previously held memory into the receive path. No public exploit exists, and the leaked content is non-deterministic and not directly returned to the sender, making targeted exfiltration impractical.
Remediation Upstream fix available (stable commits/branches); update to a kernel that contains the corrected dma_sync_single_range_for_cpu() call - specifically 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 or later on your respective branch, applying the matching git.kernel.org/stable commit listed in the NVD references. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems running Marvell Armada-class hardware and verify current kernel versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy