Skip to main content

Linux Kernel EUVDEUVD-2026-39320

| CVE-2026-53229 HIGH
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gvrm-xh5g-w8v6
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
2.5 LOW

Requires a configured AF_XDP zero-copy setup (PR:L) and a hard-to-force SQ-full failure path (AC:H), causing only gradual resource leakage (A:L) with no confidentiality or integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:39 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure

In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries.

With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind:

DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]

Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.

AnalysisAI

Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach mlx5 NIC running XSK zero-copy
Delivery
Send sustained high-rate traffic flow
Exploit
Saturate XDP send queue (XDPSQ full)
Install
Trigger XDP_TX xmit-failure leak path
C2
Leak DMA mappings and xdp_frames repeatedly
Execute
Exhaust kernel memory / DMA resources
Impact
Host instability or denial of service

Vulnerability AssessmentAI

Exploitation Requires the host to be running AF_XDP (XSK) sockets in zero-copy mode on a mlx5 (NVIDIA/Mellanox ConnectX) interface with an attached XDP program that uses the XDP_TX action - this is a specialized, non-default networking configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and should temper the headline CVSS 7.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host running an AF_XDP zero-copy application on a Mellanox ConnectX NIC, a sustained high-rate traffic flow keeps the XDP send queue full so XDP_TX transmits repeatedly fail; each failure leaks an xdp_frame and a DMA mapping. Over time the accumulating leaked DMA mappings and kernel memory degrade host stability and can surface as warnings or resource exhaustion. …
Remediation Vendor-released patch: update to a fixed stable kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport containing the listed stable commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running Linux with AF_XDP/XSK sockets on Mellanox ConnectX NICs to identify affected assets. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy