Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Requires a configured AF_XDP zero-copy setup (PR:L) and a hard-to-force SQ-full failure path (AC:H), causing only gradual resource leakage (A:L) with no confidentiality or integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
In the XSK branch of mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns false (e.g. XDPSQ is full), the function returns without unmapping the DMA address or freeing the xdp_frame allocated by xdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on success, so the completion path cannot recover these entries.
With CONFIG_DMA_API_DEBUG=y, the leak surfaces on driver unbind:
DMA-API: pci 0000:08:00.0: device driver has pending DMA allocations while released from device [count=1116] One of leaked entries details: [device address=0x000000010ffd7028] [size=1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy] WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180 ... DMA-API: Mapped at: debug_dma_map_phys+0x4b/0xd0 dma_map_phys+0xfd/0x2d0 mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core] mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core] mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]
Add the missing unmap + xdp_return_frame, matching the cleanup already done in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch, so no per-frag unmap is needed.
AnalysisAI
Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the host to be running AF_XDP (XSK) sockets in zero-copy mode on a mlx5 (NVIDIA/Mellanox ConnectX) interface with an attached XDP program that uses the XDP_TX action - this is a specialized, non-default networking configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should temper the headline CVSS 7.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host running an AF_XDP zero-copy application on a Mellanox ConnectX NIC, a sustained high-rate traffic flow keeps the XDP send queue full so XDP_TX transmits repeatedly fail; each failure leaks an xdp_frame and a DMA mapping. Over time the accumulating leaked DMA mappings and kernel memory degrade host stability and can surface as warnings or resource exhaustion. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport containing the listed stable commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory systems running Linux with AF_XDP/XSK sockets on Mellanox ConnectX NICs to identify affected assets. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39320
GHSA-gvrm-xh5g-w8v6