CVE-2026-53215: net: mvpp2: refill RX buffers before XDP or skb use
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: refill RX buffers before XDP or skb use

The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2_rx_refill() can fail after the current buffer has been handed to XDP or attached to an skb. In those cases mvpp2_run_xdp() may have recycled, redirected, or queued the page for XDP_TX, and an skb free also retires the data buffer. Returning such a buffer to BM lets hardware DMA into memory that is no longer owned by the RX ring.

Refill the BM pool before handing the current buffer to XDP or to the skb. If the allocation fails there, drop the packet and return the still-owned current buffer to BM, preserving the pool depth. Once the refill succeeds, later local drops retire/free the current buffer instead of returning it to BM.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's mvpp2 network driver, reachable over the network without any authentication. The flaw allows hardware DMA to write into memory that the driver no longer owns, because the RX error path incorrectly returns a buffer to the BM pool after that buffer has already been handed to XDP or attached to an skb. Successful exploitation gives an attacker the ability to read arbitrary memory, overwrite arbitrary memory, and crash the affected system. Patched-image rebuilds at the fix versions (5.8, 5.15.210, and the upstream commit references) are available on HarborGuard for affected environments.
HarborGuard Coverage
- Available: Detection of CVE-2026-53215 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and CI/CD pipelines, including custom-built images that bundle a vulnerable kernel or kernel module.
- Available: HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and surfaces it at the top of each affected environment's findings queue; per-environment compliance policy weighting then routes the finding to the appropriate team inbox inside each customer organization.
- Available: A patched-image rebuild at the fix versions listed upstream becomes available on HarborGuard the moment the corrected packages are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The vulnerable code path is reachable over the network; an attacker must be able to send crafted packets to the affected interface exposed by the mvpp2 driver.
- Authentication: Not required. No account or credentials are required; the exploit is triggered by unauthenticated network traffic.
- Victim interaction: Not required. No user or administrator action is needed; exploitation is fully remote and passive from the victim's perspective.
- Attack complexity: Low. The exploit is reliable and requires no special conditions, race wins, or knowledge of memory layout beyond reaching the vulnerable network interface.
Blast Radius
- An attacker triggers hardware DMA writes into freed memory pages, enabling arbitrary memory corruption anywhere in the kernel address space.
- Kernel memory containing credentials, session tokens, or sensitive process data can be read by influencing which freed pages are reused and inspected.
- Corrupted kernel data structures cause an unrecoverable kernel panic, crashing the host and any containers or workloads running on it.
- Persistent memory corruption can be used to overwrite kernel function pointers, providing a path to full kernel code execution.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel or kernel modules fall within the affected version range, including custom-built images. For environments running an affected kernel version, a patched-image rebuild targeting the fixed versions becomes available as soon as upstream packages are indexed. For customers who opt into auto-remediation, HarborGuard queues a rebuild, runs a regression test, and opens a PR against affected workloads; for Critical-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is held in the team inbox with fix-version details attached. Until a patched image is deployed, compensating controls such as network-policy isolation of nodes running the mvpp2 driver, egress filtering on those interfaces, and restricting untrusted external traffic to affected hosts are worth considering to limit exposure.
Fix available
- Linux / Linux (by commit): affected from 07dd0a7aae7f72af7cec18909581c2bb570edddc up to, but not including, each of a88b3293b556f4d8fba11db9a8061a6b0d3b69e6, a03cdcedb2cbcc42551dc3e4746929e93c5352d5, 580f92f27cb8724bcc4be98ee89890eab524a2ae, d0c8c4fbd22d260fe28530260656c5fb3c20ce84, 8a2126c5afe89f8ceeb60a3afb9f075b736194cd and 02e1b5c4d3b4c658b72c145427cded1bba613fc1
- Linux / Linux (by version): affected from 5.9; fixed in 0, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H