{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53215: net: mvpp2: refill RX buffers before XDP or skb use","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53215","status":"final","version":"1","initial_release_date":"2026-06-25T08:39:18.875Z","current_release_date":"2026-06-28T06:40:28.295Z","revision_history":[{"date":"2026-06-25T08:39:18.875Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53215 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53215"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53215"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc <580f92f27cb8724bcc4be98ee89890eab524a2ae","product":{"name":"Linux Linux >=07dd0a7aae7f72af7cec18909581c2bb570edddc <580f92f27cb8724bcc4be98ee89890eab524a2ae","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc =07dd0a7aae7f72af7cec18909581c2bb570edddc <8a2126c5afe89f8ceeb60a3afb9f075b736194cd","product":{"name":"Linux Linux >=07dd0a7aae7f72af7cec18909581c2bb570edddc <8a2126c5afe89f8ceeb60a3afb9f075b736194cd","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=07dd0a7aae7f72af7cec18909581c2bb570edddc <02e1b5c4d3b4c658b72c145427cded1bba613fc1","product":{"name":"Linux Linux >=07dd0a7aae7f72af7cec18909581c2bb570edddc <02e1b5c4d3b4c658b72c145427cded1bba613fc1","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=07dd0a7aae7f72af7cec18909581c2bb570edddc <5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6","product":{"name":"Linux Linux >=07dd0a7aae7f72af7cec18909581c2bb570edddc <5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"95a936364f2685e9e040c6b179b553604d96de22","product":{"name":"Linux Linux 95a936364f2685e9e040c6b179b553604d96de22","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"fba2cf348d9eb50b2049a73cc09313dab6d293f1","product":{"name":"Linux Linux fba2cf348d9eb50b2049a73cc09313dab6d293f1","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=5.7.15 <5.8","product":{"name":"Linux Linux >=5.7.15 <5.8","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=5.8.2 <5.9","product":{"name":"Linux Linux >=5.8.2 <5.9","product_id":"CSAFPID-11","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"5.9","product":{"name":"Linux Linux 5.9","product_id":"CSAFPID-12","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-13","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"5.15.210","product":{"name":"Linux Linux 5.15.210","product_id":"CSAFPID-14","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.1.176","product":{"name":"Linux Linux 6.1.176","product_id":"CSAFPID-15","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.6.143","product":{"name":"Linux Linux 6.6.143","product_id":"CSAFPID-16","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.94","product":{"name":"Linux Linux 6.12.94","product_id":"CSAFPID-17","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.36","product":{"name":"Linux Linux 6.18.36","product_id":"CSAFPID-18","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.13","product":{"name":"Linux Linux 7.0.13","product_id":"CSAFPID-19","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1","product":{"name":"Linux Linux 7.1","product_id":"CSAFPID-20","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:5.9:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53215","title":"net: mvpp2: refill RX buffers before XDP or skb use","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12"],"fixed":["CSAFPID-13","CSAFPID-14","CSAFPID-15","CSAFPID-16","CSAFPID-17","CSAFPID-18","CSAFPID-19","CSAFPID-20"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 02e1b5c4d3b4c658b72c145427cded1bba613fc1, 5.8, 5.9, 5.15.210, 580f92f27cb8724bcc4be98ee89890eab524a2ae, 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1, 8a2126c5afe89f8ceeb60a3afb9f075b736194cd, a03cdcedb2cbcc42551dc3e4746929e93c5352d5, a88b3293b556f4d8fba11db9a8061a6b0d3b69e6, d0c8c4fbd22d260fe28530260656c5fb3c20ce84.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12"]}]}]}