CVE-2026-53216 · Severity: CRITICAL · CNA: Linux

CVE-2026-53216: net: mvpp2: limit XDP frame size to the RX buffer

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with PAGE_SIZE as frame size.

XDP helpers use frame_sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE_SIZE for short buffers can let bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches the actual buffer backing the packet.
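To make the frame_sz mismatch concrete, here is a simplified userspace C model of the tail-growth bounds check (an added example, not kernel or driver code; the struct, the function names and every size are constructed assumptions). It works on offsets only and shows a grow being accepted past a short buffer when PAGE_SIZE is advertised, and rejected when the real fragment size is advertised.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed sizes for this model; real values depend on platform and pool setup. */
#define MODEL_PAGE_SIZE  4096L  /* frame size the XDP path advertised before the fix */
#define MODEL_SHORT_FRAG 1024L  /* assumed short-pool buffer size (stands in for bm_pool->frag_size) */
#define MODEL_TAIL_RSV    320L  /* stand-in for the tailroom reserved at the end of a frame */
#define MODEL_HEADROOM    256L  /* assumed headroom before packet data */
#define MODEL_ETH_HLEN     14L

struct model_xdp_buff {
    long data;      /* offset of the first packet byte */
    long data_end;  /* offset one past the last packet byte */
    long frame_sz;  /* size the driver told XDP about */
};

/* Hard end of the data area is derived from frame_sz alone. */
static long model_hard_end(const struct model_xdp_buff *x)
{
    return x->frame_sz - MODEL_TAIL_RSV;
}

/* Models the tail-adjust bounds check: 0 on success, -EINVAL if rejected. */
static int model_adjust_tail(struct model_xdp_buff *x, long delta)
{
    long new_end = x->data_end + delta;

    if (new_end > model_hard_end(x) || new_end < x->data + MODEL_ETH_HLEN)
        return -EINVAL;
    x->data_end = new_end;
    return 0;
}

/* Returns 1 if the grow is accepted AND ends beyond the real short-pool buffer. */
static int model_grow_escapes(long frame_sz, long pkt_len, long delta)
{
    struct model_xdp_buff x = { MODEL_HEADROOM, MODEL_HEADROOM + pkt_len, frame_sz };

    if (model_adjust_tail(&x, delta) != 0)
        return 0;
    return x.data_end > MODEL_SHORT_FRAG;
}

int main(void)
{
    printf("frame_sz=PAGE_SIZE: escapes=%d\n", model_grow_escapes(MODEL_PAGE_SIZE, 64, 1000));
    printf("frame_sz=frag_size: escapes=%d\n", model_grow_escapes(MODEL_SHORT_FRAG, 64, 1000));
    return 0;
}
```

The check itself is sound in both runs; only the advertised frame size differs, which is why the fix changes the initialization rather than the helper.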

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A memory corruption vulnerability exists in the Linux kernel's mvpp2 network driver, reachable over the network without any authentication. The driver incorrectly advertises PAGE_SIZE as the XDP frame size for short buffer-pool allocations, allowing the bpf_xdp_adjust_tail() helper to grow a packet past the real allocation boundary, corrupting kernel memory. Successful exploitation gives an attacker the ability to read arbitrary kernel memory, tamper with kernel data structures, or crash the system. A patched-image rebuild at the fix versions (5.15.210, 6.1.176, 6.6.143, and the upstream commit) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-53216 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package affected kernel versions. Coverage applies both to images sitting in registries and to images evaluated inline in CI/CD pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at the fix versions (5.15.210, 6.1.176, 6.6.143, or the upstream commit 3b8b0c3631b19faee53f0d15a49924129b063eec) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard is capable of executing the rebuild, running a regression test suite against the new image, and opening a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network; an attacker must be able to send packets to a host running an affected mvpp2 network interface.

  • Authentication: Not required

    No account or credential of any privilege level is needed to trigger the vulnerability; unauthenticated network traffic is sufficient.

  • Victim interaction: Not required

    No user or administrator action is required; the vulnerability is triggered by incoming network packets processed by the driver.

  • Attack complexity: Detail

    Exploitation is reliable and imposes no special environmental conditions; the attacker does not need to win a race or arrange a specific memory layout to reach the vulnerable code path.

Blast Radius

  • An attacker can corrupt out-of-bounds kernel memory beyond a short BM pool buffer, potentially overwriting adjacent kernel data structures.
  • An attacker can read contents of kernel memory regions adjacent to the short pool allocation, exposing sensitive in-kernel data such as pointers, keys, or session state.
  • An attacker can modify persisted kernel data structures, altering network stack behavior or privilege-enforcement state.
  • An attacker can crash the affected kernel entirely by tripping skb tailroom checks or causing a fault from the corrupted memory region, taking down all workloads on the host.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-53216 is active across all connected environments the moment the advisory is ingested. Given the Critical severity (CVSS 9.8) and the availability of upstream fix versions, a patched-image rebuild is available for environments running Linux kernel versions prior to 5.15.210, 6.1.176, or 6.6.143. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so teams can act manually. Until a patched image is deployed, compensating controls such as network-policy isolation of hosts running mvpp2 interfaces and egress filtering on untrusted packet sources can reduce exposure.

Fix available

Affected packages
  • Linux / Linux
    < a3ee9231ccec6ec3be2de89c56f897055fd9eab1 (from 07dd0a7aae7f72af7cec18909581c2bb570edddc) · < ec8e1e5842bc0dbd4c272761f4db3651eecd0339 (from 07dd0a7aae7f72af7cec18909581c2bb570edddc) · < 3b8b0c3631b19faee53f0d15a49924129b063eec (from 07dd0a7aae7f72af7cec18909581c2bb570edddc) · < 994bd2b58d2bd08aa97ec0836cc813cfcb00d749 (from 07dd0a7aae7f72af7cec18909581c2bb570edddc) · < 910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e (from 07dd0a7aae7f72af7cec18909581c2bb570edddc) · < 9545cc5ef18ca22d031f2f47c157192460652359 (from 07dd0a7aae7f72af7cec18909581c2bb570edddc)
  • Linux / Linux
    5.9
    Fixed in 0, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H