{"api_version":"1","generated_at":"2026-06-25T19:21:35+00:00","cve":"CVE-2026-53215","urls":{"html":"https://cve.report/CVE-2026-53215","api":"https://cve.report/api/cve/CVE-2026-53215.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53215","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53215"},"summary":{"title":"net: mvpp2: refill RX buffers before XDP or skb use","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:39","updated_at":"2026-06-25 09:16:39"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd","name":"https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6","name":"https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5","name":"https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84","name":"https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6","name":"https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1","name":"https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae","name":"https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53215","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53215","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc a88b3293b556f4d8fba11db9a8061a6b0d3b69e6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc a03cdcedb2cbcc42551dc3e4746929e93c5352d5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc 580f92f27cb8724bcc4be98ee89890eab524a2ae git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc d0c8c4fbd22d260fe28530260656c5fb3c20ce84 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc 8a2126c5afe89f8ceeb60a3afb9f075b736194cd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc 02e1b5c4d3b4c658b72c145427cded1bba613fc1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 07dd0a7aae7f72af7cec18909581c2bb570edddc 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 95a936364f2685e9e040c6b179b553604d96de22 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fba2cf348d9eb50b2049a73cc09313dab6d293f1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.7.15 5.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.8.2 5.9 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.9","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.9 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a88b3293b556f4d8fba11db9a8061a6b0d3b69e6","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"a03cdcedb2cbcc42551dc3e4746929e93c5352d5","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"580f92f27cb8724bcc4be98ee89890eab524a2ae","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"d0c8c4fbd22d260fe28530260656c5fb3c20ce84","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"8a2126c5afe89f8ceeb60a3afb9f075b736194cd","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"02e1b5c4d3b4c658b72c145427cded1bba613fc1","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"lessThan":"5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6","status":"affected","version":"07dd0a7aae7f72af7cec18909581c2bb570edddc","versionType":"git"},{"status":"affected","version":"95a936364f2685e9e040c6b179b553604d96de22","versionType":"git"},{"status":"affected","version":"fba2cf348d9eb50b2049a73cc09313dab6d293f1","versionType":"git"},{"lessThan":"5.8","status":"affected","version":"5.7.15","versionType":"semver"},{"lessThan":"5.9","status":"affected","version":"5.8.2","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.9"},{"lessThan":"5.9","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.9","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:18.875Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a88b3293b556f4d8fba11db9a8061a6b0d3b69e6"},{"url":"https://git.kernel.org/stable/c/a03cdcedb2cbcc42551dc3e4746929e93c5352d5"},{"url":"https://git.kernel.org/stable/c/580f92f27cb8724bcc4be98ee89890eab524a2ae"},{"url":"https://git.kernel.org/stable/c/d0c8c4fbd22d260fe28530260656c5fb3c20ce84"},{"url":"https://git.kernel.org/stable/c/8a2126c5afe89f8ceeb60a3afb9f075b736194cd"},{"url":"https://git.kernel.org/stable/c/02e1b5c4d3b4c658b72c145427cded1bba613fc1"},{"url":"https://git.kernel.org/stable/c/5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6"}],"title":"net: mvpp2: refill RX buffers before XDP or skb use","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53215","datePublished":"2026-06-25T08:39:18.875Z","dateReserved":"2026-06-09T07:44:35.392Z","dateUpdated":"2026-06-25T08:39:18.875Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:39","lastModifiedDate":"2026-06-25 09:16:39","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53215","Ordinal":"1","Title":"net: mvpp2: refill RX buffers before XDP or skb use","CVE":"CVE-2026-53215","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53215","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.","Type":"Description","Title":"net: mvpp2: refill RX buffers before XDP or skb use"}]}}}