{"id":"CVE-2026-53216","summary":"net: mvpp2: limit XDP frame size to the RX buffer","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: limit XDP frame size to the RX buffer\n\nmvpp2 has short and long BM pools, and short pool buffers can be smaller\nthan PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with\nPAGE_SIZE as frame size.\n\nXDP helpers use frame_sz to validate tail growth and to derive the hard\nend of the data area. Advertising PAGE_SIZE for short buffers can let\nbpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting\nmemory or later tripping skb tailroom checks.\n\nInitialize the XDP buffer with bm_pool-\u003efrag_size so XDP tailroom matches\nthe actual buffer backing the packet.","modified":"2026-07-08T08:13:45.652950687Z","published":"2026-06-25T08:39:19.529Z","related":["CGA-35q5-qh7v-cvrj"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53216.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3b8b0c3631b19faee53f0d15a49924129b063eec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9545cc5ef18ca22d031f2f47c157192460652359"},{"type":"WEB","url":"https://git.kernel.org/stable/c/994bd2b58d2bd08aa97ec0836cc813cfcb00d749"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a3ee9231ccec6ec3be2de89c56f897055fd9eab1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec8e1e5842bc0dbd4c272761f4db3651eecd0339"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3c6aa078927e6fe8121c9c591ddee8716c5305a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53216.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53216"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"07dd0a7aae7f72af7cec18909581c2bb570edddc"},{"fixed":"a3ee9231ccec6ec3be2de89c56f897055fd9eab1"},{"fixed":"ec8e1e5842bc0dbd4c272761f4db3651eecd0339"},{"fixed":"3b8b0c3631b19faee53f0d15a49924129b063eec"},{"fixed":"994bd2b58d2bd08aa97ec0836cc813cfcb00d749"},{"fixed":"910617a4e67dbdd5fdb39d9dc6a51e491e1b2c3e"},{"fixed":"9545cc5ef18ca22d031f2f47c157192460652359"},{"fixed":"f3c6aa078927e6fe8121c9c591ddee8716c5305a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53216.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.9.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.143"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53216.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}