ACK: [SRU][N/J][PATCH 0/2] CVE-2026-53215

Alessio Faina alessio.faina at canonical.com
Wed Jul 15 14:32:55 UTC 2026


On Wed, Jul 15, 2026 at 02:16:20PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53215
> 
> [ Impact ]
> 
> The mvpp2 driver's RX error path returns the current descriptor buffer to the
> hardware BM pool, which is only valid while the driver still owns the buffer.
> However, mvpp2_rx_refill() can fail after the current buffer has already been
> handed to XDP or attached to an skb, where it may have been recycled,
> redirected, queued for XDP_TX, or freed. Returning such a buffer to the BM pool
> lets the hardware DMA into memory that is no longer owned by the RX ring,
> leading to memory corruption. With a CVSS score of 9.8, this can be exploited
> to compromise system integrity, confidentiality, and availability.
> 
> [ Fix ]
> 
> noble: clean cherry-pick
> jammy: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this fix could affect networking on Marvell PPv2 (mvpp2)
> Ethernet controllers, potentially causing RX buffer pool depletion, packet
> drops, or incorrect buffer accounting under memory pressure or heavy XDP
> traffic.
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Alessio Faina <alessio.faina at canonical.com>



More information about the kernel-team mailing list