ACK: [SRU][N/J][PATCH 0/2] CVE-2026-53215
Jian Hui Lee
jianhui.lee at canonical.com
Thu Jul 16 02:54:23 UTC 2026
Acked-by: Jian Hui Lee <jianhui.lee at canonical.com>
On Wed, Jul 15, 2026 at 02:16:20PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53215
>
> [ Impact ]
>
> The mvpp2 driver's RX error path returns the current descriptor buffer to the
> hardware BM pool, which is only valid while the driver still owns the buffer.
> However, mvpp2_rx_refill() can fail after the current buffer has already been
> handed to XDP or attached to an skb, where it may have been recycled,
> redirected, queued for XDP_TX, or freed. Returning such a buffer to the BM pool
> lets the hardware DMA into memory that is no longer owned by the RX ring,
> leading to memory corruption. With a CVSS score of 9.8, this can be exploited
> to compromise system integrity, confidentiality, and availability.
>
> [ Fix ]
>
> noble: clean cherry-pick
> jammy: clean cherry-pick
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix could affect networking on Marvell PPv2 (mvpp2)
> Ethernet controllers, potentially causing RX buffer pool depletion, packet
> drops, or incorrect buffer accounting under memory pressure or heavy XDP
> traffic.
>
More information about the kernel-team
mailing list