APPLIED: [SRU][N/J][PATCH 0/2] CVE-2026-53215

Stefan Bader stefan.bader at canonical.com
Thu Jul 16 07:52:57 UTC 2026


On 15/07/2026 13:16, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53215
> 
> [ Impact ]
> 
> The mvpp2 driver's RX error path returns the current descriptor buffer to the
> hardware BM pool, which is only valid while the driver still owns the buffer.
> However, mvpp2_rx_refill() can fail after the current buffer has already been
> handed to XDP or attached to an skb, where it may have been recycled,
> redirected, queued for XDP_TX, or freed. Returning such a buffer to the BM pool
> lets the hardware DMA into memory that is no longer owned by the RX ring,
> leading to memory corruption. With a CVSS score of 9.8, this can be exploited
> to compromise system integrity, confidentiality, and availability.
> 
> [ Fix ]
> 
> noble: clean cherry-pick
> jammy: clean cherry-pick
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this fix could affect networking on Marvell PPv2 (mvpp2)
> Ethernet controllers, potentially causing RX buffer pool depletion, packet
> drops, or incorrect buffer accounting under memory pressure or heavy XDP
> traffic.
> 

Applied to noble,jammy:linux/master-next. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/03999505/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/03999505/attachment-0001.sig>


More information about the kernel-team mailing list