APPLIED: [SRU][N/J][PATCH 0/2] CVE-2026-53215
Stefan Bader
stefan.bader at canonical.com
Thu Jul 16 07:52:57 UTC 2026
On 15/07/2026 13:16, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-53215
>
> [ Impact ]
>
> The mvpp2 driver's RX error path returns the current descriptor buffer to the
> hardware BM pool, which is only valid while the driver still owns the buffer.
> However, mvpp2_rx_refill() can fail after the current buffer has already been
> handed to XDP or attached to an skb, where it may have been recycled,
> redirected, queued for XDP_TX, or freed. Returning such a buffer to the BM pool
> lets the hardware DMA into memory that is no longer owned by the RX ring,
> leading to memory corruption. With a CVSS score of 9.8, this can be exploited
> to compromise system integrity, confidentiality, and availability.
>
> [ Fix ]
>
> noble: clean cherry-pick
> jammy: clean cherry-pick
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this fix could affect networking on Marvell PPv2 (mvpp2)
> Ethernet controllers, potentially causing RX buffer pool depletion, packet
> drops, or incorrect buffer accounting under memory pressure or heavy XDP
> traffic.
>
Applied to noble,jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/03999505/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/03999505/attachment-0001.sig>
More information about the kernel-team
mailing list