In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: limit XDP frame size to the RX buffer
mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGESIZE. The XDP path nevertheless initializes every xdpbuff with PAGE_SIZE as frame size.
XDP helpers use framesz to validate tail growth and to derive the hard end of the data area. Advertising PAGESIZE for short buffers can let bpfxdpadjust_tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks.
Initialize the XDP buffer with bmpool->fragsize so XDP tailroom matches the actual buffer backing the packet.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53216.json",
"cna_assigner": "Linux"
}