CVE-2026-53216

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: limit XDP frame size to the RX buffer

mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGE SIZE. The XDP path nevertheless initializes every xdp buff with PAGE SIZE as frame size.

XDP helpers use frame sz to validate tail growth and to derive the hard end of the data area. Advertising PAGE SIZE for short buffers can let bpf xdp adjust tail() grow a packet past the real allocation, corrupting memory or later tripping skb tailroom checks.

Initialize the XDP buffer with bm pool->frag size so XDP tailroom matches the actual buffer backing the packet.