
CVE-2026-53229: Linux Kernel mlx5e DMA Leak Vulnerability

CVE-2026-53229 is a DMA and xdp_frame leak flaw in the Linux kernel's mlx5e XSK driver that occurs on XDP_TX transmission failure. This article covers the technical details, affected systems, and mitigation strategies.

CVE-2026-53229 Overview

CVE-2026-53229 is a resource leak vulnerability in the Linux kernel's Mellanox mlx5e network driver. The flaw resides in the AF_XDP (XSK) zero-copy branch of mlx5e_xmit_xdp_buff(). When the underlying sq->xmit_xdp_frame() call fails, for example because the XDP send queue (XDPSQ) is full, the function returns early without unmapping the DMA address or freeing the xdp_frame previously allocated by xdp_convert_zc_to_xdp_frame(). Because the xdpi_fifo push only occurs on the success path, the completion handler cannot recover these orphaned entries, resulting in persistent DMA mappings and memory leaks visible on driver unbind.

Critical Impact

Repeated XDP_TX transmit failures on mlx5 NICs using AF_XDP zero-copy sockets leak DMA mappings and xdp_frame memory, exhausting IOMMU resources and triggering DMA-API warnings on driver release.

Affected Products

  • Linux kernel net/mlx5e driver supporting AF_XDP zero-copy transmit
  • Systems using Mellanox/NVIDIA ConnectX adapters with XDP_TX workloads
  • Kernel builds with CONFIG_DMA_API_DEBUG=y surface the leak explicitly

Discovery Timeline

  • 2026-06-25 - CVE-2026-53229 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53229

Vulnerability Analysis

The vulnerability is a memory and resource leak in the XSK (AF_XDP socket) transmit branch of mlx5e_xmit_xdp_buff(). The XDP_TX path converts a zero-copy XDP buffer to an xdp_frame using xdp_convert_zc_to_xdp_frame(), maps a DMA address with dma_map_phys(), and then calls sq->xmit_xdp_frame() to enqueue the frame on the XDP send queue. When the enqueue succeeds, the driver pushes a descriptor onto the xdpi_fifo so the completion path can later unmap the DMA region and release the frame. When the enqueue fails, the function returns without performing either cleanup step, and the completion path has no record of the allocation. Each failed transmit therefore leaves a live DMA mapping and an allocated xdp_frame behind. With CONFIG_DMA_API_DEBUG=y, the leak materializes on driver unbind as a DMA-API: device driver has pending DMA allocations warning from dma_debug_device_change, reporting hundreds or thousands of leaked entries depending on workload.

Root Cause

The root cause is missing error-path cleanup in the XSK branch of mlx5e_xmit_xdp_buff(). The success path registers the allocation in the completion FIFO, but the failure path omits the matching dma_unmap and xdp_return_frame() calls already used in mlx5e_xdp_xmit() [CWE-401 Missing Release of Memory after Effective Lifetime].
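The error-path pattern described under Vulnerability Analysis and Root Cause, as an added user-space model (not the mlx5e driver's code and not the upstream patch). All names in it (`convert_and_map`, `unmap_and_return`, `xmit_buff`, `leaked_mappings`, the 64-entry pool) are hypothetical stand-ins; `fixed` selects whether the failure path performs the cleanup.

```c
#include <stdbool.h>
#include <string.h>

/* User-space model; every name is a hypothetical stand-in, not driver code. */
#define POOL 64
struct frame { bool in_use, dma_mapped; };
struct sq { int free_slots, fifo_len; struct frame *fifo[POOL]; };
static struct frame pool[POOL];

static struct frame *convert_and_map(void)   /* frame conversion + DMA map */
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = pool[i].dma_mapped = true;
            return &pool[i];
        }
    return NULL;                              /* pool exhausted by leaks */
}

/* Models the DMA unmap plus returning the frame. */
static void unmap_and_return(struct frame *f) { f->in_use = f->dma_mapped = false; }

static bool xmit_buff(struct sq *sq, bool fixed)
{
    struct frame *f = convert_and_map();
    if (!f)
        return false;
    if (sq->free_slots == 0) {                /* send queue full: enqueue fails */
        if (fixed)
            unmap_and_return(f);              /* cleanup on the failure path */
        return false;                         /* unfixed: f is orphaned here */
    }
    sq->free_slots--;
    sq->fifo[sq->fifo_len++] = f;             /* success only: completion sees f */
    return true;
}

/* Send n buffers, run completion, count mappings still live afterwards. */
int leaked_mappings(int n, int slots, bool fixed)
{
    struct sq sq = { .free_slots = slots };
    int leaked = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < n; i++)
        xmit_buff(&sq, fixed);
    while (sq.fifo_len > 0)                   /* completion drains the FIFO */
        unmap_and_return(sq.fifo[--sq.fifo_len]);
    for (int i = 0; i < POOL; i++)
        leaked += pool[i].dma_mapped;
    return leaked;
}
```

With 20 sends into an 8-slot queue, the unfixed path leaves 12 mappings that completion can never reach; once failures fill the pool, further conversions fail outright, which is the model's analogue of resource exhaustion.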

Attack Vector

Local exploitation requires the ability to drive sustained XDP_TX traffic through an AF_XDP zero-copy socket while the XDPSQ is congested. There is no published remote attack vector. The practical impact is resource exhaustion: leaked DMA mappings can pressure IOMMU table space and pinned memory, and the leak prevents clean driver teardown.

No verified exploit code is available for CVE-2026-53229. See the upstream fix commits referenced in the mitigation section for the corrected cleanup sequence.

Detection Methods for CVE-2026-53229

Indicators of Compromise

  • Kernel warnings from dma_debug_device_change+0x127/0x180 reporting device driver has pending DMA allocations for mlx5_core devices on driver unbind.
  • DMA-API log entries showing mapping sites at mlx5e_xdp_handle, mlx5e_xsk_skb_from_cqe_mpwrq_linear, and mlx5e_handle_rx_cqe_mpwrq.
  • Growing xdp_frame allocations and pinned DMA memory on hosts running AF_XDP zero-copy workloads against mlx5 NICs.

Detection Strategies

  • Enable CONFIG_DMA_API_DEBUG=y in test or pre-production kernels to surface unreleased mappings against mlx5_core devices.
  • Track XDPSQ full or backpressure counters exported by the mlx5e driver alongside AF_XDP TX drop counters to correlate failed enqueues with leak growth.
  • Monitor IOMMU mapping counts and kernel slab usage for xdp_mem and related caches over the lifetime of AF_XDP workloads.

Monitoring Recommendations

  • Alert on any DMA-API warnings emitted by kernel/dma/debug.c referencing mlx5_core or XDP code paths.
  • Watch for unexpected increases in dev->dma_active_cacheline or vendor-equivalent counters on hosts running AF_XDP applications.
  • Audit running kernel versions against the patched commits to confirm whether hosts carry the fix.

How to Mitigate CVE-2026-53229

Immediate Actions Required

  • Apply the upstream kernel fix that adds the missing dma_unmap and xdp_return_frame() calls in the XSK branch of mlx5e_xmit_xdp_buff().
  • Rebase out-of-tree mlx5 driver patches onto a kernel containing the fix before deploying AF_XDP zero-copy workloads.
  • Restart or reload mlx5_core after patching to clear any leaked DMA mappings accumulated under the vulnerable code.

Patch Information

The fix has been merged upstream across multiple stable branches. Reference the following commits: Kernel commit 0aabca726b43, Kernel commit 2789b74ae1f4, Kernel commit 7b3eeba50fbc, and Kernel commit b69004f5a6ad. The patch mirrors the cleanup already present in mlx5e_xdp_xmit() and skips per-fragment unmapping because has_frags is rejected earlier in the XSK branch.

Workarounds

  • Disable AF_XDP zero-copy mode on affected mlx5 interfaces and fall back to copy mode or skb-based XDP until patched kernels are deployed.
  • Size XDP send queues to reduce the frequency of xmit_xdp_frame() failures, lowering leak accumulation in the interim.
  • Schedule periodic driver reloads on long-lived hosts running AF_XDP workloads to reclaim leaked DMA mappings.
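
```bash
# Identify the running kernel release
uname -r

# Check whether the kernel source tree (assumed to be a git checkout at
# /usr/src/linux that matches the running kernel) contains one of the fix commits
for c in 0aabca726b43 2789b74ae1f4 7b3eeba50fbc b69004f5a6ad; do
    git -C /usr/src/linux merge-base --is-ancestor "$c" HEAD 2>/dev/null \
        && echo "fix commit present: $c"
done

# AF_XDP zero-copy is selected per socket at bind time, so the change is made in the application:
# run AF_XDP applications with XDP_COPY instead of XDP_ZEROCOPY flags
```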

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
