CVE-2026-53007
Analyzed Analyzed - Analysis Complete

NULL Pointer Dereference in Linux Kernel Ice Driver

Vulnerability report for CVE-2026-53007, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 6.18 (inc) to 7.0.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ice driver, specifically in the function ice_set_ringparam(). The issue occurs because the function nullifies the tstamp_ring of temporary tx_rings without clearing the ICE_TX_RING_FLAGS_TXTIME bit. If this bit remains set and the subsequent call to ice_setup_tx_ring() fails, a NULL pointer dereference can happen during the error handling sequence. This leads to a crash when the code attempts to access a NULL pointer in the timestamp ring descriptors.

The problem arises in the unwinding sequence involving ice_clean_tx_ring(), ice_is_txtime_cfg(), ice_free_tx_tstamp_ring(), and ice_free_tstamp_ring(), where the NULL dereference occurs. The fix involves clearing the ICE_TX_RING_FLAGS_TXTIME bit to prevent this NULL pointer dereference.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's ice driver, which may lead to a kernel crash or system instability. Such crashes can result in denial of service conditions where the affected system or device becomes unresponsive or requires a reboot.

Mitigation Strategies

The vulnerability is fixed by clearing the ICE_TX_RING_FLAGS_TXTIME bit in the Linux kernel's ice driver to avoid a potential NULL pointer dereference during error handling in ice_set_ringparam().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the ice driver.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53007. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart