CVE-2026-53007
Received Received - Intake
NULL Pointer Dereference in Linux Kernel Ice Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53007
EUVD
EUVD-2026-38875
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel ice *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by clearing the ICE_TX_RING_FLAGS_TXTIME bit in the Linux kernel's ice driver to avoid a potential NULL pointer dereference during error handling in ice_set_ringparam().

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the ice driver.

Executive Summary

This vulnerability exists in the Linux kernel's ice driver, specifically in the function ice_set_ringparam(). The issue occurs because the function nullifies the tstamp_ring of temporary tx_rings without clearing the ICE_TX_RING_FLAGS_TXTIME bit. If this bit remains set and the subsequent call to ice_setup_tx_ring() fails, a NULL pointer dereference can happen during the error handling sequence. This leads to a crash when the code attempts to access a NULL pointer in the timestamp ring descriptors.

The problem arises in the unwinding sequence involving ice_clean_tx_ring(), ice_is_txtime_cfg(), ice_free_tx_tstamp_ring(), and ice_free_tstamp_ring(), where the NULL dereference occurs. The fix involves clearing the ICE_TX_RING_FLAGS_TXTIME bit to prevent this NULL pointer dereference.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's ice driver, which may lead to a kernel crash or system instability. Such crashes can result in denial of service conditions where the affected system or device becomes unresponsive or requires a reboot.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53007. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart