CVE-2026-53008
Received Received - Intake
Race Condition in Linux Kernel ICE Driver TX Timestamp Ring

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix race condition in TX timestamp ring cleanup Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference. ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference. CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map() --------------------------------|--------------------------------- tx_ring->tstamp_ring = NULL | | ice_is_txtime_cfg() -> true | tstamp_ring = tx_ring->tstamp_ring | tstamp_ring->count // NULL deref! flags &= ~ICE_TX_FLAGS_TXTIME | Fix by: 1. Reordering ice_free_tx_tstamp_ring() to clear the flag before NULLing the pointer, with smp_wmb() to ensure proper ordering. 2. Adding smp_rmb() in ice_tx_map() after the flag check to order the flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net. 3. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag operations throughout the driver: - ICE_TX_RING_FLAGS_XDP - ICE_TX_RING_FLAGS_VLAN_L2TAG1 - ICE_TX_RING_FLAGS_VLAN_L2TAG2 - ICE_TX_RING_FLAGS_TXTIME
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53008
EUVD
EUVD-2026-38876
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel ice *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's ice network driver related to the TX timestamp ring cleanup process.

Specifically, the function ice_free_tx_tstamp_ring() clears a flag after setting a pointer (tstamp_ring) to NULL. Meanwhile, another function, ice_tx_map(), running on a different CPU, can concurrently access this pointer before the flag is cleared, leading to a NULL pointer dereference.

The issue arises because ice_tx_map() may read the tstamp_ring pointer while it is NULL, causing a crash or undefined behavior.

The fix involves reordering operations to clear the flag before NULLing the pointer, adding memory barriers to ensure proper ordering, adding NULL checks, and changing flag handling to use atomic bit operations.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's ice network driver, which may lead to system crashes or instability.

Such crashes could result in denial of service conditions, affecting network functionality and overall system reliability.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel driver for the Intel ice network device to a version that includes the following changes:

  • Reordering the function ice_free_tx_tstamp_ring() to clear the ICE_TX_FLAGS_TXTIME flag before NULLing the timestamp ring pointer, ensuring proper memory ordering with smp_wmb().
  • Adding memory barriers (smp_rmb()) and using READ_ONCE() in ice_tx_map() to safely read the flag and pointer, including a NULL check to prevent dereferencing a NULL pointer.
  • Converting tx_ring->flags from a u8 type to a bitmap with atomic bit operations (set_bit(), clear_bit(), test_bit()) for all flag manipulations in the driver.

Therefore, the immediate mitigation step is to update the Linux kernel or the ice driver to a version that contains these fixes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart