CVE-2026-53009
Analyzed Analyzed - Analysis Complete

Double-Free in Linux Kernel Ice Driver

Vulnerability report for CVE-2026-53009, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-15

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time. The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path. The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch. I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN. I looked for similar bugs in related Intel drivers and did not find any.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.17 (inc) to 7.0.10 (exc)
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-1341 The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by correcting the error path in the ice driver to prevent a double-free of the tx_buf skb.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

The fix involves resetting the tx_buf type to ICE_TX_BUF_EMPTY in the error path and ensuring proper initialization of the 'first' tx_buf to avoid double-free conditions.

Executive Summary

This vulnerability is a double-free bug in the Linux kernel's ice network driver. Specifically, if the functions ice_tso() or ice_tx_csum() fail during packet transmission, the error handling code frees a network buffer (skb) but does not properly reset the associated buffer pointer (tx_buf). This causes the buffer to be freed again later when the network interface is brought down, leading to a double-free condition.

The issue arises because the 'first' tx_buf still points to the freed skb and is marked as valid, while the 'next_to_use' pointer remains unchanged. Normally, this problem might self-correct when the next packet is transmitted and overwrites the tx_buf, but if no further packets are sent and the interface is shut down, the double-free occurs.

The fix involved resetting the tx_buf type to empty in the error path to prevent the second free, and adjusting initialization to ensure proper handling in all error cases.

Impact Analysis

A double-free vulnerability in a kernel driver can lead to memory corruption, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

In this specific case, the vulnerability could cause the network interface to malfunction or the entire system to become unstable if the double-free is triggered, especially when the interface is brought down after a transmission failure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart