CVE-2026-53009
Received Received - Intake
Double-Free in Linux Kernel Ice Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time. The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path. The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch. I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN. I looked for similar bugs in related Intel drivers and did not find any.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53009
EUVD
EUVD-2026-38877
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by correcting the error path in the ice driver to prevent a double-free of the tx_buf skb.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

The fix involves resetting the tx_buf type to ICE_TX_BUF_EMPTY in the error path and ensuring proper initialization of the 'first' tx_buf to avoid double-free conditions.

Executive Summary

This vulnerability is a double-free bug in the Linux kernel's ice network driver. Specifically, if the functions ice_tso() or ice_tx_csum() fail during packet transmission, the error handling code frees a network buffer (skb) but does not properly reset the associated buffer pointer (tx_buf). This causes the buffer to be freed again later when the network interface is brought down, leading to a double-free condition.

The issue arises because the 'first' tx_buf still points to the freed skb and is marked as valid, while the 'next_to_use' pointer remains unchanged. Normally, this problem might self-correct when the next packet is transmitted and overwrites the tx_buf, but if no further packets are sent and the interface is shut down, the double-free occurs.

The fix involved resetting the tx_buf type to empty in the error path to prevent the second free, and adjusting initialization to ensure proper handling in all error cases.

Impact Analysis

A double-free vulnerability in a kernel driver can lead to memory corruption, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

In this specific case, the vulnerability could cause the network interface to malfunction or the entire system to become unstable if the double-free is triggered, especially when the interface is brought down after a transmission failure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart