CVE-2026-53008

Summary

In the Linux kernel, the following vulnerability has been resolved:

ice: fix race condition in TX timestamp ring cleanup

Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference.

ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference.

CPU A:ice_free_tx_tstamp_ring()CPU B:ice_tx_map()
tx_ring->tstamp_ring = NULL
ice_is_txtime_cfg() -> true
tstamp_ring = tx_ring->tstamp_ring
tstamp_ring->count // NULL deref!
flags &= ~ICE_TX_FLAGS_TXTIME

Fix by:

  1. Reordering ice_free_tx_tstamp_ring() to clear the flag before NULLing the pointer, with smp_wmb() to ensure proper ordering.
  2. Adding smp_rmb() in ice_tx_map() after the flag check to order the flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net.
  3. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag operations throughout the driver:
    • ICE_TX_RING_FLAGS_XDP
    • ICE_TX_RING_FLAGS_VLAN_L2TAG1
    • ICE_TX_RING_FLAGS_VLAN_L2TAG2
    • ICE_TX_RING_FLAGS_TXTIME

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxccde82e909467abdf098a8ee6f63e1ecf9a47ce5 < 097409d20465723283632515df73038a4a853edaaffected
LinuxLinuxccde82e909467abdf098a8ee6f63e1ecf9a47ce5 < 7c72ec18c2a4111204c2e915f8e4f6d849ce9398affected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References