CVE-2026-53009
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix double-free of tx_buf skb
If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time.
The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path.
The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch.
I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN.
I looked for similar bugs in related Intel drivers and did not find any.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d76a60ba7afb89523c88cf2ed3a044ce4180289e < 4c08fc2119ef0281cfa2cee007acf0a251be55f2 | affected |
| Linux | Linux | d76a60ba7afb89523c88cf2ed3a044ce4180289e < 1a303baa715e6b78d6a406aaf335f87ff35acfcd | affected |
| Linux | Linux | 4.17 | affected |
| Linux | Linux | 0 < 4.17 | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: ice: fix double-free of tx_buf skb
Additional References
- https://access.redhat.com/security/cve/CVE-2026-53009
- https://bugzilla.redhat.com/show_bug.cgi?id=2492390
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53009.json
References
- https://git.kernel.org/stable/c/4c08fc2119ef0281cfa2cee007acf0a251be55f2
- https://git.kernel.org/stable/c/1a303baa715e6b78d6a406aaf335f87ff35acfcd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.