CVE-2026-53009
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail,
CVSS
7.8
Alto
EPSS
0.1%
p3
KEV
—
Exploit Today
1
0-100
Publicado: 24 jun 2026 · Última mod.: 15 jul 2026 · CWE-415 · CWE-416
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time. The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path. The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch. I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN. I looked for similar bugs in related Intel drivers and did not find any.
- git.kernel.orghttps://git.kernel.org/stable/c/1a303baa715e6b78d6a406aaf335f87ff35acfcd
- git.kernel.orghttps://git.kernel.org/stable/c/4c08fc2119ef0281cfa2cee007acf0a251be55f2
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-53009
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2492390
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53009.json