In the Linux kernel, the following vulnerability has been resolved:
ice: fix double-free of tx_buf skb
If icetso() or icetxcsum() fail, the error path in icexmitframering() frees the skb, but the 'first' txbuf still points to it and is marked as valid (ICETXBUFSKB). 'nexttouse' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the txbuf gets overwritten. But if there is no next packet and the interface is brought down instead, icecleantxring() -> iceunmapandfreetxbuf() will find the txbuf and free the skb for the second time.
The fix is to reset the txbuf type to ICETXBUFEMPTY in the error path, so that iceunmapandfreetx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path.
The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch.
I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN.
I looked for similar bugs in related Intel drivers and did not find any.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53009.json",
"cna_assigner": "Linux"
}