CVE-2026-53009

Source
https://cve.org/CVERecord?id=CVE-2026-53009
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53009.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53009
Downstream
Published
2026-06-24T16:29:20.332Z
Modified
2026-07-12T03:54:37.402212687Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ice: fix double-free of tx_buf skb
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix double-free of tx_buf skb

If icetso() or icetxcsum() fail, the error path in icexmitframering() frees the skb, but the 'first' txbuf still points to it and is marked as valid (ICETXBUFSKB). 'nexttouse' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the txbuf gets overwritten. But if there is no next packet and the interface is brought down instead, icecleantxring() -> iceunmapandfreetxbuf() will find the txbuf and free the skb for the second time.

The fix is to reset the txbuf type to ICETXBUFEMPTY in the error path, so that iceunmapandfreetx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path.

The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch.

I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN.

I looked for similar bugs in related Intel drivers and did not find any.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53009.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d76a60ba7afb89523c88cf2ed3a044ce4180289e
Fixed
4c08fc2119ef0281cfa2cee007acf0a251be55f2
Fixed
1a303baa715e6b78d6a406aaf335f87ff35acfcd

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53009.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.17.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53009.json"