CVE-2026-53009
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In the Linux kernel, the ice driver has a double-free vulnerability of the skb buffer when ice_tso() or ice_tx_csum() fail. The pointer to skb remains in tx_buf, causing a second free when the interface is brought down.
Risk Assessment
Double-free memory corruption can lead to kernel data structure damage, potentially allowing an attacker to cause a system panic or, in extreme cases, privilege escalation.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). If an update is not possible, temporarily avoid using network interfaces based on the ice driver in production environments.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time. The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path. The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch. I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN. I looked for similar bugs in related Intel drivers and did not find any.

