{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53009","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.378Z","datePublished":"2026-06-24T16:29:20.332Z","dateUpdated":"2026-07-08T12:06:03.141Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-28T06:37:58.894Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix double-free of tx_buf skb\n\nIf ice_tso() or ice_tx_csum() fail, the error path in\nice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points\nto it and is marked as valid (ICE_TX_BUF_SKB).\n'next_to_use' remains unchanged, so the potential problem will\nlikely fix itself when the next packet is transmitted and the tx_buf\ngets overwritten. But if there is no next packet and the interface is\nbrought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf()\nwill find the tx_buf and free the skb for the second time.\n\nThe fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error\npath, so that ice_unmap_and_free_tx_buf().\nMove the initialization of 'first' up, to ensure it's already valid in\ncase we hit the linearization error path.\n\nThe bug was spotted by AI while I had it looking for something else.\nIt also proposed an initial version of the patch.\n\nI reproduced the bug and tested the fix by adding code to inject\nfailures, on a build with KASAN.\n\nI looked for similar bugs in related Intel drivers and did not find any."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_txrx.c"],"versions":[{"version":"d76a60ba7afb89523c88cf2ed3a044ce4180289e","lessThan":"4c08fc2119ef0281cfa2cee007acf0a251be55f2","status":"affected","versionType":"git"},{"version":"d76a60ba7afb89523c88cf2ed3a044ce4180289e","lessThan":"1a303baa715e6b78d6a406aaf335f87ff35acfcd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_txrx.c"],"versions":[{"version":"4.17","status":"affected"},{"version":"0","lessThan":"4.17","status":"unaffected","versionType":"semver"},{"version":"7.0.10","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"7.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4c08fc2119ef0281cfa2cee007acf0a251be55f2"},{"url":"https://git.kernel.org/stable/c/1a303baa715e6b78d6a406aaf335f87ff35acfcd"}],"title":"ice: fix double-free of tx_buf skb","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"}],"datePublic":"2026-06-24T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in the Linux kernel's ice network driver. An error in the driver's handling of network packet transmission, specifically when ice_tso() or ice_tx_csum() functions fail, can lead to a double-free of a network buffer (skb). This occurs because a transmit buffer (tx_buf) may still point to an already freed buffer. If the network interface is subsequently brought down, this double-free can be triggered, potentially leading to a system crash or denial of service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-416","description":"Use After Free","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-53009"},{"name":"RHBZ#2492390","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492390"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53009.json"}],"timeline":[{"lang":"en","time":"2026-06-24T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-24T00:00:00.000Z","value":"Made public."}],"title":"kernel: ice: fix double-free of tx_buf skb","workarounds":[{"lang":"en","value":"To mitigate this issue, prevent module ice from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-08T12:06:03.141Z"}}]}}