Vulnerability Details CVE-2026-53008
In the Linux kernel, the following vulnerability has been resolved:
ice: fix race condition in TX timestamp ring cleanup
Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map()
that can cause a NULL pointer dereference.
ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag
after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map
call on another CPU to dereference the tstamp_ring, which could lead to
a NULL pointer dereference.
CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map()
--------------------------------|---------------------------------
tx_ring->tstamp_ring = NULL |
| ice_is_txtime_cfg() -> true
| tstamp_ring = tx_ring->tstamp_ring
| tstamp_ring->count // NULL deref!
flags &= ~ICE_TX_FLAGS_TXTIME |
Fix by:
1. Reordering ice_free_tx_tstamp_ring() to clear the flag before
NULLing the pointer, with smp_wmb() to ensure proper ordering.
2. Adding smp_rmb() in ice_tx_map() after the flag check to order the
flag read before the pointer read, using READ_ONCE() for the
pointer, and adding a NULL check as a safety net.
3. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using
atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag
operations throughout the driver:
- ICE_TX_RING_FLAGS_XDP
- ICE_TX_RING_FLAGS_VLAN_L2TAG1
- ICE_TX_RING_FLAGS_VLAN_L2TAG2
- ICE_TX_RING_FLAGS_TXTIME
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 5.1%
CVSS Severity
CVSS v3 Score 4.7
Products affected by CVE-2026-53008
-
cpe:2.3:o:linux:linux_kernel:6.18
-
cpe:2.3:o:linux:linux_kernel:6.18.1
-
cpe:2.3:o:linux:linux_kernel:6.18.10
-
cpe:2.3:o:linux:linux_kernel:6.18.11
-
cpe:2.3:o:linux:linux_kernel:6.18.13
-
cpe:2.3:o:linux:linux_kernel:6.18.14
-
cpe:2.3:o:linux:linux_kernel:6.18.16
-
cpe:2.3:o:linux:linux_kernel:6.18.17
-
cpe:2.3:o:linux:linux_kernel:6.18.18
-
cpe:2.3:o:linux:linux_kernel:6.18.19
-
cpe:2.3:o:linux:linux_kernel:6.18.2
-
cpe:2.3:o:linux:linux_kernel:6.18.20
-
cpe:2.3:o:linux:linux_kernel:6.18.21
-
cpe:2.3:o:linux:linux_kernel:6.18.22
-
cpe:2.3:o:linux:linux_kernel:6.18.23
-
cpe:2.3:o:linux:linux_kernel:6.18.24
-
cpe:2.3:o:linux:linux_kernel:6.18.25
-
cpe:2.3:o:linux:linux_kernel:6.18.26
-
cpe:2.3:o:linux:linux_kernel:6.18.27
-
cpe:2.3:o:linux:linux_kernel:6.18.28
-
cpe:2.3:o:linux:linux_kernel:6.18.29
-
cpe:2.3:o:linux:linux_kernel:6.18.3
-
cpe:2.3:o:linux:linux_kernel:6.18.30
-
cpe:2.3:o:linux:linux_kernel:6.18.31
-
cpe:2.3:o:linux:linux_kernel:6.18.32
-
cpe:2.3:o:linux:linux_kernel:6.18.33
-
cpe:2.3:o:linux:linux_kernel:6.18.34
-
cpe:2.3:o:linux:linux_kernel:6.18.35
-
cpe:2.3:o:linux:linux_kernel:6.18.36
-
cpe:2.3:o:linux:linux_kernel:6.18.37
-
cpe:2.3:o:linux:linux_kernel:6.18.4
-
cpe:2.3:o:linux:linux_kernel:6.18.5
-
cpe:2.3:o:linux:linux_kernel:6.18.6
-
cpe:2.3:o:linux:linux_kernel:6.18.7
-
cpe:2.3:o:linux:linux_kernel:6.18.8
-
cpe:2.3:o:linux:linux_kernel:6.18.9
-
cpe:2.3:o:linux:linux_kernel:6.19
-
cpe:2.3:o:linux:linux_kernel:6.19.1
-
cpe:2.3:o:linux:linux_kernel:6.19.10
-
cpe:2.3:o:linux:linux_kernel:6.19.11
-
cpe:2.3:o:linux:linux_kernel:6.19.12
-
cpe:2.3:o:linux:linux_kernel:6.19.13
-
cpe:2.3:o:linux:linux_kernel:6.19.14
-
cpe:2.3:o:linux:linux_kernel:6.19.3
-
cpe:2.3:o:linux:linux_kernel:6.19.4
-
cpe:2.3:o:linux:linux_kernel:6.19.6
-
cpe:2.3:o:linux:linux_kernel:6.19.7
-
cpe:2.3:o:linux:linux_kernel:6.19.8
-
cpe:2.3:o:linux:linux_kernel:6.19.9
-
cpe:2.3:o:linux:linux_kernel:7.0
-
cpe:2.3:o:linux:linux_kernel:7.0.1
-
cpe:2.3:o:linux:linux_kernel:7.0.2
-
cpe:2.3:o:linux:linux_kernel:7.0.3
-
cpe:2.3:o:linux:linux_kernel:7.0.4
-
cpe:2.3:o:linux:linux_kernel:7.0.5
-
cpe:2.3:o:linux:linux_kernel:7.0.6
-
cpe:2.3:o:linux:linux_kernel:7.0.7
-
cpe:2.3:o:linux:linux_kernel:7.0.8
-
cpe:2.3:o:linux:linux_kernel:7.0.9