CVE-2026-53009

In the Linux kernel, the following vulnerability has been resolved:

ice: fix double-free of tx buf skb

If ice tso() or ice tx csum() fail, the error path in ice xmit frame ring() frees the skb, but the 'first' tx buf still points to it and is marked as valid (ICE TX BUF SKB). 'next to use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice clean tx ring() -> ice unmap and free tx buf() will find the tx buf and free the skb for the second time.

The fix is to reset the tx buf type to ICE TX BUF EMPTY in the error path, so that ice unmap and free tx buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path.

The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch.

I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN.

I looked for similar bugs in related Intel drivers and did not find any.