Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access only (AV:L), race condition requires precise timing (AC:H), low-privilege local user needed (PR:L), availability-only kernel crash impact (A:H), no C/I impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
ice: fix race condition in TX timestamp ring cleanup
Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference.
ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference.
CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map() --------------------------------|--------------------------------- tx_ring->tstamp_ring = NULL |
| ice_is_txtime_cfg() -> true | tstamp_ring = tx_ring->tstamp_ring | tstamp_ring->count // NULL deref! flags &= ~ICE_TX_FLAGS_TXTIME |
Fix by:
- Reordering ice_free_tx_tstamp_ring() to clear the flag before
NULLing the pointer, with smp_wmb() to ensure proper ordering.
- Adding smp_rmb() in ice_tx_map() after the flag check to order the
flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net.
- Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using
atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag operations throughout the driver:
- ICE_TX_RING_FLAGS_XDP
- ICE_TX_RING_FLAGS_VLAN_L2TAG1
- ICE_TX_RING_FLAGS_VLAN_L2TAG2
- ICE_TX_RING_FLAGS_TXTIME
AnalysisAI
NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) local shell access with low privileges on the target system; (2) the system must use an Intel ICE-series network controller (E810 or compatible); (3) TX timestamping (ICE_TX_FLAGS_TXTIME / TXTIME feature) must be actively configured on the NIC - this is non-default and requires explicit SO_TXTIME socket configuration or PTP timestamping setup; (4) concurrent execution across at least two CPU cores is required to trigger the race window between ice_free_tx_tstamp_ring() on CPU A and ice_tx_map() on CPU B. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low-to-moderate for systems running affected kernel versions with Intel ICE-series hardware and TX timestamping enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with shell access on a server running an affected Linux kernel version with an Intel ICE NIC and TX timestamping configured repeatedly triggers network transmit operations (e.g., via SO_TXTIME sockets) on one CPU core while simultaneously causing interface teardown or driver reload on another CPU core. If the race window is won - CPU B reads tstamp_ring as NULL after CPU A has already cleared it - the kernel dereferences the NULL pointer in ice_tx_map(), resulting in a kernel oops or panic and a full system denial of service. … |
| Remediation | Apply the vendor-released patch by upgrading to Linux kernel 6.18, 7.0.10, or 7.1 as appropriate to your stable branch, which include the fix commits 097409d20465723283632515df73038a4a853eda and 7c72ec18c2a4111204c2e915f8e4f6d849ce9398. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-362 – Race Condition
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38876
GHSA-gqxp-fj3h-cr3v