Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local privileged access needed (AV:L/PR:L) and the fault triggers only on a hard-to-force aux-device probe error, so AC:H; kernel memory corruption yields high C/I/A.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix double free and use-after-free in aux device error paths
When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree().
Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately.
Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.
AnalysisAI
Memory corruption (double free and use-after-free, CWE-415) in the Linux kernel's Intel idpf network driver allows a local low-privileged actor to corrupt kernel heap memory when the auxiliary device probe error path executes. The idpf_plug_vport_aux_dev() and idpf_plug_core_aux_dev() routines free the iadev structure via a release callback during auxiliary_device_uninit(), then fall through and read adev->id from the freed object for ida_free() and kfree() it again. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a host running the idpf driver, which in turn requires Intel IDPF-capable NIC/IPU hardware to be present and the driver loaded. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point consistently to a low-to-moderate, non-urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user or a co-resident process on a host with an Intel idpf NIC induces or races an auxiliary device probe failure (e.g. during device plug/hotplug), causing the driver to free the iadev structure and then re-read and re-free it, corrupting kernel heap memory. … |
| Remediation | Patch available per vendor advisory: update to a Linux kernel build containing the fix, which frees the IDA slot and clears the back-pointer before auxiliary_device_uninit() and returns immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify Linux systems using Intel idpf network drivers via kernel logs and device enumeration. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39891
GHSA-xv2m-p78g-cm3m