Skip to main content

Linux Kernel EUVDEUVD-2026-32789

| CVE-2026-46162 HIGH
Double Free (CWE-415)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cw9h-69mp-f4jq
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local-only kernel bug (AV:L); needs CAP_NET_ADMIN and a forced auxiliary_device_add() failure plus slab grooming, so PR:L and AC:H; successful double-free exploitation yields full kernel compromise (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:23 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ice: fix double free in ice_sf_eth_activate() error path

When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).

The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.

Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().

AnalysisAI

Double-free memory corruption in the Linux kernel's Intel ice (E810) network driver occurs in the ice_sf_eth_activate() error path when auxiliary_device_add() fails, causing sf_dev to be freed twice. Affecting Linux kernel versions starting at 6.12 through pre-patch builds, a local privileged user triggering the failure path can corrupt kernel heap state, with no public exploit identified at time of analysis and a very low EPSS score of 0.02%.

Technical ContextAI

The flaw lives in drivers/net/ethernet/intel/ice, the Intel ice driver supporting E810-series 100GbE NICs and its subfunction (SF) port feature, which exposes child auxiliary devices via the kernel auxiliary bus. When ice_sf_eth_activate() registers a new SF auxiliary device, auxiliary_device_uninit() invokes the driver's release callback ice_sf_dev_release(), which already kfree()s the sf_dev structure; the buggy error path then fell through to a sf_dev_free label that called kfree(sf_dev) a second time. This is a classic CWE-415 Double Free on the kernel slab allocator, the type of corruption commonly leveraged for slab-based heap exploitation primitives.

RemediationAI

Upstream fix available (commits 9aab1c3d7299, 2ca30340b502, 121d1f253aed, d0c6a4816609) and Vendor-released patch: Linux 6.12.88, 6.18.30, 7.0.7, and 7.1-rc1 per EUVD-2026-32789 - upgrade to one of these or any later stable point release on your branch; distribution kernels should pull the backported ice driver fix. As a compensating control on hosts that cannot be rebooted immediately, unload or blacklist the ice module (modprobe -r ice / install ice /bin/true in modprobe.d) on systems that do not use Intel E810-class NICs, accepting loss of networking on those interfaces; on hosts that do use ice, disable the subfunction port feature in devlink (devlink port del / avoid 'devlink port add ... flavour pcisf') so the vulnerable activation path is not reached, accepting the loss of SR-IOV-style SF partitioning. Standard local-attack hardening - restricting CAP_NET_ADMIN and devlink access to root - also reduces who can drive the failure path. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-46162 and the per-commit pages under https://git.kernel.org/stable/c/.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy