Skip to main content

Linux Kernel EUVDEUVD-2026-38876

| CVE-2026-53008 MEDIUM
Race Condition (CWE-362)
2026-06-24 Linux GHSA-gqxp-fj3h-cr3v
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local access only (AV:L), race condition requires precise timing (AC:H), low-privilege local user needed (PR:L), availability-only kernel crash impact (A:H), no C/I impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 14, 2026 - 22:02 vuln.today
CVSS changed
Jul 14, 2026 - 18:52 NVD
4.7 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ice: fix race condition in TX timestamp ring cleanup

Fix a race condition between ice_free_tx_tstamp_ring() and ice_tx_map() that can cause a NULL pointer dereference.

ice_free_tx_tstamp_ring currently clears the ICE_TX_FLAGS_TXTIME flag after NULLing the tstamp_ring. This could allow a concurrent ice_tx_map call on another CPU to dereference the tstamp_ring, which could lead to a NULL pointer dereference.

CPU A:ice_free_tx_tstamp_ring() | CPU B:ice_tx_map() --------------------------------|--------------------------------- tx_ring->tstamp_ring = NULL |

| ice_is_txtime_cfg() -> true | tstamp_ring = tx_ring->tstamp_ring | tstamp_ring->count // NULL deref! flags &= ~ICE_TX_FLAGS_TXTIME |

Fix by:

  1. Reordering ice_free_tx_tstamp_ring() to clear the flag before

NULLing the pointer, with smp_wmb() to ensure proper ordering.

  1. Adding smp_rmb() in ice_tx_map() after the flag check to order the

flag read before the pointer read, using READ_ONCE() for the pointer, and adding a NULL check as a safety net.

  1. Converting tx_ring->flags from u8 to DECLARE_BITMAP() and using

atomic bitops (set_bit(), clear_bit(), test_bit()) for all flag operations throughout the driver:

  • ICE_TX_RING_FLAGS_XDP
  • ICE_TX_RING_FLAGS_VLAN_L2TAG1
  • ICE_TX_RING_FLAGS_VLAN_L2TAG2
  • ICE_TX_RING_FLAGS_TXTIME

AnalysisAI

NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local low-privilege shell access
Delivery
Configure SO_TXTIME socket on ICE NIC interface
Exploit
Trigger concurrent TX map on CPU B
Install
Race interface teardown on CPU A
C2
CPU A nulls tstamp_ring before clearing flag
Execute
CPU B dereferences NULL tstamp_ring
Impact
Kernel panic (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local shell access with low privileges on the target system; (2) the system must use an Intel ICE-series network controller (E810 or compatible); (3) TX timestamping (ICE_TX_FLAGS_TXTIME / TXTIME feature) must be actively configured on the NIC - this is non-default and requires explicit SO_TXTIME socket configuration or PTP timestamping setup; (4) concurrent execution across at least two CPU cores is required to trigger the race window between ice_free_tx_tstamp_ring() on CPU A and ice_tx_map() on CPU B. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate for systems running affected kernel versions with Intel ICE-series hardware and TX timestamping enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with shell access on a server running an affected Linux kernel version with an Intel ICE NIC and TX timestamping configured repeatedly triggers network transmit operations (e.g., via SO_TXTIME sockets) on one CPU core while simultaneously causing interface teardown or driver reload on another CPU core. If the race window is won - CPU B reads tstamp_ring as NULL after CPU A has already cleared it - the kernel dereferences the NULL pointer in ice_tx_map(), resulting in a kernel oops or panic and a full system denial of service. …
Remediation Apply the vendor-released patch by upgrading to Linux kernel 6.18, 7.0.10, or 7.1 as appropriate to your stable branch, which include the fix commits 097409d20465723283632515df73038a4a853eda and 7c72ec18c2a4111204c2e915f8e4f6d849ce9398. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy