Skip to main content

Linux Kernel EUVDEUVD-2026-39891

| CVE-2026-53286 HIGH
Double Free (CWE-415)
2026-06-26 Linux GHSA-xv2m-p78g-cm3m
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local privileged access needed (AV:L/PR:L) and the fault triggers only on a hard-to-force aux-device probe error, so AC:H; kernel memory corruption yields high C/I/A.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:09 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
7.8 (HIGH)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
HIGH 7.8
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix double free and use-after-free in aux device error paths

When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree().

Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately.

Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.

AnalysisAI

Memory corruption (double free and use-after-free, CWE-415) in the Linux kernel's Intel idpf network driver allows a local low-privileged actor to corrupt kernel heap memory when the auxiliary device probe error path executes. The idpf_plug_vport_aux_dev() and idpf_plug_core_aux_dev() routines free the iadev structure via a release callback during auxiliary_device_uninit(), then fall through and read adev->id from the freed object for ida_free() and kfree() it again. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged access on idpf host
Delivery
Induce aux device probe failure
Exploit
auxiliary_device_uninit frees iadev
Execution
Fall-through reads/frees stale pointer
Persist
Corrupt kernel heap
Impact
Escalate privileges or crash kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a host running the idpf driver, which in turn requires Intel IDPF-capable NIC/IPU hardware to be present and the driver loaded. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point consistently to a low-to-moderate, non-urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user or a co-resident process on a host with an Intel idpf NIC induces or races an auxiliary device probe failure (e.g. during device plug/hotplug), causing the driver to free the iadev structure and then re-read and re-free it, corrupting kernel heap memory. …
Remediation Patch available per vendor advisory: update to a Linux kernel build containing the fix, which frees the IDA slot and clears the back-pointer before auxiliary_device_uninit() and returns immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify Linux systems using Intel idpf network drivers via kernel logs and device enumeration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy