Description
In the Linux kernel, the following vulnerability has been resolved:

ice: fix potential NULL pointer deref in error path of ice_set_ringparam()

ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without
clearing ICE_TX_RING_FLAGS_TXTIME bit.
When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent
ice_setup_tx_ring() call fails, a NULL pointer dereference could happen
in the unwinding sequence:

ice_clean_tx_ring()
-> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set)
-> ice_free_tx_tstamp_ring()
-> ice_free_tstamp_ring()
-> tstamp_ring->desc (NULL deref)

Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue.

Note that this potential issue is found by manual code review.
Compile test only since unfortunately I don't have E830 devices.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the Linux kernel's ice driver when an error path in ice_set_ringparam() leaves the ICE_TX_RING_FLAGS_TXTIME flag set while the underlying tstamp_ring is NULL. During unwinding, the driver attempts to access tstamp_ring->desc, causing a kernel panic or crash. The impact is a local denial of service, potentially allowing an attacker to crash the system by leveraging faulty network interface configuration or error conditions. The weakness corresponds to CWE-476, Null Pointer Dereference.

Affected Systems

The vulnerability exists in any Linux kernel that includes the ice driver for Intel E810/E830 network interfaces. Specific version ranges are not disclosed in the advisory, but the issue was identified during code review of recent kernel source revisions and will be present in unpatched kernels containing the affected function. Systems running these kernels on any architecture that loads the ice module are potentially impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, indicating it is not a known widely The likely attack vector requires local access to trigger an error in ice_set_ringparam(), meaning the attacker would need the capability to configure network cause the driver to fail during normal operation. Because the issue is exposed only when the ICE_TX_RING_FLAGS_TXTIME flag is set and the subsequent setup fails, exploitation would likely require privileged system access, making the risk higher for compromised or administrative systems while still limiting external exposure. The impact remains a denial of service via kernel crash.

Generated by OpenCVE AI on June 26, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch clearing the ICE_TX_RING_FLAGS_TXTIME flag in ice_set_ringparam()
  • Restart the affected network interfaces or reboot to reload the corrected ice module if an update cannot be applied immediately
  • Monitor system logs for crashes related to ice driver errors and plan for a timely kernel upgrade to mitigate the denial of service risk

Generated by OpenCVE AI on June 26, 2026 at 02:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.
Title ice: fix potential NULL pointer deref in error path of ice_set_ringparam()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:18.570Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53007

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53007 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:15:15Z

Weaknesses