Description
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix double free and use-after-free in aux device error paths

When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
auxiliary_device_uninit() and falls through to err_aux_dev_init. The
uninit call will trigger put_device(), which invokes the release
callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
iadev. The fall-through then reads adev->id from the freed iadev for
ida_free() and double-frees iadev with kfree().

Free the IDA slot and clear the back-pointer before uninit, while adev
is still valid, then return immediately.

Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization")
fixed the same use-after-free in the matching unplug path in this file but
missed both probe error paths.
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The idpf driver contains an error path in its auxiliary device handling that can cause a double free and a use-after-free when a device addition fails. On that path the release callback frees the object, and the error handler then reads a field from the freed structure and frees the same object a second time, corrupting kernel memory. This corruption can lead to a kernel panic or, in the worst case, arbitrary code execution with kernel privileges. It is inferred that an attacker who can force the error path may exploit the memory corruption to obtain elevated privileges.
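The two probe error paths from the Description, modelled in user space as an added example (not the kernel's or this page's code). Freeing only updates counters so the pre-fix behaviour can be observed safely; `mock_iadev`, `try_plug` and the other `mock_*` names are hypothetical stand-ins for the driver and auxiliary bus functions.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model with hypothetical names: "freeing" only updates counters,
 * so the pre-fix path can be observed without corrupting real memory. */
struct mock_iadev { int id; bool live; };
struct outcome { int frees, stale_reads, ida_frees; };
enum fail { FAIL_INIT, FAIL_ADD };   /* which modelled call fails */

static struct outcome o;

static void mock_kfree(struct mock_iadev *p) { o.frees++; p->live = false; }
static void mock_ida_free(struct mock_iadev *p)  /* models ida_free(.., adev->id) */
{
    if (!p->live) o.stale_reads++;   /* id read from an already-freed object */
    o.ida_frees++;
}
/* Models auxiliary_device_uninit(): the final put_device() runs the release
 * callback, which frees the containing object. */
static void mock_uninit(struct mock_iadev *p) { mock_kfree(p); }

struct outcome try_plug(bool fixed, enum fail f)
{
    struct mock_iadev dev = { .id = 7, .live = true };  /* constructed sample */

    o = (struct outcome){ 0 };
    if (f == FAIL_INIT)
        goto err_aux_dev_init;       /* init failed: caller still owns dev */
    /* f == FAIL_ADD: init succeeded, so the release callback now owns dev */
    if (fixed) {
        mock_ida_free(&dev);         /* free the IDA slot while dev is valid */
        mock_uninit(&dev);           /* (real fix also clears the back-pointer) */
        return o;                    /* return immediately, no fall-through */
    }
    mock_uninit(&dev);               /* pre-fix err_aux_dev_add: frees dev ... */
err_aux_dev_init:                    /* ... then falls through to here */
    mock_ida_free(&dev);
    mock_kfree(&dev);
    return o;
}

int main(void)
{
    struct outcome b = try_plug(false, FAIL_ADD), g = try_plug(true, FAIL_ADD);
    printf("pre-fix: frees=%d stale_reads=%d\n", b.frees, b.stale_reads);
    printf("fixed:   frees=%d stale_reads=%d\n", g.frees, g.stale_reads);
    return 0;
}
```

The `FAIL_INIT` case is included to show that the shared cleanup label is correct on its own; only reaching it after the uninit call produces the stale read and second free.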

Affected Systems

All installations of the Linux kernel that include the idpf driver and have not incorporated the fix for the probe error paths are affected. Commit 65637c3a1811 fixed only the matching unplug path, so a kernel that carries that commit but not the probe error path fix remains vulnerable. Because the affected code is part of the kernel's mainline tree, any kernel build without the fix remains vulnerable. No explicit version range is provided, so the vulnerability applies to all kernels before the patch, regardless of series.

Risk and Exploitability

No CVSS score is disclosed and the EPSS score is not available, so the exact severity and likelihood cannot be quantified from the data. The flaw manifests only during a failure in the auxiliary device creation path, which typically requires privileged context or control over devices that use the idpf driver. It is inferred that a local attacker with the ability to influence device addition could trigger the vulnerable path and potentially exploit the resulting memory corruption. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation incidents yet.

Generated by OpenCVE AI on June 26, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fix for the idpf probe error paths to remove the double free and use-after-free in the idpf driver. Commit 65637c3a1811 covers only the unplug path and is not sufficient on its own.
  • If an immediate kernel upgrade is not possible, disable idpf auxiliary device support (via the appropriate kernel configuration option or by blacklisting the module) to avoid exercising the vulnerable error path.
  • Regularly monitor vendor advisories for future security updates related to the idpf driver and apply them as soon as they become available.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-415, CWE-416

Fri, 26 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: idpf: fix double free and use-after-free in aux device error paths When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree(). Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately. Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.
Title | | idpf: fix double free and use-after-free in aux device error paths
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:47.210Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53286

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:09Z

Weaknesses