Description
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix double free and use-after-free in aux device error paths

When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
auxiliary_device_uninit() and falls through to err_aux_dev_init. The
uninit call will trigger put_device(), which invokes the release
callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
iadev. The fall-through then reads adev->id from the freed iadev for
ida_free() and double-frees iadev with kfree().

Free the IDA slot and clear the back-pointer before uninit, while adev
is still valid, then return immediately.

Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization")
fixed the same use-after-free in the matching unplug path in this file but
missed both probe error paths.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The idpf driver contains an error path in its auxiliary device handling that can cause a double free and a use‑after‑free when a device addition fails. The bug triggers the release callback before freeing the same object twice and then reads a pointer from the freed structure, corrupting kernel memory. This corruption can lead to a kernel panic or, in the worst case, arbitrary code execution with kernel privileges. It is inferred that an attacker who can force the error path may exploit the memory corruption to obtain elevated privileges.

Affected Systems

All installations of the Linux kernel that include the idpf driver and have not incorporated the patch introduced by commit 65637c3a1811 are affected. Because the affected code is part of the kernel’s mainline tree, any kernel build prior to that commit remains vulnerable. No explicit version range is provided, so the vulnerability applies to all kernels before the patch, regardless of series.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The flaw manifests only during a failure in the auxiliary device creation path, which typically requires privileged context or control over devices that use the idpf driver. It is inferred that a local attacker with the ability to influence device addition could trigger the vulnerable path and potentially exploit the resulting memory corruption.

Generated by OpenCVE AI on June 29, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes commit 65637c3a1811 to remove the double free and use‑after‑free in the idpf driver.
  • If an immediate kernel upgrade is not possible, disable idpf auxiliary device support the appropriate kernel configuration option or blacklist the module to avoid exercising the vulnerable error path.
  • Regularly monitor vendor advisories for future security updates related to the idpf driver and apply them as soon as they become available.

Generated by OpenCVE AI on June 29, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 26 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: idpf: fix double free and use-after-free in aux device error paths When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree(). Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately. Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.
Title idpf: fix double free and use-after-free in aux device error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:47.210Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53286

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53286 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T13:30:05Z

Weaknesses