CVE Catalog

CVE-2026-53286

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

In the Linux kernel's idpf driver, a vulnerability causes double free and use-after-free in auxiliary device error paths. When auxiliary_device_add() fails, the error handling code incorrectly falls through, freeing the same iadev structure twice and accessing freed memory.

Risk Assessment

This vulnerability can cause kernel panics or potential privilege escalation due to uncontrolled kernel memory access. Organizations risk system instability on servers using the idpf driver (e.g., Intel network adapters).

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 65637c3a1811 and additional error path corrections). Monitor your distribution for a patch and apply it as a priority.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: idpf: fix double free and use-after-free in aux device error paths When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree(). Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately. Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS