HIGH 7.8

CVE-2026-46162

A flaw in the Linux kernel's ice (Intel ice) network driver creates a double-free memory corruption condition in the auxiliary device activation error handler. When the driver attempts to activate a subfunction Ethernet device but the operation fails partway through, the error handling code frees the same memory region twice, corrupting the kernel heap. An attacker with local access and unprivileged user privileges can trigger this condition to escalate privileges or crash the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-415
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ice: fix double free in ice_sf_eth_activate() error path When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev). The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free. Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46162 is a use-after-free/double-free vulnerability in the ice driver's ice_sf_eth_activate() function. The vulnerable code path occurs when auxiliary_device_add() fails during subfunction device initialization. The error handler calls auxiliary_device_uninit(), which invokes the device release callback ice_sf_dev_release() to free the sf_dev structure. However, the code then falls through to the sf_dev_free label and calls kfree(sf_dev) a second time on already-freed memory. The fix ensures that after auxiliary_device_uninit() is called, the function returns without executing the redundant kfree(), while preserving the kfree() call for the auxiliary_device_init() failure path where the structure has not yet been freed by a release callback.

Business impact

This memory corruption vulnerability can lead to kernel denial of service or privilege escalation from unprivileged local user context. For organizations running Intel-based Linux systems with ice driver support, exploitation could enable lateral movement, data exfiltration, or system takeover by a malicious local user. In containerized or multi-tenant environments, this becomes a container escape vector. The fix is critical for maintaining confidentiality, integrity, and availability of affected systems.

Affected systems

Linux kernel systems using the ice network driver, particularly Intel-based platforms with ice Ethernet adapters. The vulnerability affects the kernel's ice driver component, which is included in standard upstream Linux distributions. Specific affected kernel versions should be verified against vendor advisories; the fix addresses the generic error path and should apply across recent stable and long-term support kernel branches.

Exploitability

Exploitability is moderate to high. The vulnerability requires local user-level access (unprivileged) but does not require administrator or root privileges. Triggering the condition depends on initiating a subfunction Ethernet device activation that fails at the auxiliary_device_add() stage, which may require specific hardware or driver configuration. No public exploit code is known at this time, but the root cause is straightforward and an in-memory corruption primitive could be weaponized by a capable attacker. The local-only attack vector and requirement for user-level execution lower the immediate blast radius compared to network-exploitable flaws.

Remediation

Apply the kernel patch that prevents the double-free by restructuring the error path: ensure auxiliary_device_uninit() exits without falling through to sf_dev_free. Verify the patch version against vendor advisories or upstream kernel repositories. For organizations unable to patch immediately, restrict unprivileged user access to ice driver subfunction operations via SELinux or AppArmor policies if supported, though this is a temporary measure. Long-term, all affected kernel versions must be updated to versions containing this fix.

Patch guidance

Identify your Linux kernel version and distribution via 'uname -r' and 'cat /etc/os-release'. Check vendor advisories for your specific distribution (Red Hat, Debian, Ubuntu, SUSE, etc.) for patched kernel versions and availability via package management. Verify that the patched kernel includes the ice driver fix by reviewing the patch note or commit message. Test the patch in a non-production environment before production rollout to ensure driver stability and hardware compatibility with your ice adapters.

Detection guidance

Monitor kernel logs and crash dumps for heap corruption signatures, use-after-free errors, or ice driver errors during subfunction initialization. Kernel Address Sanitizer (KASAN) or other memory debugging tools will reliably trigger and report the double-free if the system is compiled with debug symbols. In production, observe for unexpected system crashes, kernel oopses, or process failures correlated with ice driver operations. Track ice driver status and error rates via syslog or kernel tracing (e.g., 'trace-cmd' or 'perf') to detect triggering events.

Why prioritize this

This vulnerability rates HIGH priority due to its CVSS 3.1 score of 7.8, driven by high confidentiality, integrity, and availability impact accessible from a local unprivileged context. While it requires local access, the escalation path and kernel memory corruption severity make it critical for any organization running ice driver systems. It is not yet in CISA KEV, meaning fewer targeted exploits exist in the wild, making proactive patching feasible before mainstream weaponization.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects: Local attack vector (AV:L) — unprivileged user can trigger via local execution; Low complexity (AC:L) — no special conditions beyond local presence; Low privileges required (PR:L) — unprivileged user context suffices; No user interaction (UI:N) — can be automated; Unchanged scope (S:U) — impacts only the kernel; High confidentiality, integrity, and availability impact (C:H, I:H, A:H) — memory corruption enables privilege escalation and system compromise. The score appropriately reflects the severity of kernel heap corruption with local exploitation.

Frequently asked questions

Does this vulnerability require root or administrator privileges to exploit?

No. The vulnerability can be triggered by any unprivileged local user with the ability to execute code or issue device operations on the system. This makes it attractive to attackers seeking privilege escalation from a foothold on the system.

Is this vulnerability currently being actively exploited in the wild?

No public evidence of active exploitation exists as of the CVE publication date. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the straightforward root cause means a capable attacker could weaponize it once details are widely known.

What systems are most at risk?

Linux servers and workstations equipped with Intel ice Ethernet network adapters, particularly in data center or multi-tenant environments. Virtual machines or containers running on hosts with ice drivers are also vulnerable if the kernel inside the container is affected. Verify your kernel version and driver presence via 'ethtool -i ethX' or modprobe queries.

Can this vulnerability be exploited remotely?

No. This is strictly a local vulnerability. An attacker must have local code execution capability on the affected system. Remote exploitation is not possible, but it remains a serious privilege escalation and system compromise vector for attackers who have already gained initial system access.

This analysis is provided for informational purposes only and does not constitute legal or professional security advice. CVSS scores and severity assessments are derived from official CVE records and should be validated independently. Patch availability, version numbers, and timelines vary by Linux distribution; consult your vendor's official advisories. SEC.co does not provide exploit code or weaponization guidance. Organizations should test patches in non-production environments before deployment and maintain incident response procedures for potential compromise scenarios. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46129HIGH

    CVE-2026-46129: Linux Kernel Btrfs Double-Free Memory Corruption – Privilege Escalation

  • CVE-2026-46164HIGH

    CVE-2026-46164: Linux Btrfs Double-Free Kernel Vulnerability – Patch Guidance

  • CVE-2026-44422HIGH

    CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)