PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23389 Linux CVE debrief

A memory leak vulnerability exists in the Intel Ethernet Connection E800 Series (ice) driver within the Linux kernel. The flaw occurs in the `ice_set_ringparam()` function during ring parameter reconfiguration. When `tx_rings` and `xdp_rings` are successfully allocated but subsequent `rx_rings` allocation or individual Rx ring setup fails, the error handling paths fail to properly free all previously allocated resources. Specifically, if `rx_rings` allocation fails, the code jumps to the `done` label without freeing `tx_rings` or `xdp_rings`. If an individual Rx ring setup fails during the loop, the code jumps to the `free_tx` label which releases `tx_rings` but leaks `xdp_rings`. The fix introduces a `free_xdp` label and updates error paths to ensure both `xdp_rings` and `tx_rings` are properly freed when Rx ring allocation or setup fails. This vulnerability requires local privileges to trigger ring parameter changes and could lead to memory exhaustion over repeated operations, resulting in denial of service. The issue was identified through a prototype static analysis tool and code review, with compile-tested patches provided.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-06-01
Advisory published
2026-03-25
Advisory updated
2026-06-01

Who should care

Linux system administrators operating servers with Intel E800 series (ice) network adapters; kernel maintainers and distribution packagers; security teams monitoring for local privilege-based denial of service conditions in network infrastructure.

Technical summary

The `ice_set_ringparam()` function in the Intel ice Ethernet driver allocates `tx_rings` and `xdp_rings` before `rx_rings`. Two error paths leak memory: (1) when `rx_rings` allocation fails, jumping to `done` leaks both `tx_rings` and `xdp_rings`; (2) when individual Rx ring setup fails, jumping to `free_tx` releases `tx_rings` but leaks `xdp_rings`. The fix adds a `free_xdp` label and corrects jump targets to ensure complete cleanup. Attack requires local privileges (CAP_NET_ADMIN typically) to modify ring parameters via ethtool. Impact is availability degradation through memory exhaustion, not confidentiality or integrity compromise.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your Linux distribution version. Patches are available for multiple stable branches.
  • Monitor kernel memory usage on systems utilizing Intel E800 series (ice) network adapters if patching is delayed.
  • Upgrade to a fixed kernel version: 6.12.81 or later for the 6.12.x branch, 6.18.22 or later for the 6.18.x branch, 6.19.7 or later for the 6.19.x branch, or a fixed 7.0 release candidate or final release.
  • Restrict local access to systems running affected kernels to trusted administrators, as local privileges are required to trigger the vulnerable code path via ethtool ring parameter changes.
  • Review system logs for repeated ethtool ring configuration changes that could indicate exploitation attempts or trigger the memory leak condition.

Evidence notes

The vulnerability description explicitly states the memory leak occurs in `ice_set_ringparam()` when `rx_rings` allocation fails (leaking both `tx_rings` and `xdp_rings`) or when individual Rx ring setup fails (leaking `xdp_rings` via the `free_tx` label). The fix introduces a `free_xdp` label for proper cleanup. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with low complexity and low privileges required, resulting in high availability impact. CWE-401 (Missing Release of Memory after Effective Lifetime) is the assigned weakness. Multiple stable kernel patches are referenced. CPE criteria indicate affected versions from 4.17 through 6.12.80, 6.13 through 6.18.21, 6.19 through 6.19.6, and 7.0-rc1 through 7.0-rc7.

Official resources

2026-03-25T11:16:39.440Z