PatchSiren

CVE-2026-46162 Linux CVE debrief

A double-free vulnerability exists in the Linux kernel's Intel Ethernet Connection (ice) driver, specifically within the `ice_sf_eth_activate()` function. The flaw occurs in the error handling path when `auxiliary_device_add()` fails. The function calls `auxiliary_device_uninit()`, which triggers `ice_sf_dev_release()` to free the `sf_dev` structure. However, the error path continues to `sf_dev_free` and calls `kfree(sf_dev)` again, resulting in a double-free condition. This vulnerability could lead to memory corruption, system instability, or potential privilege escalation. The issue affects kernel versions where the ice driver's subfunction (SF) Ethernet activation logic is present. Patches have been committed to stable kernel branches to fix the error path flow, ensuring that `kfree(sf_dev)` is only called for `auxiliary_device_init()` failures and not after `auxiliary_device_uninit()` has already released the device.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with Intel E810 series Ethernet controllers using subfunction (SF) features; cloud providers and data centers utilizing SR-IOV or similar virtualization features on Intel NICs; kernel maintainers and distribution security teams responsible for ice driver packaging.

Technical summary

The vulnerability is a classic double-free bug in error handling code. In `ice_sf_eth_activate()`, when `auxiliary_device_add()` fails, the function jumps to the `aux_dev_uninit` label and calls `auxiliary_device_uninit(&sf_dev->adev)`. This uninit call triggers the release callback `ice_sf_dev_release()`, which frees `sf_dev`. The problematic code then falls through to the `sf_dev_free` label and calls `kfree(sf_dev)` again. The fix separates the cleanup paths: `kfree(sf_dev)` is retained only for the `auxiliary_device_init()` failure path, while the `auxiliary_device_add()` failure path avoids the second free by not falling through to `sf_dev_free`.
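
The two cleanup paths described above, as a userspace C model (an added example, not the kernel source or the upstream patch). The `mock_*` helpers, `tracked_kfree()` and the `fixed` flag are assumptions made for illustration; frees are counted rather than performed, so the second free is observable without corrupting memory.

```c
/* Userspace model of the error path; added example, not kernel code.
 * All mock_* names and tracked_kfree() are hypothetical stand-ins. */
#include <stdio.h>

struct mock_adev { void (*release)(struct mock_adev *); };
struct mock_sf_dev { struct mock_adev adev; int frees; }; /* adev is first */

/* Stand-in for kfree(): records the call instead of releasing memory. */
static void tracked_kfree(struct mock_sf_dev *p) { p->frees++; }

/* Models ice_sf_dev_release(): the release callback owns the free. */
static void mock_release(struct mock_adev *a) { tracked_kfree((struct mock_sf_dev *)a); }

/* Models auxiliary_device_init(): on failure no release callback is armed,
 * so the caller still owns sf_dev and must free it. */
static int mock_init(struct mock_adev *a, int fail)
{
    if (fail) return -1;
    a->release = mock_release;
    return 0;
}
static int mock_add(int fail) { return fail ? -1 : 0; }
/* Models auxiliary_device_uninit(): dropping the reference runs release(). */
static void mock_uninit(struct mock_adev *a) { a->release(a); }

/* Returns how many times sf_dev was freed during one activation attempt.
 * fixed == 0: fall-through error path described for the vulnerable code.
 * fixed == 1: add-failure path returns after uninit, as the fix describes. */
static int activate(int fail_init, int fail_add, int fixed)
{
    struct mock_sf_dev dev = {0}, *sf_dev = &dev;

    if (mock_init(&sf_dev->adev, fail_init)) goto sf_dev_free;
    if (mock_add(fail_add)) goto aux_dev_uninit;
    mock_uninit(&sf_dev->adev);       /* success case: later teardown frees once */
    return sf_dev->frees;
aux_dev_uninit:
    mock_uninit(&sf_dev->adev);       /* release callback frees sf_dev here */
    if (fixed) return sf_dev->frees;  /* fix: never reach sf_dev_free from here */
sf_dev_free:
    tracked_kfree(sf_dev);            /* correct only when init itself failed */
    return sf_dev->frees;
}

int main(void)
{
    printf("add fails, vulnerable path: %d frees\n", activate(0, 1, 0));
    printf("add fails, fixed path:      %d frees\n", activate(0, 1, 1));
    printf("init fails, either path:    %d frees\n", activate(1, 0, 1));
    return 0;
}
```

Any count above one on a single object marks an ownership conflict between the release callback and the caller's cleanup label, which is the pattern to look for when reviewing other `auxiliary_device_init()` / `auxiliary_device_add()` error paths.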

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches (6.1, 6.6, 6.12, 6.14) once available through distribution security updates
  • Monitor distribution security advisories for ice driver package updates
  • If running affected kernel versions with Intel E810 series NICs using subfunctions, prioritize patching due to potential for memory corruption
  • Review system logs for any ice driver-related errors that may indicate trigger conditions
  • Consider disabling unused subfunction features if not required as a temporary risk reduction measure

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details derived from kernel commit messages describing the double-free condition in `ice_sf_eth_activate()`. Multiple stable kernel branch commits identified (6.1, 6.6, 6.12, 6.14). No CVSS score or severity assigned by NVD at time of disclosure (status: Awaiting Analysis).
