Description
In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix double free issue for tx spare buffer

In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure
is created for rollback. However, the tx_spare pointer in the original
ring handle is incorrectly left pointing to the old backup memory.

Later, if memory allocation fails in hns3_init_all_ring() during the setup,
the error path attempts to free all newly allocated rings. Since tx_spare
contains a stale (non-NULL) pointer from the backup, it is mistaken for
a newly allocated buffer and is erroneously freed, leading to a double-free
of the backup memory.

The root cause is that the tx_spare field was not cleared after its value
was saved in tmp_rings, leaving a dangling pointer.

Fix this by setting tx_spare to NULL in the original ring structure
when the creation of the new `tx_spare` fails. This ensures the
error cleanup path only frees genuinely newly allocated buffers.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the hns3 network driver of the Linux kernel. During ring parameter configuration, a temporary copy of the ring structure is created for rollback. The tx_spare pointer in the original ring remains pointing to the old backup memory after a failure during allocation. Later, when the error cleanup path attempts to free newly allocated rings, this stale pointer is mistakenly freed as a new buffer, causing a double‑free. This double‑free flaw, classified as CWE‑825, leads to memory corruption in the kernel.

Affected Systems

All Linux kernel releases that include the hns3 driver are potentially affected. The CPE entry indicates the Linux kernel, and no specific version ranges are provided, so any kernel containing the hns3 driver before the fix is at risk until patched.

Risk and Exploitability

The CVSS score is 5.5. The EPSS score is &lt; 1%. The vulnerability is not listed in CISA's KEV catalog. This double‑free flaw can lead to memory corruption in the Linux kernel. Based on the fact that the flaw occurs at privileged kernel level, it is inferred that exploitation would require an attacker with local access to the system.

Generated by OpenCVE AI on May 28, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that includes the fix for the hns3 double‑free bug
  • Reboot the system after the patch to ensure the driver loads the new code
  • If a patch cannot be applied immediately, consider disabling the hns3 driver or preventing its load on systems where it is not needed to avoid the double‑free path

Generated by OpenCVE AI on May 28, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
Title net: hns3: fix double free issue for tx spare buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:02.306Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45891

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.183

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45891

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45891 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference