Description
In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix double free issue for tx spare buffer

In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure
is created for rollback. However, the tx_spare pointer in the original
ring handle is incorrectly left pointing to the old backup memory.

Later, if memory allocation fails in hns3_init_all_ring() during the setup,
the error path attempts to free all newly allocated rings. Since tx_spare
contains a stale (non-NULL) pointer from the backup, it is mistaken for
a newly allocated buffer and is erroneously freed, leading to a double-free
of the backup memory.

The root cause is that the tx_spare field was not cleared after its value
was saved in tmp_rings, leaving a dangling pointer.

Fix this by setting tx_spare to NULL in the original ring structure
when the creation of the new `tx_spare` fails. This ensures the
error cleanup path only frees genuinely newly allocated buffers.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the hns3 network driver of the Linux kernel. During ring parameter configuration, a temporary copy of the ring structure is created for rollback. The tx_spare pointer in the original ring remains pointing to the old backup memory after a failure during allocation. Later, when the error cleanup path attempts to free newly allocated rings, this stale pointer is mistakenly freed as a new buffer, causing a double free. This results in memory corruption that can be leveraged by a local attacker to achieve arbitrary code execution or crash the kernel, leading to a denial of service.

Affected Systems

All Linux kernel releases that include the hns3 driver are potentially affected. The CPE entry indicates the Linux kernel, and no specific version ranges are provided, so any kernel containing the hns3 driver before the fix is at risk until patched.

Risk and Exploitability

The double‑free flaw can destabilize the kernel and provide a vector for privilege escalation to the attacker. The CVSS score and EPSS metric are not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no widely known exploit. Nevertheless, because the flaw occurs at privileged level, the risk is high for systems that enable the hns3 driver. The attack vector is local; an attacker with access to the affected system or the ability to influence driver configuration needs to trigger the failing path.

Generated by OpenCVE AI on May 27, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel patch that includes the fix for the hns3 double‑free bug
  • Reboot the system after the patch to ensure the driver loads the new code
  • If a patch cannot be applied immediately, consider disabling the hns3 driver or preventing its load on systems where it is not needed to avoid the double‑free path

Generated by OpenCVE AI on May 27, 2026 at 16:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
Title net: hns3: fix double free issue for tx spare buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:02.306Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45891

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.183

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45891

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses