CVE-2026-45891
Awaiting Analysis Awaiting Analysis - Queue
Double Free in Linux Kernel HNS3 Driver

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45891
EUVD
EUVD-2026-32357
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's hns3 network driver, specifically in the function hns3_set_ringparam(). A temporary copy of the ring structure is created for rollback purposes, but the tx_spare pointer in the original ring structure incorrectly continues to point to old backup memory.

If memory allocation fails later during the setup in hns3_init_all_ring(), the error handling code attempts to free all newly allocated rings. Because tx_spare still points to the old backup memory (a stale pointer), it is mistakenly freed again, causing a double-free of the backup memory.

The root cause is that the tx_spare pointer was not cleared (set to NULL) after its value was saved in the temporary copy, leaving a dangling pointer that leads to erroneous double freeing.

The fix involves setting tx_spare to NULL in the original ring structure when the creation of a new tx_spare fails, ensuring that only genuinely newly allocated buffers are freed during error cleanup.

Impact Analysis

This vulnerability can lead to a double-free condition in the Linux kernel's network driver, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting memory corruption.

Because the double-free occurs in kernel memory management, it can compromise the reliability and security of the affected system, potentially leading to denial of service or other security breaches.

Mitigation Strategies

The vulnerability is fixed by ensuring that the tx_spare pointer is set to NULL after its value is saved in the temporary ring structure, preventing a double-free error.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix for the hns3 driver.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart