CVE-2026-45891
Published: May 27, 2026
Modified: May 27, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 907676b130711fd1f627824559e92259db2061d1 - < fb6a4c376d454b425555b1b0bda36e99f56ec307affected 907676b130711fd1f627824559e92259db2061d1 - < 43015461662d41dcfb3bb95fadd8a2a42ad8eacfaffected 907676b130711fd1f627824559e92259db2061d1 - < 6dc10494cfe27b6f1e9adb7e293293ae39c50b7caffected 907676b130711fd1f627824559e92259db2061d1 - < d2c785733dfb853ea0b53984c75662a1af230a94affected 907676b130711fd1f627824559e92259db2061d1 - < fdbccddb7e7822016601829f95de4008e193f7bc+2 more versions |
Linux | Linux | affected 5.14unaffected 0 - < 5.14unaffected 5.15.202 - <= 5.15.*unaffected 6.1.165 - <= 6.1.*unaffected 6.6.128 - <= 6.6.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now