Bug 2482184 (CVE-2026-45891) - CVE-2026-45891 kernel: net: hns3: fix double free issue for tx spare buffer
Summary: CVE-2026-45891 kernel: net: hns3: fix double free issue for tx spare buffer
Keywords:
Status: NEW
Alias: CVE-2026-45891
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:15 UTC by OSIDB Bzimport
Modified: 2026-05-28 02:54 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:15:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix double free issue for tx spare buffer

In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure
is created for rollback. However, the tx_spare pointer in the original
ring handle is incorrectly left pointing to the old backup memory.

Later, if memory allocation fails in hns3_init_all_ring() during the setup,
the error path attempts to free all newly allocated rings. Since tx_spare
contains a stale (non-NULL) pointer from the backup, it is mistaken for
a newly allocated buffer and is erroneously freed, leading to a double-free
of the backup memory.

The root cause is that the tx_spare field was not cleared after its value
was saved in tmp_rings, leaving a dangling pointer.

Fix this by setting tx_spare to NULL in the original ring structure
when the creation of the new `tx_spare` fails. This ensures the
error cleanup path only frees genuinely newly allocated buffers.
Comment 1 Keith Grant 2026-05-28 02:53:43 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052717-CVE-2026-45891-8561@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.