net: hns3: fix double free issue for tx spare buffer

Summary

CVE	CVE-2026-45891
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:03 UTC
Updated	2026-05-27 14:48:31 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.073320000 (date 2026-06-01)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 fb6a4c376d454b425555b1b0bda36e99f56ec307 git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 43015461662d41dcfb3bb95fadd8a2a42ad8eacf git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 6dc10494cfe27b6f1e9adb7e293293ae39c50b7c git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 d2c785733dfb853ea0b53984c75662a1af230a94 git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 fdbccddb7e7822016601829f95de4008e193f7bc git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 c3659273860bed0c8e573b865e3769abc51225a8 git	Not specified
CNA	Linux	Linux	affected 907676b130711fd1f627824559e92259db2061d1 6d2f142b1e4b203387a92519d9d2e34752a79dbb git	Not specified
CNA	Linux	Linux	affected 5.14	Not specified
CNA	Linux	Linux	unaffected 5.14 semver	Not specified
CNA	Linux	Linux	unaffected 5.15.202 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.165 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.128 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.75 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.14 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.4 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/fb6a4c376d454b425555b1b0bda36e99f56ec307	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d2c785733dfb853ea0b53984c75662a1af230a94	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c3659273860bed0c8e573b865e3769abc51225a8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fdbccddb7e7822016601829f95de4008e193f7bc	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6d2f142b1e4b203387a92519d9d2e34752a79dbb	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6dc10494cfe27b6f1e9adb7e293293ae39c50b7c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/43015461662d41dcfb3bb95fadd8a2a42ad8eacf	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.