216.73.216.233

CVE-2026-45891

· Published 27/05/2026 16:17 · Author: The MITRE Corporation

Labels: CVE-2026-45891 2026-05-27416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2026-45891

Essential information

Published
27/05/2026 16:17
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CWE-415
EPSS (First)
P6.9% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00173)
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.

NVD status

NVD
View on NVD