Skip to main content

Linux Kernel CVE-2026-45891

| EUVDEUVD-2026-32357 HIGH
Double Free (CWE-415)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h6g2-742c-p38f
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local CAP_NET_ADMIN gives PR:L; AC:H because the double-free needs an allocation failure the attacker cannot reliably force; impact is primarily DoS (A:H) with no confidentiality loss.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 23:33 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix double free issue for tx spare buffer

In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory.

Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory.

The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer.

Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new tx_spare fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.

AnalysisAI

Local privilege-holder denial of service (and potential kernel memory corruption) in the Linux kernel's HiSilicon hns3 network driver allows a user with CAP_NET_ADMIN to trigger a double-free of the tx_spare backup buffer. The flaw lives in hns3_set_ringparam(), where a temporary ring copy is made for rollback but the original ring's tx_spare pointer is left dangling; if a subsequent allocation in hns3_init_all_ring() fails, the error path frees the stale pointer twice (CWE-415). EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable trees.

Technical ContextAI

The affected component is the hns3 Ethernet driver (drivers/net/ethernet/hisilicon/hns3) that supports HiSilicon/Huawei network interface controllers found on Kunpeng/Hi16xx ARM64 platforms. The bug is exercised through the ethtool 'set ringparam' operation (hns3_set_ringparam), which reconfigures TX/RX ring sizes at runtime. To support rollback on failure, the driver copies the live ring structures into a temporary array (tmp_rings); however the tx_spare pointer in the original ring handle continued to reference the old backup memory after that memory ownership had logically moved to the copy. When a later allocation in hns3_init_all_ring() fails, the cleanup loop walks all rings and frees buffers it believes were newly allocated, freeing the stale tx_spare a second time. This is a classic CWE-415 Double Free arising from incomplete pointer ownership transfer (the source pointer was not NULLed after its value was preserved elsewhere). The CPE data identifies only cpe:2.3:o:linux:linux_kernel as affected, with no userland package - confirming this is a kernel-space defect.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.1.165, 5.15.202, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or mainline 7.0 (or your distribution's backport carrying the equivalent fix), which sets tx_spare to NULL in the original ring after the new tx_spare allocation fails so the cleanup path only frees genuinely new buffers. The corresponding upstream commits are at https://git.kernel.org/stable/c/6dc10494cfe27b6f1e9adb7e293293ae39c50b7c (and siblings fb6a4c376d45, 43015461662d, 6d2f142b1e4b, c3659273860b, d2c785733dfb, fdbccddb7e78); track distro advisories via the NVD reference above. If immediate patching is not possible, the practical compensating control is to restrict who can change NIC ring parameters: limit or drop CAP_NET_ADMIN for untrusted users/containers and avoid granting unprivileged namespaces network-admin capability, since the trigger is the ethtool set-ringparam path - the trade-off is that operators legitimately needing to tune ring sizes (e.g. for throughput tuning) will lose that ability. Systems that do not use HiSilicon hns3 NICs are not affected and need no action beyond normal patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy