7.8
CVE-2026-45891
- EPSS 0.13%
- Veröffentlicht 27.05.2026 12:17:02
- Zuletzt bearbeitet 25.06.2026 21:11:03
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net: hns3: fix double free issue for tx spare buffer
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.14 < 5.15.202
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.14
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.029 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-415 Double Free
The product calls free() twice on the same memory address.
https://git.kernel.org/stable/c/fb6a4c376d454b425555b1b0bda36e99f56ec307
https://git.kernel.org/stable/c/43015461662d41dcfb3bb95fadd8a2a42ad8eacf
https://git.kernel.org/stable/c/6dc10494cfe27b6f1e9adb7e293293ae39c50b7c
https://git.kernel.org/stable/c/d2c785733dfb853ea0b53984c75662a1af230a94
https://git.kernel.org/stable/c/fdbccddb7e7822016601829f95de4008e193f7bc
https://git.kernel.org/stable/c/c3659273860bed0c8e573b865e3769abc51225a8
https://git.kernel.org/stable/c/6d2f142b1e4b203387a92519d9d2e34752a79dbb