PatchSiren

CVE-2026-45891 Linux CVE debrief

A double-free vulnerability exists in the Linux kernel's HNS3 (HiSilicon Network Subsystem 3) Ethernet driver. The flaw occurs in `hns3_set_ringparam()` when ring parameters are modified. During this operation, a temporary copy of the ring structure (`tmp_rings`) is created for rollback purposes, but the `tx_spare` pointer in the original ring structure is not cleared after being saved. If a subsequent memory allocation fails in `hns3_init_all_ring()`, the error cleanup path incorrectly treats this stale pointer as a newly allocated buffer and frees it, resulting in a double-free of the backup memory. This vulnerability could lead to kernel memory corruption and potential privilege escalation. The issue was resolved by setting `tx_spare` to NULL in the original ring structure when the new allocation fails, ensuring that cleanup only frees legitimately allocated buffers.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with HiSilicon HNS3 network adapters, cloud providers offering instances with HNS3 networking, and administrators managing kernel networking configurations.

Technical summary

The HNS3 driver in the Linux kernel contains a double-free vulnerability in the ring parameter configuration path. When `hns3_set_ringparam()` creates a temporary backup of the ring structures, it does not set the `tx_spare` pointer in the original structure to NULL after saving its value. During error handling in `hns3_init_all_ring()`, this dangling pointer causes the cleanup code to free the backup memory, so the same buffer ends up freed twice. The fix ensures `tx_spare` is set to NULL when the new allocation fails, preventing the erroneous double-free.
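
The stale-pointer pattern described above, as an added user-space model (not the kernel's hns3 code and not part of the original advisory). The struct layout, the function names and the release counter that stands in for `kfree()` are assumptions made for illustration; the model also assumes that failing to create the new `tx_spare` is non-fatal and that a later allocation failure triggers the unwind.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model. Struct layout and function names are
 * hypothetical stand-ins, not the kernel's hns3 code. */
struct spare { int frees; };           /* counts releases of one buffer */
struct ring  { struct spare *tx_spare; };

/* Stand-in for kfree(): record the release instead of really freeing. */
static void release_spare(struct spare *s) { if (s) s->frees++; }

/* Creating the new tx_spare fails (constructed failure, non-fatal). */
static void init_tx_spare(struct ring *r, int fixed)
{
    struct spare *new_spare = NULL;    /* simulated allocation failure */

    if (!new_spare && fixed)
        r->tx_spare = NULL;            /* fix: drop the stale pointer */
    else if (new_spare)
        r->tx_spare = new_spare;
    /* vulnerable: r->tx_spare still points at the backup's buffer */
}

/* A later allocation fails, so the error path unwinds ring 0. */
static int init_all_ring(struct ring *rings, int fixed)
{
    init_tx_spare(&rings[0], fixed);
    release_spare(rings[0].tx_spare);  /* assumed to be newly allocated */
    rings[0].tx_spare = NULL;
    return -1;                         /* simulated -ENOMEM */
}

/* Returns how many times the original tx_spare buffer was released. */
int set_ringparam_model(int fixed)
{
    struct spare old = { 0 };
    struct ring rings[1] = { { &old } }, tmp_rings[1];

    memcpy(tmp_rings, rings, sizeof(rings));      /* backup for rollback */
    if (init_all_ring(rings, fixed) < 0)
        memcpy(rings, tmp_rings, sizeof(rings));  /* roll back */
    release_spare(rings[0].tx_spare);             /* later teardown */
    return old.frees;
}

int main(void)
{
    printf("vulnerable: %d release(s)\n", set_ringparam_model(0));
    printf("fixed:      %d release(s)\n", set_ringparam_model(1));
    return 0;
}
```

With the pointer left stale, the error path and the later teardown each release the same buffer; with the pointer cleared, only the teardown does.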

Defensive priority

Medium

Recommended defensive actions

  • Apply kernel updates containing the fix commits when available from your Linux distribution
  • Monitor vendor security advisories for patched kernel versions
  • If running systems with HNS3 network adapters, prioritize kernel updates to prevent potential memory corruption
  • Review system logs for unexpected kernel panics or crashes related to network interface reconfiguration

Evidence notes

Vulnerability description sourced from official CVE record published 2026-05-27. Root cause identified as stale pointer in HNS3 driver ring parameter handling. Fix confirmed through kernel.org stable tree commits. No CVSS score or severity assigned by NVD at time of disclosure.
