CVE-2026-23306
Published: March 26, 2026Last modified: April 9, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Fixed (6.1.167-r0) |
| 25 LTS | linux-lts | Fixed (6.12.80-r0) | |
| Stream | linux-lts | Fixed (6.12.80-r0) |
References
- https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7
- https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7
- https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3
- https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b
- https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4
- https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47