Skip to main content

Linux CVE-2026-23306

| EUVDEUVD-2026-15246 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-m6g2-mpp7-vr6r
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
3.1 LOW
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15246
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.

In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.

AnalysisAI

A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's pm8001 driver (cpe:2.3:a:linux:linux), which implements the Adaptec PMC-Sierra PM8001 SCSI HBA (Host Bus Adapter) controller support. The root cause is classified as a use-after-free defect (CWE-416) introduced in commit e29c47fe8946, where a refactoring of pm8001_queue_command() changed error handling in the device-gone/phy-down code path. When this condition occurs, the function calls task_done() to signal completion and free the SAS task structure, but then returns -ENODEV to the caller. The upper-layer libsas driver (specifically sas_ata_qc_issue()) interprets this error code as indicating the task was never queued and attempts cleanup, resulting in a double-free of the same memory region. This is a memory safety defect in kernel space affecting the SCSI subsystem's ATA integration.

RemediationAI

Apply kernel updates that include the fix for pm8001 use-after-free. The patches are available in the Linux stable kernel trees at the following commits: ebbb852ffbc952b95ddb7e3872b67b3e74c6da47, 8b00427317ba7b7ec91252b034009f638d0f311b, c5dc39f8ae055520fd778b7fb0423f11586f15c4, 824a7672e3540962d5c77d4c6666254d7aa6f0b3, 227ff4af00abc40b95123cc27ee8079069dcd8d7, and 38353c26db28efd984f51d426eac2396d299cca7 (visible at https://git.kernel.org/stable/). Upgrade your Linux kernel to a version containing one of these patches. For immediate mitigation on production systems, avoid phy-down or device removal conditions by ensuring stable SAS controller operation and firmware updates. If PM8001 controller use is non-critical, disabling the driver module (modprobe -r pm8001) will prevent the vulnerability from being triggered.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy