Skip to main content

Linux Kernel qla2xxx CVE-2026-43414

| EUVDEUVD-2026-28720 CRITICAL
Double Free (CWE-415)
2026-05-08 Linux GHSA-qm6r-96cc-q36w
Critical
Disputed · 9.8 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 08:34 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.

AnalysisAI

Double-free vulnerability in Linux kernel's qla2xxx SCSI driver allows remote code execution or denial of service through malformed Fibre Channel ELS commands. The qla24xx_els_dcmd_iocb() function incorrectly frees fcport structures twice during error handling - once via kref_put() calling qla2x00_els_dcmd_sp_free(), then again explicitly afterward. Despite the CVSS:3.1/AV:N score of 9.8, the network vector appears to reflect the driver's network-facing nature (Fibre Channel over IP or similar) rather than internet-accessible exploitation. EPSS score of 0.02% (5th percentile) indicates extremely low observed exploitation probability. Patches available across multiple stable kernel branches (6.9+, 6.19.9+, 7.0+) per upstream commits.

Technical ContextAI

The qla2xxx driver manages QLogic Fibre Channel Host Bus Adapters in Linux, handling SCSI commands over FC fabric. The vulnerability resides in Extended Link Service (ELS) Distributed Command (DCMD) IOCB handling. In qla24xx_els_dcmd_iocb(), the function pointer sp->free is assigned to qla2x00_els_dcmd_sp_free(). When errors occur, the kernel's reference counting mechanism (kref_put) automatically invokes this free function when the last reference is released, which internally calls qla2x00_free_fcport() to deallocate the fcport structure. The bug manifests when code paths subsequently attempt to free the same fcport again after kref_put() has already released it. This is a classic use-after-free/double-free vulnerability (though no specific CWE is assigned, this matches CWE-415: Double Free). The affected CPE indicates vulnerability across multiple Linux kernel versions, specifically in commits between 4895009c4bb7 and d48ea85463f5, with patches introduced in commits c0b7da13a04b and d48ea85463f5.

RemediationAI

Apply vendor-released kernel patches immediately for systems using QLogic Fibre Channel HBAs. Patch version 7.0, 6.19.9, or commits d48ea85463f5b34f7b92ea0a13eddf1ab993da7b and c0b7da13a04bd70ef6070bfb9ea85f582294560a eliminate the double-free condition in qla2x00_els_dcmd_sp_free(). Upgrade to patched kernel versions through distribution channels (Red Hat, SUSE, Ubuntu, Debian) which backport fixes to stable branches. Patch references available at https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b and https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a. Compensating controls if patching is delayed: isolate Fibre Channel storage networks using physical segmentation or VLANs to prevent unauthorized access to FC fabric, restrict FC zone configurations to allow only authorized initiator-target pairs, monitor FC switch logs for unusual ELS frame patterns, disable unused FC ports on HBAs and switches. These mitigations reduce attack surface but do not eliminate the vulnerability - kernel memory corruption could still occur from legitimate but malformed frames. Side effects: Network segmentation may complicate SAN management workflows; monitoring adds operational overhead. Production kernel upgrades require maintenance windows and testing in staging environments first.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy