Bug 2425046 (CVE-2025-68741) - CVE-2025-68741 kernel: scsi: qla2xxx: Fix improper freeing of purex item
Summary: CVE-2025-68741 kernel: scsi: qla2xxx: Fix improper freeing of purex item
Keywords:
Status: NEW
Alias: CVE-2025-68741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-24 13:04 UTC by OSIDB Bzimport
Modified: 2026-05-27 01:42 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:10996 0 None None None 2026-04-27 18:02:15 UTC
Red Hat Product Errata RHSA-2026:14339 0 None None None 2026-05-06 20:41:03 UTC
Red Hat Product Errata RHSA-2026:19568 0 None None None 2026-05-20 12:57:32 UTC
Red Hat Product Errata RHSA-2026:19569 0 None None None 2026-05-20 12:15:45 UTC
Red Hat Product Errata RHSA-2026:21209 0 None None None 2026-05-27 01:42:45 UTC
Red Hat Product Errata RHSA-2026:8921 0 None None None 2026-04-20 09:04:41 UTC
Red Hat Product Errata RHSA-2026:9131 0 None None None 2026-04-20 21:01:40 UTC
Red Hat Product Errata RHSA-2026:9135 0 None None None 2026-04-20 20:55:46 UTC
Red Hat Product Errata RHSA-2026:9264 0 None None None 2026-04-21 12:49:09 UTC

Description OSIDB Bzimport 2025-12-24 13:04:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix improper freeing of purex item

In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().

The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().

An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.

Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
Comment 1 Alexander B 2025-12-25 06:30:46 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122415-CVE-2025-68741-894a@gregkh/T
Comment 10 errata-xmlrpc 2026-04-20 09:04:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:8921 https://access.redhat.com/errata/RHSA-2026:8921
Comment 11 errata-xmlrpc 2026-04-20 20:55:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:9135 https://access.redhat.com/errata/RHSA-2026:9135
Comment 12 errata-xmlrpc 2026-04-20 21:01:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:9131 https://access.redhat.com/errata/RHSA-2026:9131
Comment 13 errata-xmlrpc 2026-04-21 12:49:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:9264 https://access.redhat.com/errata/RHSA-2026:9264
Comment 15 errata-xmlrpc 2026-04-27 18:01:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:10996 https://access.redhat.com/errata/RHSA-2026:10996
Comment 16 errata-xmlrpc 2026-05-06 20:41:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:14339 https://access.redhat.com/errata/RHSA-2026:14339
Comment 17 errata-xmlrpc 2026-05-20 12:15:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569
Comment 18 errata-xmlrpc 2026-05-20 12:57:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568
Comment 20 errata-xmlrpc 2026-05-27 01:42:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:21209 https://access.redhat.com/errata/RHSA-2026:21209
Note You need to log in before you can comment on or make changes to this bug.