Bug 2451240 (CVE-2026-23306) - CVE-2026-23306 kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Summary: CVE-2026-23306 kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_comma...
Keywords:
Status: NEW
Alias: CVE-2026-23306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-25 11:06 UTC by OSIDB Bzimport
Modified: 2026-03-25 14:01 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:06:32 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.

In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.
Comment 1 Alexander B 2026-03-25 13:57:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23306-8854@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.