{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23306", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:27:01.719Z", "dateUpdated": "2026-05-11T22:04:19.984Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:19.984Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "ebbb852ffbc952b95ddb7e3872b67b3e74c6da47", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "8b00427317ba7b7ec91252b034009f638d0f311b", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "c5dc39f8ae055520fd778b7fb0423f11586f15c4", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "824a7672e3540962d5c77d4c6666254d7aa6f0b3", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "227ff4af00abc40b95123cc27ee8079069dcd8d7", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "38353c26db28efd984f51d426eac2396d299cca7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}, {"url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}], "title": "scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nscsi: pm8001: Correcci\u00f3n de uso despu\u00e9s de liberaci\u00f3n en pm8001_queue_command()\n\nEl commit e29c47fe8946 ('scsi: pm8001: Simplificar pm8001_task_exec()') refactoriza pm8001_queue_command(), sin embargo, introduce una causa potencial de un escenario de doble liberaci\u00f3n cuando cambia la funci\u00f3n para que devuelva -ENODEV en caso de estado de phy inactivo/dispositivo desaparecido.\n\nEn esta ruta, pm8001_queue_command() actualiza el estado de la tarea y llama a task_done para indicar a la capa superior que la tarea ha sido gestionada. Sin embargo, esto tambi\u00e9n libera la tarea SAS subyacente. Entonces se devuelve un -ENODEV al llamador. Cuando libsas sas_ata_qc_issue() recibe este valor de error, asume que la tarea no fue gestionada/enviada a la cola por LLDD y procede a limpiar y liberar la tarea de nuevo, resultando en una doble liberaci\u00f3n.\n\nDado que pm8001_queue_command() gestiona la tarea SAS en este caso, deber\u00eda devolver 0 al llamador indicando que la tarea ha sido gestionada."}], "id": "CVE-2026-23306", "lastModified": "2026-04-02T15:16:30.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:26.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "id": "2451240", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451240"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["A flaw was found in the Linux kernel, specifically within the `pm8001` SCSI driver and the `libsas` library. An incorrect return value in the `pm8001_queue_command()` function, when a physical device is down or gone, can lead to a double free vulnerability. This occurs because the function frees a Serial Attached SCSI (SAS) task but then returns an error, causing the `libsas` layer to attempt to free the same task again. This double free can result in system instability or a denial of service (DoS)."], "name": "CVE-2026-23306", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23306\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23306\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23306-8854@gregkh/T"], "statement": "This flaw affects systems using PMC-Sierra PM8001 SAS/SATA host bus adapters. The double-free occurs when a device goes offline during command processing. The incorrect return value causes libsas to free an already-freed task structure. While primarily a DoS issue, double-free vulnerabilities can potentially be exploited for code execution in some circumstances.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,ebbb852ffbc952b95ddb7e3872b67b3e74c6da47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,8b00427317ba7b7ec91252b034009f638d0f311b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,c5dc39f8ae055520fd778b7fb0423f11586f15c4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,824a7672e3540962d5c77d4c6666254d7aa6f0b3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,227ff4af00abc40b95123cc27ee8079069dcd8d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,38353c26db28efd984f51d426eac2396d299cca7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T23:22:42.005401+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the pm8001_queue_command fix (commit e29c47f).", "Verify that the patched kernel is active on all affected systems by checking the kernel version or confirming that the pm8001 driver is loaded.", "If an immediate kernel upgrade cannot be performed, consider disabling unused pm8001 devices or unloading the pm8001 driver until the patch is applied.", "Monitor system logs for kernel panic, OOPS, or BUG messages related to scsi_pm8001 to confirm the issue has been resolved."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any Linux distribution that runs a kernel containing the unpatched pm8001 driver is affected. The CNA does not provide a specific kernel version range, so all kernel releases older than the commit that introduced the fix are potentially vulnerable. No vendor\u2011specific distribution information is provided, so the impact applies broadly to Linux systems with pm8001 devices.", "description_and_impact": "The Linux kernel\u2019s pm8001 SCSI driver contains a use\u2011after\u2011free bug that can trigger a double\u2011free when a target device is reported as offline or removed. The driver frees the underlying SAS task, returns -ENODEV to the caller, and libsas subsequently frees the same task again. This double\u2011free can corrupt kernel memory and cause a crash, resulting in a denial of service and loss of availability.", "risk_and_exploitability": "The flaw has a CVSS score of 7.8, indicating high severity, but the EPSS score is below 1\u202f% and it is not listed in the CISA KEV catalog, implying low exploitation likelihood. Exploitation would require local or privileged access to manipulate a target\u2019s state and issue a SCSI command that reaches the double\u2011free path. The attack vector is inferred from the need to control the device, likely through a local account with device administration rights. Overall risk is moderate, driven primarily by kernel crash potential rather than ease of attack."}}}}, "created": "2026-03-25T21:15:24.154599+00:00", "updated": "2026-04-03T09:39:07.750330+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}