scsi: pm8001: Fix use-after-free in pm8001_queue_command()_CVE-2026-23306

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.

In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.

Basic Information

ID CVE-2026-23306

Source Linux

Published Mar 25, 2026 at 10:27

Modified Apr 2, 2026 at 14:44

Affected Product

Vendor Linux

Product Linux

Version e29c47fe8946cc732b0e0d393b65b13c84bb69d0

Affected Versions Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0
Linux Linux 5.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled.",
    "published": "2026-03-25T10:27:01.719Z",
    "modified": "2026-04-02T14:44:15.148Z",
    "type": "cve",
    "title": "scsi: pm8001: Fix use-after-free in pm8001_queue_command()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47\nhttps://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b\nhttps://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4\nhttps://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3\nhttps://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7\nhttps://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7",
    "id": "CVE-2026-23306",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0\nLinux Linux 5.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply