{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23306", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:27:01.719Z", "dateUpdated": "2026-03-25T10:27:01.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:01.719Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "ebbb852ffbc952b95ddb7e3872b67b3e74c6da47", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "8b00427317ba7b7ec91252b034009f638d0f311b", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "c5dc39f8ae055520fd778b7fb0423f11586f15c4", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "824a7672e3540962d5c77d4c6666254d7aa6f0b3", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "227ff4af00abc40b95123cc27ee8079069dcd8d7", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "38353c26db28efd984f51d426eac2396d299cca7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}, {"url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}], "title": "scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}], "id": "CVE-2026-23306", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:26.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "id": "2451240", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451240"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["A flaw was found in the Linux kernel, specifically within the `pm8001` SCSI driver and the `libsas` library. An incorrect return value in the `pm8001_queue_command()` function, when a physical device is down or gone, can lead to a double free vulnerability. This occurs because the function frees a Serial Attached SCSI (SAS) task but then returns an error, causing the `libsas` layer to attempt to free the same task again. This double free can result in system instability or a denial of service (DoS)."], "name": "CVE-2026-23306", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23306\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23306\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23306-8854@gregkh/T"], "statement": "This flaw affects systems using PMC-Sierra PM8001 SAS/SATA host bus adapters. The double-free occurs when a device goes offline during command processing. The incorrect return value causes libsas to free an already-freed task structure. While primarily a DoS issue, double-free vulnerabilities can potentially be exploited for code execution in some circumstances.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,ebbb852ffbc952b95ddb7e3872b67b3e74c6da47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,8b00427317ba7b7ec91252b034009f638d0f311b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,c5dc39f8ae055520fd778b7fb0423f11586f15c4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,824a7672e3540962d5c77d4c6666254d7aa6f0b3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,227ff4af00abc40b95123cc27ee8079069dcd8d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e29c47fe8946cc732b0e0d393b65b13c84bb69d0,38353c26db28efd984f51d426eac2396d299cca7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:50:19.357134+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to the latest release that includes the pm8001 Queue Command patch.", "If the distributed kernel cannot be updated immediately, apply the patch manually by applying commit e29c47fe8946 or the following commit that corrects pm8001_queue_command().", "After updating, verify that the kernel module reports no double\u2011free or memory corruption by monitoring dmesg or using kernel debugging tools.", "Maintain standard kernel hardening practices, such as enabling SELinux or AppArmor, to reduce local privilege impact if an exploit were present."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include the pm8001 SCSI driver are affected until the commit that reverts the double\u2011free logic is applied. The issue is present in general Linux kernel releases that use the legacy pm8001 driver. No specific vendor name beyond \"Linux\" appears; the vulnerability affects the scsi:pm8001 module across all distributions that ship the current mainline kernel before the patch.", "description_and_impact": "The vulnerability involves a double free within the pm8001 SCSI driver in the Linux kernel. When a device is in a \"phy down\" or \"device gone\" state, the pm8001_queue_command() function frees a SAS task and returns a negative error code, after which the upper\u2011layer handler also frees the same task. This results in a use\u2011after\u2011free that can corrupt kernel memory. The impact includes the possibility of a kernel crash, denial of service, or, if memory is reused, potential kernel\u2011level privilege escalation. The weakness is consistent with CWE\u2011416 (Use\u2011After\u2011Free).", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of less than 1% shows a low likelihood of public exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack surface is limited to local or privileged users with access to the block device that uses the pm8001 driver, so remote exploitation is unlikely unless a higher\u2011level vulnerability can be leveraged. Updating to a kernel that incorporates the patch will eliminate the double\u2011free path and remove the associated risk."}}}}, "created": "2026-03-25T21:15:24.154599+00:00", "updated": "2026-03-26T12:16:50.654691+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}