CVE-2026-23306

Published: Mar 25, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.

Vendor	Product	Versions
Linux	Linux	affected `e29c47fe8946cc732b0e0d393b65b13c84bb69d0 - < ebbb852ffbc952b95ddb7e3872b67b3e74c6da47` affected `e29c47fe8946cc732b0e0d393b65b13c84bb69d0 - < 8b00427317ba7b7ec91252b034009f638d0f311b` affected `e29c47fe8946cc732b0e0d393b65b13c84bb69d0 - < c5dc39f8ae055520fd778b7fb0423f11586f15c4` affected `e29c47fe8946cc732b0e0d393b65b13c84bb69d0 - < 824a7672e3540962d5c77d4c6666254d7aa6f0b3` affected `e29c47fe8946cc732b0e0d393b65b13c84bb69d0 - < 227ff4af00abc40b95123cc27ee8079069dcd8d7` +1 more versions
Linux	Linux	affected `5.18` unaffected `0 - < 5.18` unaffected `6.1.167 - <= 6.1.` unaffected `6.6.130 - <= 6.6.` unaffected `6.12.77 - <= 6.12.*` +3 more versions