Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix bsg_done() causing double free

Kernel panic observed on system,

[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]

Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel panic caused by double free
Action: Patch
AI Analysis

Impact

In the qla2xxx SCSI driver, a few routines in qla_bsg.c call bsg_done() on failure paths as well as on success, so the same memory is freed twice. This double free corrupts kernel memory and can trigger a kernel panic, bringing the entire system offline. The flaw is a classic CWE-415 (double free) that directly compromises the integrity and availability of the operating system.
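A user-space model of the completion pattern described above, as an added example that is not the driver's code or the upstream patch. The struct, the handler names and the caller that releases the job on a non-zero return are assumptions made for illustration; a counter stands in for the second free.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for a BSG job; not the kernel's structure. */
struct job {
    int released;      /* 1 once the job has been completed and released */
    int double_frees;  /* completions attempted after release */
};

/* Stand-in for bsg_done(): completing a job also releases it. */
static void job_done(struct job *j)
{
    if (j->released)
        j->double_frees++;   /* in the kernel this is the second free */
    j->released = 1;
}

/* Shape the description calls out: completion runs on failure as well. */
static int handler_unchecked(struct job *j, int hw_status)
{
    int ret = hw_status ? -EIO : 0;
    job_done(j);
    return ret;
}

/* "Validate before calling bsg_done()": complete only on success. */
static int handler_checked(struct job *j, int hw_status)
{
    int ret = hw_status ? -EIO : 0;
    if (!ret)
        job_done(j);
    return ret;
}

/* Assumed caller: on a non-zero return it releases the job itself. */
static int dispatch(int (*handler)(struct job *, int), int hw_status)
{
    struct job j = { 0, 0 };
    if (handler(&j, hw_status))
        job_done(&j);
    return j.double_frees;
}

int main(void)
{
    printf("unchecked, failure: %d\n", dispatch(handler_unchecked, 1));
    printf("checked,   failure: %d\n", dispatch(handler_checked, 1));
    return 0;
}
```

Only the failure path differs between the two handlers, which is why the fault appears only when a request fails.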

Affected Systems

All Linux kernel releases that ship the qla2xxx SCSI driver without the fix are affected. This includes distributions that compile the kernel from source or provide pre-built kernel packages (e.g., CentOS/RHEL 9, Fedora, Ubuntu). Any host that has a QLogic SCSI adapter and the qla2xxx module loaded is potentially affected, regardless of the specific kernel version. Because the vulnerability exists in the legacy code path, every kernel that predates the patch is at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-severity impact, while the EPSS score of less than 1% reflects a low probability of mass exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires that the vulnerable driver be loaded and that a QLogic SCSI device be present to interact with the firmware or send commands that trigger the fault. The attack vector is local or through malicious SCSI command streams, so untrusted users on the host or potentially remote attackers who can influence SCSI traffic would be able to trigger the double free. The consequence is an immediate system crash, denying availability to all users and services on the host.

Generated by OpenCVE AI on April 20, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to any release that contains the patch for the qla2xxx driver
  • If an upgrade cannot be applied immediately, unload or blacklist the qla2xxx module or physically disconnect QLogic SCSI adapters from the system until the kernel is updated
  • Enable kernel hardening options such as CONFIG_BUG and CONFIG_PROVE_LOCKING to help detect and mitigate similar memory corruption issues earlier



Advisories
Source      ID          Title
Debian DLA  DLA-4498-1  linux security update
Debian DLA  DLA-4499-1  linux-6.1 security update
Debian DSA  DSA-6163-1  linux security update
Debian DSA  DSA-6162-1  linux security update
History

Tue, 17 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 04 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title scsi: qla2xxx: Fix bsg_done() causing double free
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:28.683Z

Reserved: 2026-02-18T14:25:13.845Z

Link: CVE-2025-71238

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-04T15:16:12.700

Modified: 2026-03-17T21:21:58.760

Link: CVE-2025-71238

Redhat

Severity : Important

Public Date: 2026-03-04T00:00:00Z

Links: CVE-2025-71238 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses