Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.

In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The Linux kernel’s pm8001 SCSI driver contains a use‑after‑free bug that can trigger a double‑free when a target device is reported as offline or removed. The driver frees the underlying SAS task, returns -ENODEV to the caller, and libsas subsequently frees the same task again. This double‑free can corrupt kernel memory and cause a crash, resulting in a denial of service and loss of availability.

Affected Systems

Any Linux distribution that runs a kernel containing the unpatched pm8001 driver is affected. The CNA does not provide a specific kernel version range, so all kernel releases older than the commit that introduced the fix are potentially vulnerable. No vendor‑specific distribution information is provided, so the impact applies broadly to Linux systems with pm8001 devices.

Risk and Exploitability

The flaw has a CVSS score of 7.8, indicating high severity, but the EPSS score is below 1 % and it is not listed in the CISA KEV catalog, implying low exploitation likelihood. Exploitation would require local or privileged access to manipulate a target’s state and issue a SCSI command that reaches the double‑free path. The attack vector is inferred from the need to control the device, likely through a local account with device administration rights. Overall risk is moderate, driven primarily by kernel crash potential rather than ease of attack.

Generated by OpenCVE AI on April 2, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the pm8001_queue_command fix (commit e29c47f).
  • Verify that the patched kernel is active on all affected systems by checking the kernel version or confirming that the pm8001 driver is loaded.
  • If an immediate kernel upgrade cannot be performed, consider disabling unused pm8001 devices or unloading the pm8001 driver until the patch is applied.
  • Monitor system logs for kernel panic, OOPS, or BUG messages related to scsi_pm8001 to confirm the issue has been resolved.

Generated by OpenCVE AI on April 2, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
Title scsi: pm8001: Fix use-after-free in pm8001_queue_command()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:04:03.239Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23306

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:26.487

Modified: 2026-04-02T15:16:30.703

Link: CVE-2026-23306

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23306 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:07Z

Weaknesses