CVE-2026-43414 - Vulnerability Details

- scsi: qla2xxx: Completely fix fcport double free

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.

Published: 2026-05-08

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s qla2xxx SCSI driver contains a double free bug (CWE-1341) that releases an fcport resource twice when an error occurs during command processing, which can corrupt kernel memory and trigger a kernel panic, effectively denying service to the system.

Affected Systems

Systems running Linux kernel versions that include the qla2xxx driver before the fix commit (c0b7da13a04bd70ef6070bfb9ea85f582294560a) are vulnerable. The driver manages Fibre Channel adapters; therefore any host deploying that driver prior to the patch is impacted.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as critical. The EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves triggering an error path in the driver that causes a double free; however, the exact method of exploitation is not specified in the provided data and therefore remains inferred.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4895009c4bb72f71f2e682f1e7d2c2d96e482087`	affected	< d48ea85463f5b34f7b92ea0a13eddf1ab993da7b
`4895009c4bb72f71f2e682f1e7d2c2d96e482087`	affected	< c0b7da13a04bd70ef6070bfb9ea85f582294560a
`7861213201838480dc222634c56fb6db113d010d`	affected	—
`3b9d72442adfbc9ddb0f76dd1b03977b3a578b16`	affected	—
`ef23850940d9a52c39936d27254824ccf5e9b6bd`	affected	—
`6c6bf6cacf9461f8d301cfac4f9c175d80cbcc63`	affected	—
`cd10dee1f07a782f5aa05703c55299ca86a85ee4`	affected	—
`b03e626bd6d3f0684f56ee1890d70fc9ca991c04`	affected	—
`282877633b25d67021a34169c5b5519b1d4ef65e`	affected	—
`f85af9f1aa5e2f53694a6cbe72010f754b5ff862`	affected	—
`9b43d2884b54d415caab48878b526dfe2ae9921b`	affected	—
`846fb9f112f618ec6ae181d8dae7961652574774`	affected	—
`5.15.154`	affected	< 5.16
`6.1.84`	affected	< 6.2
`6.6.24`	affected	< 6.7
`6.7.12`	affected	< 6.8
`6.8.3`	affected	< 6.9

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4895009c4bb72f71f2e682f1e7d2c2d96e482087,d48ea85463f5b34f7b92ea0a13eddf1ab993da7b)`	affected	code_commit	—
`[4895009c4bb72f71f2e682f1e7d2c2d96e482087,c0b7da13a04bd70ef6070bfb9ea85f582294560a)`	affected	code_commit	—
`7861213201838480dc222634c56fb6db113d010d`	affected	code_commit	—
`3b9d72442adfbc9ddb0f76dd1b03977b3a578b16`	affected	code_commit	—
`ef23850940d9a52c39936d27254824ccf5e9b6bd`	affected	code_commit	—
`6c6bf6cacf9461f8d301cfac4f9c175d80cbcc63`	affected	code_commit	—
`cd10dee1f07a782f5aa05703c55299ca86a85ee4`	affected	code_commit	—
`b03e626bd6d3f0684f56ee1890d70fc9ca991c04`	affected	code_commit	—
`282877633b25d67021a34169c5b5519b1d4ef65e`	affected	code_commit	—
`f85af9f1aa5e2f53694a6cbe72010f754b5ff862`	affected	code_commit	—
`9b43d2884b54d415caab48878b526dfe2ae9921b`	affected	code_commit	—
`846fb9f112f618ec6ae181d8dae7961652574774`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	generic	—
`[0,6.9)`	unaffected	generic	—
`[6.19.9,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Linux kernel patch that includes commit c0b7da13a04bd70ef6070bfb9ea85f582294560a, which fixes the fcport double free in the qla2xxx driver
Upgrade the system to a kernel version that incorporates the qla2xxx double free fix, such as the latest stable release or a vendor‑issued update
Repeat the patch or upgrade when new kernel releases become available to ensure the driver code no longer contains the double free path

Generated by OpenCVE AI on May 11, 2026 at 09:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a
https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b
https://lore.kernel.org/linux-cve-announce/2026050844-CVE-2026-43414-2950@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43414
https://www.cve.org/CVERecord?id=CVE-2026-43414

History

Mon, 11 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 09 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026050844-CVE-2026-43414-2950@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43414 https://www.cve.org/CVERecord?id=CVE-2026-43414
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
Title		scsi: qla2xxx: Completely fix fcport double free
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:51.604Z

Updated: 2026-05-23T16:06:56.357Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43414

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-08T15:16:53.353

Modified: 2026-05-12T14:10:27.343

Link: CVE-2026-43414

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43414 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T09:45:07Z

Weaknesses

CWE-1341

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object