Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
When an error happens, this function is called by qla2x00_sp_release(),
when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
Doing it one more time after kref_put() is a bad idea.
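
The ownership rule in the description can be shown with a small userspace model, added here as an illustration and not taken from the qla2xxx driver. All names are hypothetical stand-ins, frees are counted rather than performed so the double release can be observed safely, and the corrected path simply omits the second free, which is an assumption about the shape of the fix based on the description.

```c
#include <stddef.h>

/* Userspace model only: hypothetical stand-ins, not the driver's code. */
struct fcport { int free_calls; };      /* counts frees instead of freeing */
struct srb;
typedef void (*sp_free_fn)(struct srb *);
struct srb { int refcount; sp_free_fn free; struct fcport *fcport; };

static void free_fcport(struct fcport *fp) { fp->free_calls++; }

/* Plays the role of the sp->free callback: it owns the fcport cleanup. */
static void els_dcmd_sp_free(struct srb *sp)
{
    if (sp->fcport)
        free_fcport(sp->fcport);
    sp->fcport = NULL;
}

/* Plays the role of the release function run when the last reference drops. */
static void sp_release(struct srb *sp) { sp->free(sp); }

static void sp_put(struct srb *sp)
{
    if (--sp->refcount == 0)
        sp_release(sp);
}

/* Error path as described: drop the only reference, then free fcport again. */
static int error_path_buggy(struct fcport *fp)
{
    struct srb sp = { 1, els_dcmd_sp_free, fp };
    sp_put(&sp);            /* release -> sp->free -> fcport freed once */
    free_fcport(fp);        /* second free of the same fcport */
    return fp->free_calls;
}

/* Corrected error path: dropping the reference is the only cleanup. */
static int error_path_fixed(struct fcport *fp)
{
    struct srb sp = { 1, els_dcmd_sp_free, fp };
    sp_put(&sp);
    return fp->free_calls;
}

int main(void)
{
    struct fcport a = {0}, b = {0};
    return !(error_path_buggy(&a) == 2 && error_path_fixed(&b) == 1);
}
```
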
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The qla2xxx SCSI driver in the Linux kernel contains a double free bug that can release an fcport resource twice when an error occurs during command processing. Based on the description, it is inferred that this double free can trigger a use‑after‑free condition, potentially causing memory corruption within the kernel. In kernel code, such corruption can result in a kernel panic (denial of service) or provide an attacker with a vector to execute arbitrary code with kernel privileges.

Affected Systems

Linux kernel releases built with the legacy qla2xxx driver and lacking the fix commit (c0b7da13a04bd70ef6070bfb9ea85f582294560a) are susceptible. The affected code path includes qla24xx_els_dcmd_iocb() and qla2x00_els_dcmd_sp_free(). The driver manages Fibre Channel adapters; the CVE description does not name a vendor, but the driver name suggests the hardware is typically QLogic devices.

Risk and Exploitability

No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 5.5, indicating a medium severity vulnerability. Attackers must be able to trigger the error path in the driver; thus the likely attack vector is local privilege escalation, or if an attacker can gain direct access to the Fibre Channel controller, a remote attack via the storage network is possible. This inference is based on the description of a double free in the driver, which suggests that an attacker could trigger the error path with locally executed code or through storage network traffic.

Generated by OpenCVE AI on May 9, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that includes commit c0b7da13a04bd70ef6070bfb9ea85f582294560a, which fixes the fcport double free in the qla2xxx driver
  • Upgrade to a kernel version that incorporates the qla2xxx double free fix (e.g., latest stable kernel releases or vendor‑specific updated patches)
  • Repeat the patch or upgrade when new kernel versions are released, ensuring the driver code no longer contains the error path that triggers the double free

Advisories

No advisories yet.

History

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
Title scsi: qla2xxx: Completely fix fcport double free
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:51.604Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43414

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:53.353

Modified: 2026-05-08T15:16:53.353

Link: CVE-2026-43414

Redhat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43414 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses