{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "id" : "2451240", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451240" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled.", "A flaw was found in the Linux kernel, specifically within the `pm8001` SCSI driver and the `libsas` library. An incorrect return value in the `pm8001_queue_command()` function, when a physical device is down or gone, can lead to a double free vulnerability. This occurs because the function frees a Serial Attached SCSI (SAS) task but then returns an error, causing the `libsas` layer to attempt to free the same task again. This double free can result in system instability or a denial of service (DoS)." ], "statement" : "This flaw affects systems using PMC-Sierra PM8001 SAS/SATA host bus adapters. The double-free occurs when a device goes offline during command processing. The incorrect return value causes libsas to free an already-freed task structure. While primarily a DoS issue, double-free vulnerabilities can potentially be exploited for code execution in some circumstances.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23306\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23306\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23306-8854@gregkh/T" ], "name" : "CVE-2026-23306", "csaw" : false }