CVE-2026-23306

Published: Mar 25, 2026 Last Modified: Mar 25, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001_queue_command()

Commit e29c47fe8946 ('scsi: pm8001: Simplify pm8001_task_exec()') refactors
pm8001_queue_command(), however it introduces a potential cause of a double
free scenario when it changes the function to return -ENODEV in case of phy
down/device gone state.

In this path, pm8001_queue_command() updates task status and calls
task_done to indicate to upper layer that the task has been handled.
However, this also frees the underlying SAS task. A -ENODEV is then
returned to the caller. When libsas sas_ata_qc_issue() receives this error
value, it assumes the task wasn't handled/queued by LLDD and proceeds to
clean up and free the task again, resulting in a double free.

Since pm8001_queue_command() handles the SAS task in this case, it should
return 0 to the caller indicating that the task has been handled.

https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee…
https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7
https://git.kernel.org/stable/c/38353c26db28efd984f51d426ea…
https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7
https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c666…
https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3
https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b0340…
https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b
https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb04…
https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4
https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b…
https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47