CVE-2025-68741

Vulnerability

Details

In the Linux kernel's qla2xxx SCSI driver, the function qla2xxx_process_purls_iocb() allocates a purex item via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). This allocator may return a pre-allocated item from a per-adapter pool for small allocations, rather than dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item, causing a mismatch if the item was from the pre-allocated pool [1][2].

Exploitation

To exploit this vulnerability, an attacker would need to trigger the error path in the qla2xxx driver. This could be achieved by sending malformed or abnormal SCSI commands that cause an allocation failure or other error condition, requiring local access to the system or the ability to interact with the Fibre Channel device. No special authentication is needed beyond the ability to issue SCSI commands.

Impact

If the item is from the pre-allocated pool, calling kfree() on it leads to memory corruption. This can result in system instability, denial of service, or potentially arbitrary code execution in kernel context, as the corrupted memory may be reused or freed improperly.

Mitigation

The Linux kernel has addressed this issue by replacing the kfree() call with the correct deallocation function qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. The fix is included in stable kernel updates; administrators should update their kernels to include commits cfe3e2f768d2 and 5fa1c8226b453 (or later versions). No workaround is available [1][2].