CVE-2026-23306
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.
In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free.
Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's pm8001 SCSI driver occurs when pm8001_queue_command() returns -ENODEV after freeing a SAS task, leading to a double free by libsas.
Root Cause
CVE-2026-23306 is a use-after-free vulnerability in the Linux kernel's pm8001 SCSI driver. The bug was introduced by commit e29c47fe8946, which refactored pm8001_queue_command(). In the new code path, when the PHY is down or the device is gone, the function updates the task status, calls task_done (which frees the underlying SAS task), and then returns -ENODEV to the caller. The caller, sas_ata_qc_issue() in libsas, interprets the non-zero return value as an indication that the task was not handled and proceeds to clean up and free the task again, resulting in a double free.
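The ownership rule at the heart of this bug is easy to state but easy to get wrong: once a low-level driver has completed a task through its completion callback, the task belongs to the completion path, so the driver must tell the caller "handled" (return 0). The following C program is an added example, not code from the kernel or from the pm8001 driver. It models the contract with hypothetical stand-ins (`queue_command_buggy`, `queue_command_fixed`, `issue_like_libsas`, a counting `task_free` instead of a real `kfree`) so that the double free shows up as a count rather than a crash, and so the fixed and buggy return conventions can be compared side by side.

```c
#include <errno.h>
#include <stdio.h>

/* Minimal stand-in for a SAS task (constructed for this example). */
struct sas_task {
    int status;      /* completion status the LLDD reports */
    int done_calls;  /* how many times the completion callback ran */
};

enum phy_state { PHY_DOWN = 0, PHY_UP = 1 };

/* Count releases instead of really freeing, so a double free is
 * observable without undefined behaviour in the demonstration. */
static int free_count;

static void task_free(struct sas_task *t)
{
    (void)t;           /* real code would kfree() the task here */
    free_count++;
}

/* Completion callback: after this runs the task is gone, exactly the
 * effect the description attributes to task_done in pm8001. */
static void task_done(struct sas_task *t)
{
    t->done_calls++;
    task_free(t);
}

/* Buggy pattern: completes (and frees) the task on PHY down, then still
 * reports -ENODEV, which the caller reads as "not handled". */
static int queue_command_buggy(struct sas_task *t, enum phy_state phy)
{
    if (phy == PHY_DOWN) {
        t->status = -ENODEV;
        task_done(t);
        return -ENODEV;
    }
    return 0;  /* hardware path elided: task would be queued to the HBA */
}

/* Fixed pattern: the task was handled via task_done, so report 0 and
 * leave cleanup to the completion path alone. */
static int queue_command_fixed(struct sas_task *t, enum phy_state phy)
{
    if (phy == PHY_DOWN) {
        t->status = -ENODEV;
        task_done(t);
        return 0;
    }
    return 0;
}

/* Caller modelled on the description of sas_ata_qc_issue(): a non-zero
 * return means the LLDD never took the task, so the caller frees it.
 * Returns how many times the task was released in total. */
static int issue_like_libsas(int (*queue)(struct sas_task *, enum phy_state),
                             enum phy_state phy)
{
    struct sas_task task = { 0 };

    free_count = 0;
    if (queue(&task, phy) != 0)
        task_free(&task);   /* caller cleans up an "unhandled" task */
    return free_count;
}

int main(void)
{
    printf("buggy, PHY down: %d release(s)\n",
           issue_like_libsas(queue_command_buggy, PHY_DOWN));  /* 2: double free */
    printf("fixed, PHY down: %d release(s)\n",
           issue_like_libsas(queue_command_fixed, PHY_DOWN));  /* 1 */
    return 0;
}
```

The counter makes the defect concrete: with the buggy return convention the task is released once by the completion callback and once more by the caller, which is the double free the commit message describes; with the fixed convention only the completion path releases it. A useful review habit for any driver or callback-based API is to write down, per return value, who owns the object afterwards, and to treat "I completed it and also returned an error" as a red flag.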
Exploitation
An attacker with local access and the ability to trigger a PHY-down or device-gone condition on a system using the pm8001 driver could cause the driver to enter this vulnerable code path. No special privileges beyond the ability to issue SCSI commands are required; the vulnerability is triggered during normal error handling in the SCSI layer. The double free occurs in kernel memory, which can lead to memory corruption.
Impact
Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more sophisticated scenarios, arbitrary code execution with kernel privileges. The CVSS v3 score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability.
Mitigation
The fix has been applied to the Linux kernel stable tree. The following commits address the issue: [1], [2], [3], [4]. Users should update their kernel to a version containing these patches. No workaround is available; updating the kernel is the recommended mitigation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 6
- git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7 (source: nvd)
- git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7 (source: nvd)
- git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3 (source: nvd)
- git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b (source: nvd)
- git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4 (source: nvd)
- git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47 (source: nvd)
News mentions: 0
No linked articles in our index yet.