{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23306", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:27:01.719Z", "dateUpdated": "2026-03-25T10:27:01.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:01.719Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "ebbb852ffbc952b95ddb7e3872b67b3e74c6da47", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "8b00427317ba7b7ec91252b034009f638d0f311b", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "c5dc39f8ae055520fd778b7fb0423f11586f15c4", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "824a7672e3540962d5c77d4c6666254d7aa6f0b3", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "227ff4af00abc40b95123cc27ee8079069dcd8d7", "status": "affected", "versionType": "git"}, {"version": "e29c47fe8946cc732b0e0d393b65b13c84bb69d0", "lessThan": "38353c26db28efd984f51d426eac2396d299cca7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm8001_sas.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}, {"url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}], "title": "scsi: pm8001: Fix use-after-free in pm8001_queue_command()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free in pm8001_queue_command()\n\nCommit e29c47fe8946 (\"scsi: pm8001: Simplify pm8001_task_exec()\") refactors\npm8001_queue_command(), however it introduces a potential cause of a double\nfree scenario when it changes the function to return -ENODEV in case of phy\ndown/device gone state.\n\nIn this path, pm8001_queue_command() updates task status and calls\ntask_done to indicate to upper layer that the task has been handled.\nHowever, this also frees the underlying SAS task. A -ENODEV is then\nreturned to the caller. When libsas sas_ata_qc_issue() receives this error\nvalue, it assumes the task wasn't handled/queued by LLDD and proceeds to\nclean up and free the task again, resulting in a double free.\n\nSince pm8001_queue_command() handles the SAS task in this case, it should\nreturn 0 to the caller indicating that the task has been handled."}], "id": "CVE-2026-23306", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:26.487", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}