CVE-2025-71235
Received Received - Intake
Use-After-Free Vulnerability in Linux qla2xxx Driver Causes System Crash

Publication date: 2026-02-18

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931] <IRQ> [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999] ? __wake_up_common+0x80/0x190 [105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040] ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044] ? handle_irq_event+0x58/0xb0 [105954.385046] ? handle_edge_irq+0x93/0x240 [105954.385050] ? __common_interrupt+0x41/0xa0 [105954.385055] ? common_interrupt+0x3e/0xa0 [105954.385060] ? asm_common_interrupt+0x22/0x40 The root cause of this was that there was a free (dma_free_attrs) in the interrupt context. There was a device discovery/fabric scan in progress. A module unload was issued which set the UNLOADING flag. As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued). Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed. The free occurred in interrupt context leading to system crash. Delay the driver unload until the fabric scan is complete to avoid the crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-03-18
Generated
2026-05-07
AI Q&A
2026-02-18
EPSS Evaluated
2026-05-05
NVD
CVE-2025-71235
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.1 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.164 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.201 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.125 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.72 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.11 (exc)
linux linux_kernel From 4.8 (inc) to 5.10.251 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's qla2xxx SCSI driver. It occurs when the driver module is unloaded while a fabric scan (device discovery) is still in progress. During this process, an interrupt triggers a work queue to be scheduled. However, if the module unload has already set an UNLOADING flag, the work item is not allocated, and the memory that was mapped must be freed immediately in the interrupt context. Freeing memory in this context causes a system crash.

The root cause is that the driver attempts to free DMA memory during an interrupt, which is unsafe. The fix delays the module unload until the fabric scan completes, preventing the crash.


How can this vulnerability impact me? :

This vulnerability can cause your Linux system to crash unexpectedly during load and unload operations of the qla2xxx driver module, especially when a fabric scan is in progress. Such crashes can lead to system downtime, potential data loss, and disruption of services relying on the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a system crash during load/unload tests of the qla2xxx driver module, particularly when a fabric scan is in progress.

Detection can involve monitoring system logs for crash traces related to the qla2xxx driver. Look for kernel messages similar to the provided call trace involving qla24xx_sp_unmap and related functions.

Commands to help detect this issue include checking the kernel ring buffer for relevant errors:

  • dmesg | grep qla2xxx
  • journalctl -k | grep qla2xxx
  • modinfo qla2xxx

Additionally, monitoring for repeated module load/unload cycles or fabric scans in progress may help identify the vulnerable state.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by unloading the qla2xxx driver module while a fabric scan is in progress, leading to a system crash.

Immediate mitigation steps include:

  • Avoid unloading the qla2xxx kernel module while a fabric scan or device discovery is active.
  • Delay the module unload until the fabric scan completes to prevent freeing memory in interrupt context.
  • If possible, update the Linux kernel to a version where this issue is resolved.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart