CVE-2025-71238
Received Received - Intake
Double Free Vulnerability in Linux qla2xxx Driver Causing Kernel Panic

Publication date: 2026-03-04

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases. However a few invoke it for failure case as well leading to a double free. Validate before calling bsg_done().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2026-03-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-71238
EUVD
EUVD-2025-208273
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.16 (inc) to 6.1.164 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.201 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.127 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.74 (exc)
linux linux_kernel From 5.7 (inc) to 5.10.251 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.13 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's qla2xxx driver, specifically in the bsg_done() function. The issue is that bsg_done() can be called twice in some failure cases, leading to a double free of memory. This double free can cause a kernel panic, which is a critical system crash.

The problem arises because most routines in qla_bsg.c call bsg_done() only when operations succeed, but a few also call it on failure, causing the double free. The fix involves validating before calling bsg_done() to prevent this.


How can this vulnerability impact me? :

This vulnerability can cause a kernel panic on affected systems, leading to an unexpected system crash. Such crashes can result in downtime, loss of data in memory, and disruption of services running on the affected Linux system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring system logs for kernel panic messages related to the qla2xxx driver. Specifically, look for error messages indicating a page fault or double free in the qla2xxx module, such as kernel panic logs containing 'BUG: unable to handle page fault' and call traces involving qla2x00_process_vendor_specific or qla24xx_bsg_request.

You can use commands like 'dmesg' or 'journalctl -k' to review kernel logs for these signs.

  • dmesg | grep -i qla2xxx
  • journalctl -k | grep -i 'BUG: unable to handle page fault'
  • journalctl -k | grep -i qla2xxx

What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Linux kernel to a version where the qla2xxx driver has been fixed to prevent the double free in bsg_done().

Until the update can be applied, monitor the system for kernel panics related to this issue and avoid workloads that trigger the qla2xxx driver operations that may cause the fault.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart