CVE-2026-43414
Double Free Vulnerability in Linux Kernel QLA2xxx FC Port
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a double free issue in the Linux kernel's qla2xxx SCSI driver. Specifically, in the function qla24xx_els_dcmd_iocb(), the sp->free callback is set to a function that frees the fcport structure. When an error occurs, that free function is called twice: once during the release of the first reference and again during the release of the last reference via kref_put(). Calling the free function twice on the same resource is a double free.
How can this vulnerability impact me?
A double free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or escalate privileges. In this case, the double free of the fcport resource in the Linux kernel's SCSI driver could compromise system stability or security.
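The refcount pattern described in the answer above, modelled in plain C as an added example that is not taken from the kernel or from the qla2xxx driver: a simplified srb/fcport pair with a counter standing in for kref, an instrumented release in place of kfree(), and an error path that invokes sp->free directly and then again through the final reference drop. The "correct" variant follows the standard kref idiom (release only via the last put) and is an assumption about the pattern, not the upstream patch.

```c
#include <stddef.h>

/* Constructed model, not the kernel's structures. */
struct fcport {
    int freed_times;           /* instrumentation: how often "kfree" ran */
};

struct srb {
    int refcount;              /* stand-in for sp->cmd_kref */
    struct fcport *fcport;
    void (*free)(struct srb *sp);   /* stand-in for sp->free */
};

/* The callback that frees the fcport; a real driver would kfree() here. */
static void sp_free_fcport(struct srb *sp)
{
    sp->fcport->freed_times++;
}

/* Stand-in for kref_put(): the release callback runs exactly once,
 * when the last reference is dropped. */
static void sp_put(struct srb *sp)
{
    if (--sp->refcount == 0 && sp->free)
        sp->free(sp);
}

/* Error path as described in the advisory: sp->free is called directly for
 * the first release, then kref_put() drops the last reference and runs
 * sp->free again. Returns how many times the fcport was freed (2 here). */
static int buggy_error_path(void)
{
    struct fcport fcport = { .freed_times = 0 };
    struct srb sp = { .refcount = 1, .fcport = &fcport, .free = sp_free_fcport };

    sp.free(&sp);              /* first release: frees the fcport */
    sp_put(&sp);               /* last reference: frees it a second time */
    return fcport.freed_times;
}

/* Assumed correct pattern: never call the release callback directly;
 * let the final reference drop free the fcport exactly once. */
static int correct_error_path(void)
{
    struct fcport fcport = { .freed_times = 0 };
    struct srb sp = { .refcount = 1, .fcport = &fcport, .free = sp_free_fcport };

    sp_put(&sp);               /* only path that may free the fcport */
    return fcport.freed_times;
}
```

Running the buggy path under KASAN-style instrumentation is what turns the second release into a visible double-free report; the counter here plays that role.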