CVE-2026-43414

CRITICAL

scsi: qla2xxx: Completely fix fcport double free

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.

qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
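The ownership problem in the description, as a userspace C model added to this page (it is not the kernel's code or the actual patch). All type and function names are hypothetical stand-ins, and frees are counted rather than performed so the second release can be observed safely.

```c
#include <stdio.h>

/* Userspace model only; every name here is a hypothetical stand-in. */
struct fcport_model { int frees; };        /* counts release attempts */

struct srb_model {
    int refcount;                          /* stands in for the kref */
    struct fcport_model *fcport;
    void (*free)(struct srb_model *sp);    /* stands in for sp->free */
};

/* Records a release instead of calling free(), so a double free shows up
 * as a count of 2 rather than as undefined behaviour. */
static void fcport_release(struct fcport_model *fcport) { fcport->frees++; }

/* Models the sp->free callback: it owns the fcport and releases it. */
static void els_sp_free(struct srb_model *sp) { fcport_release(sp->fcport); }

/* Models kref_put(): dropping the last reference runs the release callback. */
static void sp_put(struct srb_model *sp)
{
    if (--sp->refcount == 0)
        sp->free(sp);
}

/* Error path of the request setup; returns how often fcport was released. */
static int error_path(int caller_frees_again)
{
    struct fcport_model fcport = { 0 };
    struct srb_model sp = { 1, &fcport, els_sp_free };

    sp_put(&sp);                  /* first and last reference: fcport released */
    if (caller_frees_again)
        fcport_release(&fcport);  /* the extra release after the put */
    return fcport.frees;
}

int main(void)
{
    printf("put, then free again: %d releases\n", error_path(1));
    printf("put only:             %d releases\n", error_path(0));
    return 0;
}
```

Once the release callback owns the object, the error path must treat the final put as the only release.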

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (21)
Linux/Linux < 6.9
Linux/Linux 282877633b25d67021a34169c5b5519b1d4ef65e
Linux/Linux 3b9d72442adfbc9ddb0f76dd1b03977b3a578b16
Linux/Linux 4895009c4bb72f71f2e682f1e7d2c2d96e482087 - c0b7da13a04bd70ef6070bfb9ea85f582294560a
Linux/Linux 4895009c4bb72f71f2e682f1e7d2c2d96e482087 - d48ea85463f5b34f7b92ea0a13eddf1ab993da7b
Linux/Linux 5.15.154 - 5.16
Linux/Linux 6.1.84 - 6.2
Linux/Linux 6.19.9 - 6.19.*
Linux/Linux 6.6.24 - 6.7
Linux/Linux 6.7.12 - 6.8
... and 11 more
Published May 08, 2026
Tracked Since May 08, 2026