CVE-2026-23306
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
EPSS 0.02% · 4.9th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 7.0, 6.18.17, e29c47fe8946cc732b0e0d393b65b13c84bb69d0 |
| linux | linux_kernel | 5.18, 5.18, 5.18 |
Exploit Intelligence
- CIRCL seen: CVE-2026-23306 (circl-sighting)
- CIRCL seen: CVE-2026-23306 (circl-sighting)
- CIRCL seen: CVE-2026-23306 (circl-sighting)
- https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47 (circl)
- https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b (circl)
- https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4 (circl)
- https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3 (circl)
- https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7 (circl)
- https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7 (circl)
- 4628.1.0.yml (github-poc)
…and 19 more exploits
Timeline
- Mar 25, 2026 EPSS Score
- Mar 25, 2026 Coalition ESS Score
- Mar 25, 2026 CVE Published
- Mar 29, 2026 Security Advisory
- Mar 29, 2026 PoC Published
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
- Mar 31, 2026 Security Advisory
References
- https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e3872b67b3e74c6da47 url
- https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b url
- https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4 url
- https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3 url
- https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7 url
- https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23306 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32748 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4438 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23347 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23268 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23392 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23319 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23253 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23296 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23364 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23368 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27654 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30922 advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23286 advisory
…and 131 more