Cyber Resilience

CVE-2025-71238

Severity: High
Published: 04 March 2026
Modified: 17 March 2026
KEV Added: not listed
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-71238 is a high-severity double free (CWE-415) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 1.7th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-71238 is a double free (CWE-415) in the Linux kernel's qla2xxx SCSI driver, in the file qla_bsg.c. Most routines there call bsg_done() only on success, but a few also call it on their failure paths, so a failed job is completed (and its resources released) twice. The upstream report shows this triggering a kernel panic while the qlafwupdate.sub process was running on an HPE ProLiant DL360 Gen11 with kernel 5.14.0-503.34.1.el9_5.x86_64: a page fault in memcpy_erms, reached from sg_copy_buffer via qla2x00_process_vendor_specific and qla24xx_bsg_request.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can reach the flaw without user interaction and with low attack complexity. Successful exploitation has high confidentiality, integrity, and availability impact (CVSS 7.8): at minimum a kernel crash through a page fault such as the one in the report, and potentially further kernel memory corruption through the double free.

Mitigation involves applying upstream kernel patches from the referenced stable commits, including 057a5bdc481e58ab853117254867ffb22caf9f6e, 27ac9679c43a09e54e2d9aae9980ada045b428e0, 31f33b856d2324d86bcaef295f4d210477a1c018, 708003e1bc857dd014d4c44278d7d77c26f91b1c, and 74e7458537cd9349cf019862e51491f670871707, which add validation before calling bsg_done() to prevent the double free.
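The control-flow bug described above (a completion routine called from a handler's failure path and then again by the handler's caller) and the fix pattern the commit describes (validate before completing), as an added C model. This is constructed teaching code, not the qla2xxx driver or any of the referenced commits: the names job, job_done, vendor_handler_buggy, vendor_handler_fixed, request_buggy, request_fixed and the ledger are all assumptions. The ledger stands in for the double-free detection that a hardened allocator or KASAN provides, so the buggy path can be executed without corrupting the real heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed teaching model of the bug pattern in the advisory; no name here
 * comes from qla2xxx. A job owns a reply buffer that must be released exactly
 * once, by a completion routine playing the role of bsg_done(). */

#define MAX_TRACKED 16

/* Allocation ledger standing in for the double-free checks of a hardened
 * allocator or KASAN: a second free of the same pointer is counted and
 * refused instead of corrupting the heap, so the buggy path can be run. */
struct ledger_entry { void *ptr; int freed; };
static struct ledger_entry ledger[MAX_TRACKED];
static int ledger_len;
static int double_frees_detected;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p && ledger_len < MAX_TRACKED)
        ledger[ledger_len++] = (struct ledger_entry){ p, 0 };
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < ledger_len; i++) {
        if (ledger[i].ptr != p) continue;
        if (ledger[i].freed) { double_frees_detected++; return; } /* double free */
        ledger[i].freed = 1;
        free(p);
        return;
    }
}

static void ledger_reset(void) { ledger_len = 0; double_frees_detected = 0; }

enum job_state { JOB_PENDING, JOB_DONE };
struct job { enum job_state state; char *reply; };

/* Completion routine: releases the buffer and marks the job done. */
static void job_done(struct job *j) {
    tracked_free(j->reply);
    j->state = JOB_DONE;
}

/* Buggy pattern: the handler completes the job on its own failure path, and
 * the caller completes it again when it sees the error return. */
static int vendor_handler_buggy(struct job *j, int fail) {
    if (fail) { job_done(j); return -1; }   /* first completion ... */
    memcpy(j->reply, "ok", 3);
    job_done(j);
    return 0;
}

static int request_buggy(struct job *j, int fail) {
    int rc = vendor_handler_buggy(j, fail);
    if (rc) job_done(j);                    /* ... second completion */
    return rc;
}

/* Fixed pattern: a failed job is handed back uncompleted, and completion is
 * validated against the job's state first, so even a stray second call
 * cannot release the buffer twice. */
static void job_done_checked(struct job *j) {
    if (j->state == JOB_DONE) return;       /* validate before completing */
    job_done(j);
}

static int vendor_handler_fixed(struct job *j, int fail) {
    if (fail) return -1;                    /* leave completion to the caller */
    memcpy(j->reply, "ok", 3);
    job_done_checked(j);
    return 0;
}

static int request_fixed(struct job *j, int fail) {
    int rc = vendor_handler_fixed(j, fail);
    if (rc) job_done_checked(j);            /* the only completion on error */
    return rc;
}

/* Runs one request through the buggy or fixed path and returns how many
 * double frees the ledger caught: 1 for a failing request on the buggy
 * path, 0 in every other case. */
static int run_request(int use_fixed, int fail) {
    ledger_reset();
    struct job j = { JOB_PENDING, tracked_alloc(64) };
    if (use_fixed) request_fixed(&j, fail); else request_buggy(&j, fail);
    return double_frees_detected;
}

int main(void) {
    printf("buggy path, failing request: %d double free(s) caught\n", run_request(0, 1));
    printf("fixed path, failing request: %d double free(s) caught\n", run_request(1, 1));
    return 0;
}
```

The fixed variant applies both halves of the discipline: the handler gives up ownership of a failed job instead of completing it, and the completion helper refuses to run twice. Either change alone would close this particular path; together they make the second, unexpected caller harmless rather than relying on every call site being audited.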


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix bsg_done() causing double free

Kernel panic observed on system,

[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]

Most routines in qla_bsg.c call bsg_done() only for success cases. However, a few invoke it for the failure case as well, leading to a double free.

Validate before calling bsg_done().

CWE(s): CWE-415 (Double Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A double free in a kernel driver gives a local user a memory-corruption primitive that can be leveraged for privilege escalation (T1068). It also supports denial of service through a kernel panic, but the primary mapping is escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-31489 (same product: Linux Linux Kernel)
CVE-2026-23162 (same product: Linux Linux Kernel)
CVE-2026-23068 (same product: Linux Linux Kernel)
CVE-2026-31475 (same product: Linux Linux Kernel)
CVE-2026-31468 (same product: Linux Linux Kernel)
CVE-2024-56766 (same product: Linux Linux Kernel)
CVE-2024-58055 (same product: Linux Linux Kernel)
CVE-2026-31471 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.7 to 5.10.251; 5.11 to 5.15.201; 5.16 to 6.1.164

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mandates timely remediation of the double free flaw in the qla2xxx driver via kernel patches to prevent kernel panics and exploitation.

SI-11 Error Handling (prevent): Requires secure error handling to prevent failure paths in qla_bsg.c from invoking bsg_done() twice, addressing the root cause of the double free.

Memory protection control (prevent): Deploys memory protection mechanisms that mitigate exploitation of the double free vulnerability by restricting unauthorized memory access and corruption.
