CVE-2025-71238
Published: 04 March 2026
Summary
CVE-2025-71238 is a high-severity Double Free (CWE-415) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-71238 is a double free vulnerability (CWE-415) in the Linux kernel's qla2xxx SCSI driver, specifically within the qla_bsg.c file. The issue arises because some routines call bsg_done() on failure paths as well as on success, so the job is completed (and its resources released) twice. This was observed to trigger a kernel panic during operations such as qlafwupdate.sub on systems such as an HPE ProLiant DL360 Gen11 running kernel 5.14.0-503.34.1.el9_5.x86_64, with the panic occurring in memcpy_erms during sg_copy_buffer, reached from qla2x00_process_vendor_specific and qla24xx_bsg_request.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability due to its low attack complexity. Successful exploitation could result in high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially causing kernel crashes via page faults or enabling further kernel memory corruption through the double free.
Mitigation involves applying upstream kernel patches from the referenced stable commits, including 057a5bdc481e58ab853117254867ffb22caf9f6e, 27ac9679c43a09e54e2d9aae9980ada045b428e0, 31f33b856d2324d86bcaef295f4d210477a1c018, 708003e1bc857dd014d4c44278d7d77c26f91b1c, and 74e7458537cd9349cf019862e51491f670871707, which add validation before calling bsg_done() to prevent the double free.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208273
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free
Kernel panic observed on system,
[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
Most routines in qla_bsg.c call bsg_done() only for success cases. However, a few invoke it for the failure case as well, leading to a double free.
Validate before calling bsg_done().
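The ownership mistake behind this class of bug, shown in an added C model that is not the qla_bsg.c code: a completion routine releases a job's resources exactly once, so a handler that completes the job on its failure path, while its caller also completes on error, releases twice. The names here (struct job_model, job_done, handler_buggy, handler_fixed, run_request) are hypothetical stand-ins; the model's job_done refuses a second completion and counts it, so the demo itself stays memory-safe while still exposing where the double free would occur. The fixed handler shape follows the commit's direction: only the success path completes, and a failure returns the error so the caller performs the single completion.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Hypothetical model of the bug class, not driver code: a request object
 * owns a reply buffer that the completion routine releases exactly once.
 */
struct job_model {
    char *reply;      /* owned buffer, released by job_done() */
    bool completed;   /* true once job_done() has run */
    int done_calls;   /* how many times completion was attempted */
};

/*
 * Stand-in for bsg_done(): releases the reply and marks the job complete.
 * A second call is the double free; here it is detected and refused so the
 * demo stays memory-safe, and the attempt is still counted in done_calls.
 */
static bool job_done(struct job_model *job)
{
    job->done_calls++;
    if (job->completed)
        return false;           /* would have freed job->reply a second time */
    free(job->reply);
    job->reply = NULL;
    job->completed = true;
    return true;
}

/* Buggy handler shape: completes the job on the failure path as well. */
static int handler_buggy(struct job_model *job, bool fail)
{
    if (fail) {
        job_done(job);          /* BUG: the caller also completes on error */
        return -1;
    }
    job_done(job);
    return 0;
}

/*
 * Fixed handler shape: only the success path completes. On failure the
 * error is returned and the caller performs the one and only completion.
 */
static int handler_fixed(struct job_model *job, bool fail)
{
    if (fail)
        return -1;
    job_done(job);
    return 0;
}

/*
 * Models the request entry point: runs the handler and, when it reports an
 * error, completes the job itself. Returns the total number of completion
 * attempts; a result of 2 means a real double free would have occurred.
 */
static int run_request(int (*handler)(struct job_model *, bool), bool fail)
{
    struct job_model job = { .reply = malloc(64), .completed = false, .done_calls = 0 };
    if (!job.reply)
        return -1;
    if (handler(&job, fail) != 0)
        job_done(&job);         /* error-path completion by the caller */
    return job.done_calls;
}

int main(void)
{
    printf("buggy handler, failure path: %d completion attempt(s)\n", run_request(handler_buggy, true));
    printf("fixed handler, failure path: %d completion attempt(s)\n", run_request(handler_fixed, true));
    printf("fixed handler, success path: %d completion attempt(s)\n", run_request(handler_fixed, false));
    return 0;
}
```

When reviewing a driver for this pattern, the check is the same as the one the model encodes: for every error return in a handler, confirm whether the caller's error path also completes the job, and complete it in exactly one of the two places.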
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A double free in a kernel driver enables local memory corruption that can be exploited for privilege escalation (T1068); it also supports denial of service via kernel panic, but the primary mapping is escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of the double free flaw in the qla2xxx driver via kernel patches to prevent kernel panics and exploitation.
- SI-11 (Error Handling): Requires secure error handling to prevent failure paths in qla_bsg.c from invoking bsg_done() twice, addressing the root cause of the double free.
- Memory protection: Deploys memory protection mechanisms that mitigate exploitation of the double free vulnerability by restricting unauthorized memory access and corruption.