Cyber Resilience

CVE-2026-23306

Severity: High (Updated)

Published: 25 March 2026
Modified: 28 May 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0002 (4.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23306 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 4.9th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST 800-53 controls SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23306 is a use-after-free vulnerability in the Linux kernel's pm8001 SCSI driver, specifically in the pm8001_queue_command() function. The issue stems from the refactor in commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()"), which introduced a double free. When the driver encounters a phy down or device gone state, pm8001_queue_command() updates the task status, calls task_done (which frees the underlying SAS task), and then returns -ENODEV to the caller. The libsas caller, sas_ata_qc_issue(), treats that error as "task not handled by the driver" and frees the task a second time.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The bug is reached in the error path described above during SCSI command queuing; the resulting double free is kernel memory corruption, which is why the vector rates confidentiality, integrity and availability impact as high.

Mitigation is to apply the relevant stable kernel patches, available at the following git.kernel.org commits: https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7, https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7, https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3, https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b, and https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4. The fix makes pm8001_queue_command() return 0 in this path, signalling to the caller that the task was already handled, so the caller does not free it again.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command(). Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
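The ownership contract that both the analysis above and the commit text describe, as an added C model that is not the kernel's code: the sas_task structure, the task_done stand-in, the ENODEV value and the caller are constructed for illustration, and a release counter replaces a real free so the double release is observable without undefined behaviour.

```c
/* Constructed model of the libsas / pm8001 ownership contract described above,
 * not kernel code: releases are counted instead of calling free(), avoiding heap UB. */
#define ENODEV 19

struct sas_task {
    int phy_down;       /* constructed flag: "phy down / device gone" state */
    int release_count;  /* times the task was released (stands in for free) */
};

/* Driver's task_done stand-in: completes the task upward and releases it. */
static void task_done(struct sas_task *task) { task->release_count++; }

/* Shape of the bug: the task is released here, yet -ENODEV tells the caller it
 * was never handled. */
static int queue_command_buggy(struct sas_task *task)
{
    if (task->phy_down) {
        task_done(task);
        return -ENODEV;
    }
    return 0;
}

/* Shape of the fix: once task_done() has run the task is handled, so return 0
 * and the caller leaves it alone. */
static int queue_command_fixed(struct sas_task *task)
{
    if (task->phy_down)
        task_done(task);
    return 0;
}

/* Caller modelled on sas_ata_qc_issue(): a non-zero return means the LLDD did
 * not take the task, so the caller cleans it up (releases it) itself. */
static int qc_issue(int (*lldd_queue)(struct sas_task *), struct sas_task *task)
{
    int rc = lldd_queue(task);
    if (rc)
        task->release_count++;
    return rc;
}

/* Submit one phy-down task through a driver path and count its releases:
 * 1 is correct, 2 is the double free. */
int releases_for(int (*lldd_queue)(struct sas_task *))
{
    struct sas_task task = { .phy_down = 1, .release_count = 0 };
    qc_issue(lldd_queue, &task);
    return task.release_count;
}
```

The same check generalises to any LLDD path that completes a task itself: a driver that has called task_done() must report success to libsas, because the error return hands ownership back to a caller that no longer owns a live object.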

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local double free in a kernel SCSI driver gives a low-privileged user a memory corruption primitive in kernel context, which is the pattern T1068 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0 · 5.18 to 6.1.167 · 6.2 to 6.6.130 · 6.7 to 6.12.77

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): timely identification, reporting and patching of the double free in the pm8001_queue_command() function of the Linux kernel pm8001 SCSI driver, using the stable commits listed above.

Detect (RA-5 Vulnerability Monitoring and Scanning): vulnerability scanning identifies hosts running Linux kernel versions in the affected ranges for CVE-2026-23306 before they are exploited.

Prevent: kernel memory protections such as KASLR and SMEP raise the cost of turning the use-after-free memory corruption into code execution. They do not remove the double free, so they complement patching rather than replace it.
