CVE-2026-23306
Published: 25 March 2026
Summary
CVE-2026-23306 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 4.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23306 is a use-after-free vulnerability in the Linux kernel's pm8001 SCSI driver, specifically in pm8001_queue_command(). The issue stems from the refactor in commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()"), which turned the phy down / device gone error path into a double free. On that path pm8001_queue_command() updates the task status, calls task_done (which completes and frees the underlying SAS task), and then still returns -ENODEV to the caller. libsas's sas_ata_qc_issue() treats a non-zero return as "the LLDD never queued this task", so it cleans up and frees the task a second time. The root cause is a mismatch in the ownership contract: the return value is what tells the upper layer whether it still owns the task, and the driver released the task while signalling that it had not.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction, as indicated by its CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 7.8). The bug is reachable only in the error path of SCSI command queuing on hosts that use the pm8001 driver, and it yields a kernel double free, a memory-corruption primitive that can lead to high impacts on confidentiality, integrity, and availability.
Mitigation requires applying the relevant stable kernel patches, available at the following git.kernel.org commits: https://git.kernel.org/stable/c/227ff4af00abc40b95123cc27ee8079069dcd8d7, https://git.kernel.org/stable/c/38353c26db28efd984f51d426eac2396d299cca7, https://git.kernel.org/stable/c/824a7672e3540962d5c77d4c6666254d7aa6f0b3, https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b034009f638d0f311b, and https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb0423f11586f15c4. The fix makes pm8001_queue_command() return 0 in this path, telling the caller that the task has already been handled, so the second free never happens.
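To make the ownership contract concrete, the following is an added user-space model of the error path described above and of the fix. It is not the pm8001 driver's code and not the kernel's libsas: the struct, the queue functions and the caller are simplified stand-ins with invented names, and a counter replaces kfree() so that the second release can be counted instead of corrupting the heap. The caller frees the task on any non-zero return, exactly the assumption sas_ata_qc_issue() makes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct sas_task (not the kernel's definition).
 * free_count records how many times the task was "freed", so a double free
 * becomes an observable number rather than undefined behaviour. */
struct sas_task {
    int status;
    int free_count;
    void (*task_done)(struct sas_task *task);
};

/* Stand-in for handing the task back to its allocator. */
static void release_task(struct sas_task *task)
{
    task->free_count++;
}

/* Completion callback the LLDD invokes through task->task_done. In the real
 * stack this is where the upper layer finishes the task and frees it. */
static void upper_layer_task_done(struct sas_task *task)
{
    release_task(task);
}

/* Pre-fix behaviour on the phy down / device gone path: the task is
 * completed (and therefore freed) through task_done, yet -ENODEV is still
 * returned, which tells the caller the task was never accepted. */
static int queue_command_before_fix(struct sas_task *task, bool device_gone)
{
    if (device_gone) {
        task->status = -ENODEV;
        task->task_done(task);   /* task released here */
        return -ENODEV;          /* caller will release it again */
    }
    return 0;                    /* task stays queued, completes later */
}

/* Post-fix behaviour: same completion, but return 0 so the caller knows the
 * LLDD took ownership and must not touch the task again. */
static int queue_command_after_fix(struct sas_task *task, bool device_gone)
{
    if (device_gone) {
        task->status = -ENODEV;
        task->task_done(task);
        return 0;
    }
    return 0;
}

/* Model of the libsas caller: a non-zero return from the LLDD means
 * "task not queued", so the caller cleans the task up itself. Returns how
 * many times the task was released by the end of the issue path. */
static int issue_through(int (*queue_fn)(struct sas_task *, bool),
                         bool device_gone)
{
    struct sas_task *task = calloc(1, sizeof(*task));
    int frees;

    if (!task)
        return -1;
    task->task_done = upper_layer_task_done;

    if (queue_fn(task, device_gone) != 0)
        release_task(task);      /* caller believes it still owns the task */

    frees = task->free_count;
    free(task);                  /* dispose of the model object itself */
    return frees;
}

int frees_before_fix_device_gone(void)   { return issue_through(queue_command_before_fix, true); }
int frees_after_fix_device_gone(void)    { return issue_through(queue_command_after_fix, true); }
int frees_after_fix_device_present(void) { return issue_through(queue_command_after_fix, false); }

int main(void)
{
    printf("before fix, device gone:   task released %d time(s)\n",
           frees_before_fix_device_gone());
    printf("after fix, device gone:    task released %d time(s)\n",
           frees_after_fix_device_gone());
    printf("after fix, device present: task released %d time(s) at issue\n",
           frees_after_fix_device_present());
    return 0;
}
```

The pre-fix path releases the task twice (once in task_done, once in the caller), the fixed path once, and the normal path not at all at issue time because the task is still queued and is only released on completion. The general lesson is the one this CVE illustrates: when a callee can complete a request on the caller's behalf, its return value is part of the ownership protocol, and an error code that says "not handled" must never be returned after the object has already been released.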
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15246
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.
CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A local user with low privileges who can reach the pm8001 error path obtains a kernel double free, a heap memory-corruption primitive that can be used to escalate from an unprivileged context to kernel-level control.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): identify, report, and patch the double free in pm8001_queue_command() in a timely manner by deploying a kernel that carries one of the stable fixes listed above; this is the only mitigation that removes the bug.
RA-5 (Vulnerability Monitoring and Scanning): scan for kernel builds that predate the fix for CVE-2026-23306 before they can be exploited. Only hosts where the pm8001 driver is built in or loaded expose the vulnerable path, so inventory of that driver is a useful way to prioritise remediation.
Kernel memory protections such as KASLR and SMEP raise the cost of turning the double free into code execution, but they do not prevent the memory corruption itself and should be treated as defence in depth, not as a substitute for the driver fix.