Listen to this Post
CVE-2025-71238 is a vulnerability in the Linux kernel’s `qla2xxx` SCSI driver, specifically in the `qla_bsg.c` file which handles SCSI Generic (bsg) requests for QLogic Fibre Channel adapters. The flaw stems from inconsistent error handling in routines like `qla2x00_process_vendor_specific` and qla24xx_bsg_request. Normally, the `bsg_done()` function is called only after successfully processing a request to free associated resources. However, due to a coding error, certain failure paths also invoke bsg_done(). If a request fails after resources have been partially or fully cleaned up, this duplicate call attempts to free memory that has already been released. This double free corrupts the kernel memory manager’s state. When the system later tries to access this freed memory (for example, during a subsequent `sg_copy_buffer` operation as seen in the crash log), it triggers a page fault because the memory mapping is no longer valid, leading to an immediate kernel panic and system crash .
dailycve form:
Platform: Linux Kernel
Version: Multiple versions
Vulnerability: Double Free
Severity: Medium
date: March 4, 2026
Prediction: Patches applied
What Undercode Say:
Analytics:
- Vulnerability Type: Improper resource cleanup in error-handling paths .
- Affected Component: `qla2xxx` driver, files `qla_bsg.c` .
- Attack Vector: Local, requiring access to SCSI BSG interface .
- Privileges Required: Root or `CAP_SYS_RAWIO` .
- Discovered: Via kernel crash dumps showing page faults during DMA .
Exploit:
The vulnerability is triggered by inducing a failure during a vendor-specific BSG command to a QLogic HBA. No public exploit code is required; the flaw is in the error path itself. The fix involved reordering operations to prevent the double free.
// Patch from qla_bsg.c
qla2x00_bsg_job_done(void ptr, int res)
{
struct bsg_job bsg_job = sp->u.bsg_job;
struct fc_bsg_reply bsg_reply = bsg_job->reply;
+ sp->free(sp);
+
bsg_reply->result = res;
bsg_job_done(bsg_job, bsg_reply->result,
bsg_reply->reply_payload_rcv_len);
- sp->free(sp);
}
To check your system’s vulnerability:
Check your current kernel version uname -r Check if the qla2xxx module is loaded lsmod | grep qla2xxx View kernel messages for related crashes (as root) dmesg | grep -E "qla2xxx|page fault|double free" | tail -20
Protection from this CVE:
- Apply the latest stable kernel updates from your distribution .
- If the system cannot be patched immediately, restrict access to the BSG interface :
sudo chmod 600 /dev/bsg/
- Avoid running QLogic firmware update utilities until the kernel is patched .
- Monitor system logs for kernel panics involving the `qla2xxx` driver .
Impact:
Successful exploitation leads to a denial of service (system crash/kernel panic). In enterprise environments with QLogic Fibre Channel HBAs, this can cause significant downtime and data unavailability. There is a potential for memory corruption that could, in theory, be leveraged for privilege escalation, though the primary observed impact is system instability .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

