PT-2026-22917 · Linux+1 · Linux Kernel+1

Published 2026-03-04 · Updated 2026-05-26 · CVE-2025-71238

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.14.0-503.34.1.el9_5

Description

The Linux kernel contains a flaw within the qla2xxx SCSI driver related to the bsg_done() function. Specifically, certain routines in qla_bsg.c incorrectly call bsg_done() in both success and failure scenarios, leading to a double-free condition. This can result in a kernel panic, as demonstrated by observed system crashes and page fault errors. The issue stems from a lack of proper validation before invoking bsg_done().

Recommendations

Update the Linux kernel to version 5.14.0-503.34.1.el9_5 or a later version to address this issue.

Exploit

Fix

DoS

Double Free

Weakness Enumeration

Related Identifiers

ALSA-2026:6053
ALSA-2026:6571
ALSA-2026:6572
AZL-78647
CVE-2025-71238
ECHO-FB35-6C16-70F7
OESA-2026-1760
OPENSUSE-SU-2026:10387-1
OPENSUSE-SU-2026:20826-1
RHSA-2026:10756
RHSA-2026:13664
RHSA-2026:13932
RHSA-2026:14165
RHSA-2026:19875
RHSA-2026:6053
RHSA-2026:6571
RHSA-2026:6572
RHSA-2026:6954
RHSA-2026:8342
RHSA-2026:9870
SUSE-SU-2026:2068-1
SUSE-SU-2026:21841-1
SUSE-SU-2026:21845-1
SUSE-SU-2026:21860-1
SUSE-SU-2026:21876-1
SUSE-SU-2026:21877-1
SUSE-SU-2026:21916-1
SUSE-SU-2026:21919-1
SUSE-SU-2026:2217-1
SUSE-SU-2026:2238-1

Affected Products

Linux Kernel
Rocky Linux