CVE-2025-71238 Overview
CVE-2025-71238 is a double free vulnerability in the Linux kernel's qla2xxx SCSI driver that can cause kernel panics and system crashes. The vulnerability exists in the bsg_done() function handling within the qla_bsg.c file, where certain error paths incorrectly invoke bsg_done() for failure cases, leading to a double free condition when memory is freed twice.
Critical Impact
This vulnerability can cause complete system crashes (kernel panic) on systems using QLogic Fibre Channel HBAs, affecting enterprise storage infrastructure and high-availability environments.
Affected Products
- Linux Kernel with qla2xxx SCSI driver module
- Systems using QLogic Fibre Channel Host Bus Adapters (HBAs)
- HPE ProLiant servers and other enterprise systems running affected kernel versions
Discovery Timeline
- 2026-03-04 - CVE-2025-71238 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2025-71238
Vulnerability Analysis
The vulnerability stems from improper memory management in the qla2xxx SCSI driver's BSG (Block layer SCSI Generic) request handling. When processing vendor-specific commands through qla2x00_process_vendor_specific() and qla24xx_bsg_request(), certain error conditions trigger a call to bsg_done() even when the function has already been invoked or when the associated memory structures have already been freed.
The kernel panic stack trace reveals the crash occurs in memcpy_erms() during scatter-gather buffer copy operations (sg_copy_buffer()), indicating that the double free corruption has left memory structures in an invalid state. The page fault at address ff5f5e897b024000 with supervisor write access shows that the kernel attempted to access memory that had already been freed and potentially reallocated.
Root Cause
The root cause lies in inconsistent error handling patterns within the qla_bsg.c file. Most routines in this file call bsg_done() only for success cases, completing the BSG request and freeing associated resources. However, a few code paths incorrectly invoke bsg_done() during failure handling as well. When these failure paths are taken after resources have already been partially or fully cleaned up, the duplicate call to bsg_done() attempts to free memory that is no longer valid, resulting in a double free condition.
Attack Vector
The vulnerability is triggered through the BSG interface when firmware update or vendor-specific SCSI commands are issued to QLogic Fibre Channel adapters. The attack vector requires local access to the system with sufficient privileges to interact with the SCSI BSG interface, typically requiring root or CAP_SYS_RAWIO capabilities.
The vulnerability manifests when error conditions occur during BSG request processing. The double free can corrupt kernel memory structures, potentially leading to:
- Immediate kernel panic and system crash (as observed in the error logs)
- Memory corruption affecting other kernel subsystems
- Potential for exploitation if an attacker can control memory allocation patterns
The call trace from the kernel panic shows the execution path: qla24xx_bsg_request() → qla2x00_process_vendor_specific() → sg_copy_buffer() → memcpy_erms(), where the crash occurs due to accessing freed memory.
Detection Methods for CVE-2025-71238
Indicators of Compromise
- Kernel panic messages containing "BUG: unable to handle page fault" with qla2xxx or qla_bsg in the call trace
- System crashes during QLogic HBA firmware updates or vendor-specific operations
- Oops messages indicating double free or use-after-free conditions in SCSI subsystem
- Call traces showing qla2x00_process_vendor_specific or qla24xx_bsg_request functions
Detection Strategies
- Monitor /var/log/messages and /var/log/kern.log for kernel panic messages referencing qla2xxx driver
- Deploy kernel crash dump analysis to identify double free patterns in qla_bsg.c functions
- Use KASAN (Kernel Address Sanitizer) in development/test environments to detect memory corruption issues
- Monitor for unexpected system reboots on servers with QLogic Fibre Channel adapters
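The log-monitoring strategy above can be turned into a small check that correlates a "BUG: unable to handle page fault" line with a qla2xxx BSG frame in the call trace that follows it, rather than alerting on either string alone. This is an added example, not part of the advisory or of the kernel project; the sample log lines are constructed for illustration (hostname, timestamps and symbol offsets are assumptions), and only the page-fault address and the function names come from the advisory.

```shell
#!/bin/sh
# Added example: flag kernel-log entries carrying the CVE-2025-71238 crash
# signature (page-fault BUG followed by a qla2xxx BSG frame in the trace).

# Constructed sample log in syslog/kern.log form (assumption: this layout).
# First oops: the qla2xxx BSG signature. Second oops: unrelated driver.
qla_sample_log() {
    cat <<'EOF'
Mar  4 10:12:01 host kernel: BUG: unable to handle page fault for address: ff5f5e897b024000
Mar  4 10:12:01 host kernel: #PF: supervisor write access in kernel mode
Mar  4 10:12:01 host kernel: Call Trace:
Mar  4 10:12:01 host kernel:  memcpy_erms+0x6/0x10
Mar  4 10:12:01 host kernel:  sg_copy_buffer+0x8a/0x120
Mar  4 10:12:01 host kernel:  qla2x00_process_vendor_specific+0x2c3/0x800 [qla2xxx]
Mar  4 10:12:01 host kernel:  qla24xx_bsg_request+0x1e5/0x240 [qla2xxx]
Mar  4 10:12:01 host kernel: ---[ end trace 0000000000000000 ]---
Mar  4 11:02:17 host kernel: BUG: unable to handle page fault for address: 0000000000000008
Mar  4 11:02:17 host kernel: Call Trace:
Mar  4 11:02:17 host kernel:  some_other_driver_fn+0x10/0x40 [otherdrv]
Mar  4 11:02:17 host kernel: ---[ end trace 0000000000000000 ]---
Mar  4 11:30:45 host kernel: e1000e 0000:00:19.0 eth0: NIC Link is Up
EOF
}

# qla_bsg_crash_signature FILE
# Prints how many page-fault BUG reports in FILE have a qla2xxx BSG frame
# (qla24xx_bsg_request, qla2x00_process_vendor_specific or qla_bsg) in the
# trace that follows them. A BUG line opens a window; the window closes at
# the "end trace" marker, so a qla frame elsewhere in the log is not counted.
qla_bsg_crash_signature() {
    awk '
        /BUG: unable to handle page fault/ { in_bug = 1; next }
        in_bug && /qla24xx_bsg_request|qla2x00_process_vendor_specific|qla_bsg/ {
            hits++; in_bug = 0
        }
        /---\[ end trace/ { in_bug = 0 }
        END { print hits + 0 }
    ' "$1"
}

# qla_bsg_crash_found FILE: exit status 0 when at least one signature matched,
# convenient for cron/alerting wrappers.
qla_bsg_crash_found() {
    [ "$(qla_bsg_crash_signature "$1")" -gt 0 ]
}

# Usage: ./qla_bsg_check.sh /var/log/kern.log
if [ -n "${1:-}" ]; then
    if qla_bsg_crash_found "$1"; then
        echo "qla2xxx BSG crash signature present in $1"
    else
        echo "no qla2xxx BSG crash signature in $1"
    fi
fi
```

Run against the constructed sample the check reports exactly one match: the second oops has a page-fault BUG line but no qla2xxx frame, and the "NIC Link is Up" line is ignored entirely. Pointing the script at /var/log/kern.log gives the alert condition the "Detection Strategies" list describes.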
Monitoring Recommendations
- Enable kernel crash dumps (kdump) to capture diagnostic information during kernel panics
- Implement automated log monitoring for SCSI and qla2xxx driver error messages
- Track system stability metrics on servers with QLogic HBAs, particularly during maintenance windows
- Configure alerting for repeated kernel oops or panic events
How to Mitigate CVE-2025-71238
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree immediately
- Schedule maintenance windows for kernel updates on affected systems
- Defer firmware updates on QLogic HBAs until patched kernels are deployed
- Implement monitoring for kernel panics to quickly identify affected systems
Patch Information
The Linux kernel maintainers have released fixes through multiple stable kernel branches. The patch adds validation before calling bsg_done() to prevent the double free condition. The fix ensures that BSG completion is only invoked once per request, regardless of the error path taken.
Patches are available through the following kernel git commits:
- Kernel Git Commit 057a5bd
- Kernel Git Commit 27ac967
- Kernel Git Commit 31f33b8
- Kernel Git Commit 708003e
- Kernel Git Commit 74e7458
- Kernel Git Commit 871f623
- Kernel Git Commit c2c6822
- Kernel Git Commit f2bbb4d
Workarounds
- Restrict access to the BSG interface by limiting permissions on /dev/bsg/* device nodes
- Avoid running QLogic HBA firmware update utilities until the kernel is patched
- Consider temporarily blacklisting the qla2xxx module on systems where Fibre Channel is not critical
- Implement SELinux or AppArmor policies to restrict processes that can access SCSI BSG interfaces
# Restrict BSG device access temporarily
chmod 600 /dev/bsg/*
# Check current qla2xxx module status
lsmod | grep qla2xxx
# Print the running kernel version to compare against the patched versions your distribution ships
uname -r
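The permission workaround above can be made auditable: list the BSG device nodes that are group- or world-writable, tighten only those, and report what changed. This is an added example, not part of the advisory or of the kernel project; it takes the directory as a parameter so it can be exercised on a scratch copy, and the default of /dev/bsg is an assumption about where the kernel exposes BSG nodes.

```shell
#!/bin/sh
# Added example: audit and tighten BSG device node permissions, and report
# whether qla2xxx is loaded, as supporting steps for the workarounds above.

# bsg_loose_nodes [DIR]
# Print nodes under DIR (default /dev/bsg, an assumption) whose mode lets
# group or others write, i.e. nodes an unprivileged process could issue
# vendor-specific BSG requests to. POSIX find's -perm -MODE matches when all
# bits in MODE are set, so -020 is group-write and -002 is other-write.
bsg_loose_nodes() {
    dir="${1:-/dev/bsg}"
    [ -d "$dir" ] || return 0
    find "$dir" ! -type d \( -perm -020 -o -perm -002 \) | sort
}

# bsg_restrict_nodes [DIR]
# chmod 600 every loose node under DIR (the advisory's workaround) and print
# the number of nodes that were changed.
bsg_restrict_nodes() {
    dir="${1:-/dev/bsg}"
    count=0
    for node in $(bsg_loose_nodes "$dir"); do
        chmod 600 "$node" && count=$((count + 1))
    done
    echo "$count"
}

# qla2xxx_loaded: exit status 0 when the qla2xxx module appears in
# /proc/modules (the same information "lsmod | grep qla2xxx" shows).
qla2xxx_loaded() {
    grep -q '^qla2xxx ' /proc/modules 2>/dev/null
}

# Usage: ./bsg_harden.sh --audit      (list loose nodes, change nothing)
#        ./bsg_harden.sh --apply      (tighten them)
case "${1:-}" in
    --audit)
        bsg_loose_nodes
        if qla2xxx_loaded; then echo "qla2xxx: loaded"; else echo "qla2xxx: not loaded"; fi
        ;;
    --apply)
        echo "restricted $(bsg_restrict_nodes) node(s)"
        ;;
esac
```

Running with --audit first shows which nodes the chmod would touch; --apply performs the change. Note that udev may recreate the nodes with default permissions on the next device event, so a persistent restriction belongs in a udev rule or the SELinux/AppArmor policy mentioned above rather than in a one-off chmod.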
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.