CVE-2026-43414 Overview
CVE-2026-43414 is a double free vulnerability in the Linux kernel's qla2xxx SCSI driver, which supports QLogic Fibre Channel host bus adapters. The flaw resides in the qla24xx_els_dcmd_iocb() function, where the fcport structure can be freed twice during error handling. When kref_put() releases the final reference, it triggers qla2x00_sp_release(), which runs the registered sp->free callback (qla2x00_els_dcmd_sp_free()); that callback frees fcport through qla2x00_free_fcport(), and the error path then calls qla2x00_free_fcport() a second time. The condition corrupts kernel memory and can lead to privilege escalation or denial of service.
Critical Impact
A successful exploit allows attackers to corrupt kernel memory through a double free of the fcport structure, potentially resulting in arbitrary code execution in kernel context.
Affected Products
- Linux kernel versions containing the unpatched qla2xxx SCSI driver
- Systems using QLogic Fibre Channel host bus adapters with the qla24xx code path
- Distributions shipping affected stable kernel branches prior to the fix commits
Discovery Timeline
- 2026-05-08 - CVE-2026-43414 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43414
Vulnerability Analysis
The qla2xxx driver handles Extended Link Service (ELS) commands through qla24xx_els_dcmd_iocb(). This function assigns qla2x00_els_dcmd_sp_free() as the cleanup callback by setting sp->free. The cleanup callback is responsible for releasing the fcport structure with qla2x00_free_fcport().
When an error occurs during command submission, the driver calls kref_put() on the service request. Because this drops the final reference, kref_put() runs qla2x00_sp_release(), which invokes the registered sp->free callback. The callback then frees fcport. The original error-handling code subsequently frees fcport a second time, producing a classic double free condition.
The vulnerability is categorized as Double Free, a memory corruption flaw that can be leveraged for arbitrary kernel memory writes when combined with heap manipulation primitives.
Root Cause
The root cause is duplicated ownership tracking of the fcport structure between the synchronous error path in qla24xx_els_dcmd_iocb() and the asynchronous cleanup callback registered via sp->free. Both paths assume responsibility for releasing the same allocation, and there is no flag or null assignment preventing the second free after kref_put() completes.
Attack Vector
Triggering the bug requires reaching the error path in qla24xx_els_dcmd_iocb() on a system using affected QLogic Fibre Channel hardware or driver code. Once the double free occurs, an attacker controlling subsequent slab allocations can manipulate kernel objects placed in the freed memory region. This primitive can be escalated to kernel code execution or used to crash the host, depending on slab cache reuse and the attacker's local access.
The vulnerability is described in the upstream commits referenced below. See the Linux Kernel Commit c0b7da13 and Linux Kernel Commit d48ea854 for the complete fix.
Detection Methods for CVE-2026-43414
Indicators of Compromise
- Unexpected kernel panics or BUG: KASAN: double-free messages referencing qla2x00_free_fcport in dmesg output
- Slab corruption warnings (SLUB: double free detected) tied to the qla2xxx driver
- Repeated Fibre Channel ELS command failures preceding kernel instability
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test systems to catch double free conditions in the SCSI subsystem
- Audit installed kernel package versions against vendor advisories that backport the upstream fix commits
- Correlate hardware error logs from Fibre Channel HBAs with kernel oops events to identify exploitation attempts
Monitoring Recommendations
- Forward /var/log/kern.log and dmesg output to a centralized logging platform for anomaly detection on SCSI and qla2xxx subsystem messages
- Monitor host uptime and unexplained reboots on storage and SAN-attached servers
- Track unauthorized loading or modification of the qla2xxx kernel module via auditd rules on /lib/modules
How to Mitigate CVE-2026-43414
Immediate Actions Required
- Apply the upstream kernel patches from commits c0b7da13a04b and d48ea85463f5 or update to a distribution kernel that includes the backport
- Inventory systems using QLogic Fibre Channel HBAs and prioritize patching for SAN-attached storage hosts
- Restrict local access on affected systems until the patched kernel is deployed
Patch Information
The fix removes the duplicate free of fcport in the error path of qla24xx_els_dcmd_iocb(), leaving cleanup exclusively to the sp->free callback after kref_put() releases the final reference. The patches are available at Linux Kernel Commit c0b7da13 and Linux Kernel Commit d48ea854. Apply vendor-provided kernel updates from your Linux distribution as soon as they become available.
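The ownership rule described under Root Cause and restored by this patch, as an added user-space C model (not the qla2xxx driver source and not code from the upstream commits). All struct and function names are hypothetical stand-ins, and the release is counted rather than performed so the pre-patch error path can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model; every name here is a hypothetical stand-in. */
struct fcport { int releases; };        /* counts releases instead of freeing */
struct srb {
    int refcount;                       /* stands in for the kref */
    struct fcport *fcport;
    void (*free)(struct srb *sp);       /* cleanup callback, like sp->free */
};

static void free_fcport(struct fcport *fc) { fc->releases++; } /* kernel: kfree */

/* Registered callback: the single owner of the fcport release. */
static void els_dcmd_sp_free(struct srb *sp) { free_fcport(sp->fcport); }

/* kref_put() analogue: dropping the last reference runs the release step. */
static void sp_put(struct srb *sp)
{
    if (--sp->refcount == 0) {
        sp->free(sp);
        free(sp);
    }
}

/* start_rc != 0 simulates a failed submission; patched selects the error path.
 * Model simplification: completion is immediate, so both outcomes end in a put. */
static int els_dcmd_iocb(struct fcport *fc, int start_rc, int patched)
{
    struct srb *sp = calloc(1, sizeof(*sp));
    if (!sp)
        return -1;
    sp->refcount = 1;
    sp->fcport = fc;
    sp->free = els_dcmd_sp_free;
    sp_put(sp);                         /* final put: callback releases fcport */
    if (start_rc != 0 && !patched)
        free_fcport(fc);                /* pre-patch: second release, double free */
    return start_rc;
}

/* Number of times fcport is released when submission fails. */
int releases_on_error(int patched)
{
    struct fcport fc = { 0 };
    els_dcmd_iocb(&fc, -1, patched);
    return fc.releases;
}

int main(void)
{
    printf("pre-patch: %d, patched: %d\n",
           releases_on_error(0), releases_on_error(1));
    return 0;
}
```

A release count of 2 on the pre-patch path is the double free; the patched path leaves the callback as the only releaser.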
Workarounds
- Unload the qla2xxx module on systems that do not require Fibre Channel connectivity using modprobe -r qla2xxx
- Blacklist the qla2xxx driver in /etc/modprobe.d/ on hosts without QLogic HBAs to prevent automatic loading
- Limit local user access and tighten container escape boundaries on affected systems until patching completes
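# Blacklist the qla2xxx module on systems that do not require it
echo "blacklist qla2xxx" | sudo tee /etc/modprobe.d/blacklist-qla2xxx.conf
# Rebuild the initramfs so the blacklist also applies during early boot
# (update-initramfs is the Debian/Ubuntu tool; RHEL-family systems use dracut -f)
sudo update-initramfs -u
sudo reboot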