Use-After-Free Vulnerability in Linux Kernel SCSI Module by Vendor
CVE-2022-49730

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 26 February 2025

Summary

A use-after-free vulnerability has been identified in the Linux kernel's SCSI module. This issue arises when an ELS LOGO (Extended Link Services Log Out) operation is aborted, leading to a potential crash due to the improper handling of the nodelist structure. Upon prematurely releasing the structure, the configuration log verbosity setting for the respective vport may still be accessed, which can result in undefined behaviors or system instability. To mitigate this vulnerability, the lpfc_cmpl_els_logo() function has been adjusted to restrict the possibility of duplicate calls that lead to the release of the nodelist, ensuring safe and reliable handling of resource management.

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5e83869e29448958f8ae2c6911f350318f75e4fc

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

References

https://git.kernel.org/stable/c/5e83869e29448958f8ae2c691...

https://git.kernel.org/stable/c/eea34ce23dc3a595695856dc7...

https://git.kernel.org/stable/c/b1b3440f437b75fb2a9b0cfe5...

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Feb 26, 2025