{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: scsi: qedi: Fix use after free bug in qedi_remove()", "id" : "2425099", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425099" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: qedi: Fix use after free bug in qedi_remove()\nIn qedi_probe() we call __qedi_probe() which initializes\n&qedi->recovery_work with qedi_recovery_handler() and\n&qedi->board_disable_work with qedi_board_disable_work().\nWhen qedi_schedule_recovery_handler() is called, schedule_delayed_work()\nwill finally start the work.\nIn qedi_remove(), which is called to remove the driver, the following\nsequence may be observed:\nFix this by finishing the work before cleanup in qedi_remove().\nCPU0 CPU1\n|qedi_recovery_handler\nqedi_remove |\n__qedi_remove |\niscsi_host_free |\nscsi_host_put |\n//free shost |\n|iscsi_host_for_each_session\n|//use qedi->shost\nCancel recovery_work and board_disable_work in __qedi_remove().", "A use-after-free vulnerability was found in the Linux kernel's QLogic qedi iSCSI driver. When the driver is removed via qedi_remove(), the SCSI host structure may be freed while recovery_work or board_disable_work are still running. The work handlers then access the freed qedi->shost structure, causing a use-after-free condition." ], "statement" : "This flaw affects systems with QLogic iSCSI HBAs using the qedi driver. The race condition occurs during driver removal when recovery or board disable operations are in progress. While the UAF requires specific timing between driver removal and recovery work execution, it can cause kernel crashes on affected systems.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54100\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54100\nhttps://lore.kernel.org/linux-cve-announce/2025122410-CVE-2023-54100-91a9@gregkh/T" ], "name" : "CVE-2023-54100", "mitigation" : { "value" : "To mitigate this issue, ensure no iSCSI sessions are active before removing the qedi driver, or prevent the qedi module from being loaded if not required. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }