vulnerability
Oracle Linux: CVE-2025-40343: ELSA-2026-50006: Unbreakable Enterprise kernel security update (IMPORTANT)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:M/Au:M/C:P/I:P/A:C) | Dec 9, 2025 | Jan 15, 2026 | Jan 15, 2026 |
Severity
5
CVSS
(AV:L/AC:M/Au:M/C:P/I:P/A:C)
Published
Dec 9, 2025
Added
Jan 15, 2026
Modified
Jan 15, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
A flaw was found in the Linux kernel's NVMe over Fibre Channel (nvmet-fc) target subsystem. When forcefully shutting down a port through the configfs interface, both nvmet_port_del_ctrls() and nvmet_disable_port() schedule association deletions. Due to insufficient synchronization, the same work item can be scheduled twice, leading to a double-free condition where resources are freed by the first work item and then the same work item attempts to free them again. This can cause memory corruption, system crashes, or potentially be exploited for privilege escalation.
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
A flaw was found in the Linux kernel's NVMe over Fibre Channel (nvmet-fc) target subsystem. When forcefully shutting down a port through the configfs interface, both nvmet_port_del_ctrls() and nvmet_disable_port() schedule association deletions. Due to insufficient synchronization, the same work item can be scheduled twice, leading to a double-free condition where resources are freed by the first work item and then the same work item attempts to free them again. This can cause memory corruption, system crashes, or potentially be exploited for privilege escalation.
Solution
oracle-linux-upgrade-kernel-uek
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.