CVE-2024-26931: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26931 is a vulnerability in the Linux kernel's qla2xxx SCSI driver, discovered and disclosed in May 2024. The vulnerability occurs when the system is under memory stress and fails to properly handle command flushing during cable pull events, leading to a NULL pointer dereference (NVD).

The vulnerability manifests when the system is under memory stress and unable to allocate an SRB (SCSI Request Block) for error recovery during a cable pull event. The failure to flush commands causes the upper layer to modify scsi_cmnd structures. When memory becomes available and a subsequent cable pull occurs, the driver attempts to DMA unmap the SGL (Scatter Gather List) but accesses a null pointer, resulting in a system crash. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash due to NULL pointer dereference when attempting to DMA unmap the SGL during cable pull events under memory stress conditions (NVD).

A patch has been developed that adds a check to ensure commands are flushed back on session tear down to prevent the null pointer access. The fix has been incorporated into various Linux kernel versions including 5.14.0-427.37.1 for RHEL 9 (Red Hat).