SB2026041131 - openEuler 24.03 LTS update for kernel
Published: April 11, 2026
Breakdown by Severity: Low, Medium, High, Critical
Description
This security bulletin contains information about 45 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-68315)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within include/linux/f2fs_fs.h. A local user can perform a denial of service (DoS) attack.
2) Buffer overflow (CVE-ID: CVE-2025-68727)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory corruption within the ntfs_link_inode() function in fs/ntfs3/inode.c. A local user can perform a denial of service (DoS) attack.
3) Use-after-free (CVE-ID: CVE-2026-23231)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the nf_tables_addchain() function in net/netfilter/nf_tables_api.c. A local user can escalate privileges on the system.
4) Double free (CVE-ID: CVE-2026-23240)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the tls_sw_cancel_work_tx() function in net/tls/tls_sw.c. A local user can perform a denial of service (DoS) attack.
5) Buffer over-read (CVE-ID: CVE-2026-23245)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the net/sched act_gate component when handling action replacement while the hrtimer callback or dump path is walking the schedule list. A local user can trigger a race condition to cause a denial of service.
Exploitation requires access to the network scheduling subsystem and is possible because parameter updates lack proper synchronization.
6) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-23254)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the UDP GRO complete stage when handling network packets. A remote attacker can send specially crafted network packets to cause a denial of service.
The issue arises because the udp4_gro_complete() function uses an incorrect network offset to compute the outer UDP header pseudo checksum when the 'encapsulation' flag is set, leading to checksum validation errors and subsequent packet processing failures.
7) Out-of-bounds read (CVE-ID: CVE-2026-23255)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the /proc/net/ptype component when handling RCU-protected network device references. A local attacker can exploit a race condition during iteration of packet types to cause a denial of service.
The issue arises from missing RCU protection when accessing pt->dev in ptype_seq_show() and ptype_seq_next(), allowing concurrent modifications to trigger an RCU stall.
8) Use After Free (CVE-ID: CVE-2026-23270)
The vulnerability allows a local user to cause a use-after-free condition.
The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.
The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.
9) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23274)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the netfilter xt_IDLETIMER module when processing timer rules with reused labels. A local user can insert a revision 0 IDLETIMER rule with a label that was previously used by a revision 1 rule with XT_IDLETIMER_ALARM, leading to modification of an uninitialized timer_list object, which can trigger debugobjects warnings and potentially cause a kernel panic when panic_on_warn=1 is enabled.
Exploitation requires the ability to load netfilter rules. The impact is limited to denial of service via system crash under specific kernel configurations.
10) Uncontrolled Recursion (CVE-ID: CVE-2026-23276)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) when handling network packets in a specific tunnel and bonding configuration. A remote attacker can send specially crafted network traffic that triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), leading to kernel stack overflow and system crash.
The issue specifically occurs when a bond device in broadcast mode has GRE tap interfaces as slaves and those GRE tunnels route back through the bond, causing multicast/broadcast traffic to trigger unbounded recursion. The existing XMIT_RECURSION_LIMIT is insufficient because tunnel recursion consumes more stack per level due to route lookups and full IP output processing.
11) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.
Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.
12) Resource exhaustion (CVE-ID: CVE-2026-23278)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the netfilter nf_tables component when processing transaction batches containing multiple catchall elements. A local user can provide a specially crafted batch request to cause a denial of service.
Exploitation requires the ability to inject or modify netfilter rules via the nf_tables interface, which is typically restricted to privileged users. The issue occurs during transaction abort processing, leading to a use-after-free condition that triggers a kernel warning and system instability.
13) NULL Pointer Dereference (CVE-ID: CVE-2026-23293)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the VXLAN network driver when handling packets. A local user can send a specially crafted IPv6 packet into a VXLAN interface when IPv6 is disabled at boot time to trigger a kernel NULL pointer dereference and crash the system.
Exploitation requires the ability to inject packets into the VXLAN interface, which is typically available to local users or processes with network access.
14) NULL Pointer Dereference (CVE-ID: CVE-2026-23300)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the IPv6 routing subsystem when handling a standalone IPv6 nexthop object referencing the loopback device. A local user can create a specially crafted IPv6 nexthop and reference it from an IPv4 route to trigger a NULL pointer dereference in __mkroute_output(), leading to a system crash.
Successful exploitation may result in a kernel panic and denial of service.
15) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23302)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in socket state handling when processing network operations. A local user can trigger concurrent access to socket state variables to cause a denial of service.
The issue arises from improper synchronization of sk->sk_data_ready and sk->sk_write_space pointers during concurrent access by multiple CPUs.
16) Cleartext Storage of Sensitive Information (CVE-ID: CVE-2026-23303)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper output neutralization in the cifs_set_cifscreds function when handling debug logging. A local user can enable debug logging to disclose sensitive information.
The exposure of plaintext usernames and passwords occurs when debug logging is enabled, which may be accessible to local users with access to kernel logs.
17) NULL Pointer Dereference (CVE-ID: CVE-2026-23304)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the ipv6 routing subsystem when processing IPv6 packets. A remote attacker can send a specially crafted IPv6 packet to trigger a null pointer dereference in ip6_rt_get_dev_rcu(), leading to a system crash.
Exploitation does not require authentication or user interaction and occurs within the network stack during packet processing.
18) Improper Access Control (CVE-ID: CVE-2026-23310)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the bonding driver when changing the xmit_hash_policy to vlan+srcmac while an XDP program is loaded on a bond interface in 802.3ad or balance-xor mode. A local user can change the xmit_hash_policy to cause an inconsistent state, leading to failure in uninstalling the XDP program and triggering a kernel warning during bond device destruction.
The attacker must have the ability to configure bonding interface settings, which requires local access and privileges to modify network device parameters.
19) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23321)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the MPTCP subsystem when handling endpoint removal. A local user can send a specially crafted sequence of netlink commands to trigger a kernel warning and system instability.
The attacker must be able to create and remove MPTCP endpoints with specific flags and manipulate connection states, which requires access to the MPTCP netlink interface.
20) Integer overflow (CVE-ID: CVE-2026-23343)
The vulnerability allows a local user to execute arbitrary code or cause a denial of service due to memory corruption.
The vulnerability exists due to improper input validation in the XDP (eXpress Data Path) subsystem when handling packet tailroom calculations. A local user can trigger a negative tailroom value that is interpreted as a large unsigned integer, leading to out-of-bounds memory access during XDP frame processing.
The issue arises when Ethernet drivers report fragment sizes smaller than the actual truesize, causing incorrect tailroom computation in functions such as bpf_xdp_frags_increase_tail().
21) Use After Free (CVE-ID: CVE-2026-23351)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.
Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.
22) Memory corruption (CVE-ID: CVE-2026-23362)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the CAN BCM (Broadcast Manager) subsystem when handling runtime updates of bcm_op structures. A local user can send a specially crafted request to trigger a use of an uninitialized spinlock, leading to a system crash.
The issue specifically occurs in the bcm_rx_setup() function, where the bcm_tx_lock is not initialized when the RX_RTR_FRAME flag is set, which can lead to undefined behavior during lock operations.
23) Uncontrolled Recursion (CVE-ID: CVE-2026-23365)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to physical access requirement.
24) Incorrect Register Defaults or Module Parameters (CVE-ID: CVE-2026-23368)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.
The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.
25) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-23371)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the deadline scheduler (sched/deadline) when handling priority inheritance (PI) de-boosting. A local user can manipulate scheduling parameters via sched_setscheduler() on a SCHED_DEADLINE task that holds a PI mutex, leading to a missing ENQUEUE_REPLENISH flag and subsequent bandwidth accounting corruption, which may trigger a kernel warning and result in a denial of service.
Exploitation requires the ability to create and control SCHED_DEADLINE tasks and manipulate their scheduling policy while holding PI mutexes.
26) Out-of-bounds read (CVE-ID: CVE-2026-23375)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the file_thp_enabled() function when handling files on anonymous inodes during memory operations. A local user can trigger memory operations such as MADV_COLLAPSE, or rely on khugepaged activity, to cause a kernel crash or trigger erroneous memory failure reports.
Exploitation does not require elevated privileges but requires the ability to create or access files on anonymous inodes such as guest_memfd or secretmem. The impact includes system crash or spurious memory failure warnings in the kernel log.
27) NULL Pointer Dereference (CVE-ID: CVE-2026-23381)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the bridge component when handling packets. A remote attacker can send a specially crafted ICMPv6 Neighbor Discovery packet to trigger a kernel NULL pointer dereference.
IPv6 must be disabled via the 'ipv6.disable=1' kernel parameter for the vulnerability to be exploitable.
28) Resource exhaustion (CVE-ID: CVE-2026-23391)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the netfilter xt_CT module when handling packet queueing. A local user can trigger the queuing of packets that reference templates, which, upon removal of the template, are not properly flushed, leading to resource exhaustion and system instability.
Templates such as connection tracking helpers or timeout policies may be removed during module unloading or via nfnetlink_cttimeout, leaving packets enqueued without valid references.
29) Use After Free (CVE-ID: CVE-2026-23392)
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.
Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.
30) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23393)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the bridge CFM component when handling peer MEP deletion. A local user can trigger the deletion of a peer MEP, leading to a use-after-free condition if a delayed work item is rescheduled after cancellation but before memory is freed, resulting in a system crash.
The race condition occurs because br_cfm_frame_rx() runs in softirq context under RCU read lock and can re-schedule the delayed work between the cancellation and the memory release.
31) Double Free (CVE-ID: CVE-2026-23394)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the af_unix garbage collection mechanism when handling MSG_PEEK system calls. A local user can send a specially crafted sequence of system calls involving MSG_PEEK and socket closure to trigger incorrect garbage collection of active Unix domain sockets, leading to a denial of service.
The issue arises when MSG_PEEK increases a file reference count without synchronizing with garbage collection, causing the collector to incorrectly identify live sockets as dead and purge their receive queues.
32) Out-of-bounds write (CVE-ID: CVE-2026-23395)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the Bluetooth L2CAP component when handling L2CAP_ECRED_CONN_REQ packets. A remote attacker can send a specially crafted sequence of L2CAP connection requests with the same command identifier to cause an overflow in channel allocation, leading to a denial of service.
Exploitation requires proximity to initiate a Bluetooth connection. The issue arises from failure to check for duplicate command identifiers during Enhanced Credit Control connection setup.
33) Out-of-bounds read (CVE-ID: CVE-2026-23397)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the nfnetlink_osf component when handling TCP option fingerprints. A remote attacker can send a specially crafted request to cause a denial of service.
Exploitation involves sending malicious TCP packets with zero-length options or MSS options with length less than 4, leading to null pointer dereference and out-of-bounds reads during packet matching.
34) Memory leak (CVE-ID: CVE-2026-23399)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the nf_tables subsystem when handling stateful expressions in dynamic sets. A local user can trigger a memory leak by causing a failure during the cloning of stateful expressions, leading to unbounded memory consumption over time.
The issue occurs in the nft_dynset component when GFP_ATOMIC allocation fails, leaving the first stateful expression unreleased.
35) Improper resource shutdown or release (CVE-ID: CVE-2026-23401)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of SPTE updates in the KVM MMU when installing emulated MMIO SPTEs. A local user can trigger a page fault after host userspace modifies guest memory mappings to switch from a memslot to emulated MMIO, leading to an attempt to mark an already present SPTE as MMIO, which results in a kernel warning and a potential guest crash, i.e. a denial of service.
The issue arises when KVM fails to drop the existing shadow-present SPTE before installing an MMIO SPTE, resulting in inconsistent MMU state and triggering a kernel warning that can crash the guest.
36) Memory leak (CVE-ID: CVE-2026-23403)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the AppArmor subsystem when processing multiple profiles during profile unpacking. A local user can provide specially crafted profile data to cause a memory leak, leading to resource exhaustion.
Exploitation requires the ability to load AppArmor profiles, which is restricted to users with appropriate privileges.
37) Uncontrolled Recursion (CVE-ID: CVE-2026-23404)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor profile removal functionality when handling deeply nested profiles. A local attacker can send a specially crafted request to cause a denial of service.
Exploitation requires the ability to load AppArmor profiles and trigger their removal, which is typically available to unprivileged users on systems where AppArmor is enabled.
38) Resource exhaustion (CVE-ID: CVE-2026-23405)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the AppArmor policy namespace subsystem when creating nested policy namespaces. A local user can create deeply nested policy namespaces to cause a denial of service.
Exploitation requires the ability to create AppArmor policy namespaces, which is available to unprivileged users in a user namespace.
39) Double free (CVE-ID: CVE-2026-23408)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the AppArmor profile replacement component when processing user-supplied profile data. A local user can send a specially crafted request to cause a denial of service.
40) Resource exhaustion (CVE-ID: CVE-2026-23409)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor's differential encoding verification when processing encoded profile data. A local user can provide a specially crafted differential-encoded profile that creates loops in the chain to cause a denial of service.
Successful exploitation requires the ability to load AppArmor profiles, which is restricted to privileged users. However, since no additional authentication beyond standard system privileges is required, the attacker is modelled as a local user with low privileges in the context of this vulnerability.
41) Use-after-free (CVE-ID: CVE-2026-23410)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in AppArmor rawdata inode handling when opening rawdata files while simultaneously removing the corresponding profile. A local attacker can trigger a race condition to access freed memory and cause a denial of service.
42) Race condition (CVE-ID: CVE-2026-23411)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in AppArmor's i_private data management when filesystem callback functions are accessed after the reference has been removed. A local attacker can exploit the race between freeing the data and filesystem access to trigger a use-after-free condition and cause a denial of service.
The issue arises when the inode persists beyond AppArmor data cleanup and filesystem callbacks are invoked after the reference has been released. This race condition primarily affects data stored in i_private, including rawdata/loaddata interfaces.
43) Use-after-free (CVE-ID: CVE-2026-23413)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the clsact qdisc when handling init and destroy rollback after a replacement failure. A local attacker can trigger a replacement failure during clsact initialization to cause a denial of service.
The issue occurs because ingress may be initialized before egress initialization fails, after which destroy logic can operate on stale state from the previous clsact instance.
44) Memory leak (CVE-ID: CVE-2026-23414)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in tls_decrypt_async_wait() and the async_hold queue when processing pending asynchronous TLS decrypt operations. A local user can trigger a partial failure during message hold handling to cause a denial of service.
This issue results in a memory leak because cloned skbs added to the async_hold queue may not be released in some fallback paths after pending AEAD operations are synchronized. No user interaction is required.
45) Improper Privilege Management (CVE-ID: CVE-2026-31788)
The vulnerability allows a local user to escalate privileges and modify kernel memory contents, breaking secure boot protections.
The vulnerability exists due to improper access control in the Xen privcmd driver when handling hypercalls from user space processes in an unprivileged domU running with secure boot enabled. A local user can exploit this by issuing arbitrary hypercalls to escalate privileges and modify kernel memory, compromising the integrity of the secure boot environment.
Exploitation requires the user to have root privileges within the unprivileged domU guest. The impact is particularly severe when secure boot is enabled, as it allows bypassing memory integrity protections.
Remediation
Install the update from the vendor's website.