SB2026042426 - SUSE update for the Linux Kernel


Published: April 24, 2026

Security Bulletin ID: SB2026042426
Severity: Medium
Patch available: YES
Number of vulnerabilities: 40
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 8%, Low: 93%

Description

This security bulletin contains information about 40 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2024-38542)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the mana_ib_install_cq_cb() function in drivers/infiniband/hw/mana/cq.c. A local user can escalate privileges on the system.


2) Buffer overflow (CVE-ID: CVE-2025-39998)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the target_lu_gp_members_show() function in drivers/target/target_core_configfs.c. A local user can escalate privileges on the system.


3) Integer underflow (CVE-ID: CVE-2025-68794)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer underflow within the iomap_adjust_read_range() function in fs/iomap/buffered-io.c. A local user can execute arbitrary code.


4) Out-of-bounds read (CVE-ID: CVE-2025-71231)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the function in drivers/crypto/intel/iaa/iaa_crypto_main.c. A local user can perform a denial of service (DoS) attack.


5) Improper Resource Shutdown or Release (CVE-ID: CVE-2025-71268)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a resource management error in the Btrfs filesystem component when handling qgroup data during inline extent insertion. A local user can trigger a reservation leak in error paths to cause a denial of service.

The vulnerability specifically occurs if allocation of a path or transaction join fails, leading to unfreed qgroup reservations. This results in gradual resource exhaustion over time.


6) Resource exhaustion (CVE-ID: CVE-2025-71269)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the btrfs filesystem's qgroup data reservation handling when processing file writes that trigger a fallback from inline extent creation. A local user can perform file operations that cause an ENOSPC condition during inline extent creation, leading to incorrect release of qgroup data reservations while still proceeding with the normal COW path, resulting in unbalanced quota accounting and potential denial of service.

The attacker must have the ability to write to a btrfs filesystem and trigger space allocation under conditions of low available space; this typically requires low-privileged local access but does not require administrative privileges beyond standard user write permissions.


7) Double free (CVE-ID: CVE-2026-23030)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the rockchip_usb2phy_probe() function in drivers/phy/rockchip/phy-rockchip-inno-usb2.c. A local user can perform a denial of service (DoS) attack.


8) Input validation error (CVE-ID: CVE-2026-23047)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the calc_target() function in net/ceph/osd_client.c. A local user can perform a denial of service (DoS) attack.


9) Improper locking (CVE-ID: CVE-2026-23103)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the ipvlan_port_create(), ipvlan_uninit(), ipvlan_open(), ipvlan_stop(), ipvlan_link_new(), ipvlan_link_delete(), ipvlan_add_addr(), ipvlan_del_addr(), ipvlan_add_addr6(), ipvlan_addr6_validator_event() and ipvlan_addr4_validator_event() functions in drivers/net/ipvlan/ipvlan_main.c. A local user can perform a denial of service (DoS) attack.


10) Race condition within a thread (CVE-ID: CVE-2026-23120)

The vulnerability allows a local user to corrupt data.

The vulnerability exists due to a data race within the l2tp_tunnel_del_work() function in net/l2tp/l2tp_core.c. A local user can corrupt data.


11) Infinite loop (CVE-ID: CVE-2026-23136)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop within the osd_fault() function in net/ceph/osd_client.c. A local user can perform a denial of service (DoS) attack.


12) Use of uninitialized resource (CVE-ID: CVE-2026-23140)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the use of an uninitialized resource within the bpf_prog_test_run_xdp() function in net/bpf/test_run.c. A local user can perform a denial of service (DoS) attack.


13) Input validation error (CVE-ID: CVE-2026-23187)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the imx8m_blk_ctrl_remove() function in drivers/pmdomain/imx/imx8m-blk-ctrl.c. A local user can perform a denial of service (DoS) attack.


14) Use-after-free (CVE-ID: CVE-2026-23193)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the iscsit_dec_session_usage_count() function in drivers/target/iscsi/iscsi_target_util.c. A local user can escalate privileges on the system.


15) Use-after-free (CVE-ID: CVE-2026-23201)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the parse_longname() function in fs/ceph/crypto.c. A local user can escalate privileges on the system.


16) NULL pointer dereference (CVE-ID: CVE-2026-23215)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within arch/x86/include/asm/vmware.h. A local user can perform a denial of service (DoS) attack.


17) Use-after-free (CVE-ID: CVE-2026-23216)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the iscsit_dec_conn_usage_count() function in drivers/target/iscsi/iscsi_target_util.c. A local user can escalate privileges on the system.


18) Use-after-free (CVE-ID: CVE-2026-23231)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nf_tables_addchain() function in net/netfilter/nf_tables_api.c. A local user can escalate privileges on the system.


19) NULL Pointer Dereference (CVE-ID: CVE-2026-23242)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the RDMA/siw component when processing incoming RDMA packets. A local user can trigger improper error handling to cause a denial of service.

Exploitation requires access to the RDMA subsystem and the ability to send crafted packets over TCP. The vulnerability affects the siw (Soft iWarp) driver in the Linux kernel.


20) Out-of-bounds read (CVE-ID: CVE-2026-23243)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.

Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.


21) Out-of-bounds read (CVE-ID: CVE-2026-23255)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the /proc/net/ptype component when handling RCU-protected network device references. A local attacker can exploit a race condition during iteration of packet types to cause a denial of service.

The issue arises from missing RCU protection when accessing pt->dev in ptype_seq_show() and ptype_seq_next(), allowing concurrent modifications to trigger an RCU stall.


22) Use After Free (CVE-ID: CVE-2026-23259)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the io_uring/rw component when handling read/write requests. A local user can trigger improper cleanup of allocated iovec structures to cause a denial of service.

Exploitation requires access to the io_uring subsystem and the ability to submit read/write requests.


23) Use After Free (CVE-ID: CVE-2026-23270)

The vulnerability allows a local user to cause a use-after-free condition.

The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.

The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.


24) Use After Free (CVE-ID: CVE-2026-23272)

The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.

Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.


25) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23274)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the netfilter xt_IDLETIMER module when processing timer rules with reused labels. A local user can insert a revision 0 IDLETIMER rule with a label that was previously used by a revision 1 rule with XT_IDLETIMER_ALARM, leading to modification of an uninitialized timer_list object, which can trigger debugobjects warnings and potentially cause a kernel panic when panic_on_warn=1 is enabled.

Exploitation requires the ability to load netfilter rules. The impact is limited to denial of service via system crash under specific kernel configurations.


26) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.

Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.


27) Resource exhaustion (CVE-ID: CVE-2026-23278)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the netfilter nf_tables component when processing transaction batches containing multiple catchall elements. A local user can provide a specially crafted batch request to cause a denial of service.

Exploitation requires the ability to inject or modify netfilter rules via the nf_tables interface, which is typically restricted to privileged users. The issue occurs during transaction abort processing, leading to a use-after-free condition that triggers a kernel warning and system instability.


28) Use After Free (CVE-ID: CVE-2026-23281)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the lbs_free_adapter() function in the Linux kernel's libertas Wi-Fi driver when handling timer cleanup during device adapter release. A local user can trigger the release of the adapter structure while timer callbacks are still executing, leading to access of freed memory and potential execution of arbitrary code or system crash.

Exploitation requires the ability to trigger device cleanup, which is typically available to users with access to network device interfaces.


29) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23292)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking mechanism in the SCSI target subsystem when handling configuration file writes. A local user can provide a specially crafted configuration input to cause recursive semaphore locking, leading to a system crash or hang.

Exploitation requires access to the target's configuration filesystem (configfs) and the ability to write to the db_root parameter. No additional privileges beyond standard configfs access are required.


30) NULL Pointer Dereference (CVE-ID: CVE-2026-23293)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the VXLAN network driver when handling packets. A local user can send a specially crafted IPv6 packet into a VXLAN interface when IPv6 is disabled at boot time to trigger a kernel NULL pointer dereference and crash the system.

Exploitation requires the ability to inject packets into the VXLAN interface, which is typically available to local users or processes with network access.


31) NULL Pointer Dereference (CVE-ID: CVE-2026-23317)

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper error handling in the vmw_translate_ptr functions in the drm/vmwgfx subsystem when translating pointers. A local user can trigger a use of an uninitialized pointer to cause out-of-bounds memory accesses and execute arbitrary code.

Successful exploitation may lead to privilege escalation and system compromise.


32) Use After Free (CVE-ID: CVE-2026-23319)

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the bpf_trampoline_link_cgroup_shim component when handling BPF trampoline link operations. A local user can trigger a race condition to exploit a dangling reference in the cgroup shim trampoline program list and achieve arbitrary code execution or privilege escalation.

The issue arises because the reference count is reduced to zero and the resource is released before all references are fully cleaned up, creating a window where an already-freed resource can be accessed.


33) Improper Synchronization (CVE-ID: CVE-2026-23361)

The vulnerability allows a local user to cause a denial of service, disclose sensitive information, and potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the PCI driver's MSI-X interrupt handling when unmapping the outbound ATU entry. A local user can trigger the dw_pcie_ep_raise_msix_irq() function to raise an MSI-X interrupt via a posted write transaction that may not complete before the associated ATU entry is unmapped, leading to memory corruption or IOMMU faults.

The issue arises because the writel() operation used to generate the PCI posted write transaction can return before the write reaches its destination, creating a race condition with the subsequent unmap operation. This can result in memory corruption on the host system, including potential access to unauthorized memory regions or system instability.


34) Function Call with Incorrectly Specified Arguments (CVE-ID: CVE-2026-23379)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ets_offload_change function when handling traffic control (tc) commands for ETS qdisc offloading. A local user can send a specially crafted request to trigger a divide-by-zero error, leading to a kernel oops and system crash.

The issue arises from unsigned 32-bit integer overflows in 'q_sum' and 'q_psum' variables during WRR weight computation, which can result in division by zero in the offload path.


35) NULL Pointer Dereference (CVE-ID: CVE-2026-23381)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the bridge component when handling packets. A remote attacker can send a specially crafted ICMPv6 Neighbor Discovery packet to trigger a kernel NULL pointer dereference.

IPv6 must be disabled via the 'ipv6.disable=1' kernel parameter for the vulnerability to be exploitable.


36) Out-of-bounds write (CVE-ID: CVE-2026-23386)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the gve_tx_clean_pending_packets() function in the Google Virtual Ethernet (gve) driver when handling packet transmission cleanup in DQ-QPL mode. A local user can trigger improper buffer cleanup by causing the transmission path to fail, leading to out-of-bounds memory access and system crash.

The issue arises because the function incorrectly uses the RDA buffer cleanup path in QPL mode, resulting in accessing memory beyond the bounds of the dma array, which shares storage with tx_qpl_buf_ids. This can be triggered during normal operation under specific error conditions.


37) NULL pointer dereference (CVE-ID: CVE-2026-23398)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the icmp_tag_validation function when handling ICMP Fragmentation Needed error messages with a quoted inner IP header containing an unregistered protocol number. A remote attacker can send a specially crafted ICMP packet to cause a kernel panic in softirq context.

Exploitation requires the target system to have ip_no_pmtu_disc set to 3 (hardened PMTU mode).


38) Use-after-free (CVE-ID: CVE-2026-23413)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in the clsact qdisc when handling init and destroy rollback after a replacement failure. A local attacker can trigger a replacement failure during clsact initialization to cause a denial of service.

The issue occurs because ingress may be initialized before egress initialization fails, after which destroy logic can operate on stale state from the previous clsact instance.


39) Memory leak (CVE-ID: CVE-2026-23414)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in tls_decrypt_async_wait() and the async_hold queue when processing pending asynchronous TLS decrypt operations. A local user can trigger a partial failure during message hold handling to cause a denial of service.

This issue results in a memory leak because cloned skbs added to the async_hold queue may not be released in some fallback paths after pending AEAD operations are synchronized. No user interaction is required.


40) Improper Privilege Management (CVE-ID: CVE-2026-31788)

The vulnerability allows a local user to escalate privileges and modify kernel memory contents, breaking secure boot protections.

The vulnerability exists due to improper access control in the Xen privcmd driver when handling hypercalls from user space processes in an unprivileged domU running with secure boot enabled. A local user can exploit this by issuing arbitrary hypercalls to escalate privileges and modify kernel memory, compromising the integrity of the secure boot environment.

Exploitation requires the user to have root privileges within the unprivileged domU guest. The impact is particularly severe when secure boot is enabled, as it allows bypassing memory integrity protections.


Remediation

Install update from vendor's website.
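
Until the update is installed, the configuration preconditions that entries 25, 30, 35 and 37 state (panic_on_warn=1, IPv6 disabled at boot, ipv6.disable=1, ip_no_pmtu_disc set to 3) can be checked per host to prioritise patching. The script below is an added example, not part of the SUSE bulletin; the function names and the PROC_ROOT variable are hypothetical, and reading "IPv6 disabled at boot time" in entry 30 as the ipv6.disable=1 parameter is an assumption.

```sh
#!/bin/sh
# Added example: lists the bulletin entries whose stated configuration
# precondition is present on a host. Only standard procfs files are read.
# A root directory is passed in so the same checks can run against a
# captured copy of /proc (hypothetical PROC_ROOT variable).

# cmdline_has ROOT TOKEN: succeeds if TOKEN is a whole word on the
# kernel command line (a whole-token match, not a substring match).
cmdline_has() {
    [ -r "$1/proc/cmdline" ] || return 1
    case " $(cat "$1/proc/cmdline") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# sysctl_is ROOT KEY VALUE: succeeds if sysctl KEY (dotted form)
# currently holds exactly VALUE.
sysctl_is() {
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "$3" ]
}

# preconditions ROOT: prints one line per affected bulletin entry.
# An empty ROOT means the live host.
preconditions() {
    root="${1:-}"
    if cmdline_has "$root" "ipv6.disable=1"; then
        echo "CVE-2026-23381 (entry 35): ipv6.disable=1 on kernel command line"
        # Assumption: entry 30's "IPv6 disabled at boot time" is this parameter.
        echo "CVE-2026-23293 (entry 30): IPv6 disabled at boot"
    fi
    if sysctl_is "$root" net.ipv4.ip_no_pmtu_disc 3; then
        echo "CVE-2026-23398 (entry 37): ip_no_pmtu_disc is 3"
    fi
    if sysctl_is "$root" kernel.panic_on_warn 1; then
        echo "CVE-2026-23274 (entry 25): panic_on_warn is 1, warning becomes a panic"
    fi
    return 0
}

preconditions "${PROC_ROOT:-}"
```

The ip_no_pmtu_disc sysctl is per network namespace, so the result covers only the namespace the script runs in. An empty result means none of these four preconditions is present; it says nothing about the other 36 entries.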