SB2026042519 - openEuler 24.03 LTS update for kernel




Published: April 25, 2026

Security Bulletin ID: SB2026042519
Severity: Medium
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 38%, Low: 63%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-23171)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the bond_enslave() function in drivers/net/bonding/bond_main.c. A local user can escalate privileges on the system.


2) NULL pointer dereference (CVE-ID: CVE-2026-23439)

The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in udp_sock_create6() and its caller fou_create() when handling netlink requests with CONFIG_IPV6 disabled. A local privileged user can send a specially crafted netlink request to cause a denial of service.

Only privileged users can trigger the issue, and exploitation requires a kernel built with CONFIG_IPV6 disabled.


3) NULL pointer dereference (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.

The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.


4) Use-after-free (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.

The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.


5) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31400)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in cache_release when closing a reader file descriptor during a partial read of a cache_request. A local user can close a file descriptor in that state to cause a denial of service.

The issue occurs because the request readers count is decremented without freeing the cache_request when the count reaches zero and CACHE_PENDING is clear, which can result in a memory leak.


6) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.
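The size arithmetic behind this item, and the bounds check a fixed-size replay slot needs, shown as an added user-space example (not the kernel's code and not part of the original bulletin). The struct and function names are hypothetical, the 32-byte fixed part follows the RFC 7530 LOCK4denied layout, and the 1024-byte lock owner limit is an assumption; only the 112-byte buffer size comes from the bulletin.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_ISIZE 112    /* inline replay buffer size stated in the bulletin */
#define OWNER_MAX    1024   /* assumed upper bound on the lock owner opaque */
#define DENIED_FIXED 32     /* offset 8 + length 8 + locktype 4 + clientid 8 + owner length 4 */
#define ERR_DENIED   10010u /* NFS4ERR_DENIED, used here as sample status */

/* Hypothetical stand-in for a per-owner replay slot. */
struct replay_slot {
    uint32_t status;             /* always recorded */
    size_t   buflen;             /* 0 means no payload is cached */
    uint8_t  ibuf[REPLAY_ISIZE];
};

/* Encoded size of a LOCK denied body; XDR pads the owner to 4 bytes. */
size_t denied_len(size_t owner_len)
{
    return DENIED_FIXED + ((owner_len + 3) & ~(size_t)3);
}

/* Bytes an unchecked copy would write past the inline buffer. */
size_t overflow_bytes(size_t resp_len)
{
    return resp_len > REPLAY_ISIZE ? resp_len - REPLAY_ISIZE : 0;
}

/* Checked store: cache the payload only if it fits, otherwise keep
 * the status alone. Returns 1 when the payload was cached. */
int replay_store(struct replay_slot *rp, uint32_t status,
                 const uint8_t *resp, size_t resp_len)
{
    rp->status = status;
    if (resp_len > sizeof(rp->ibuf)) {
        rp->buflen = 0;
        return 0;
    }
    memcpy(rp->ibuf, resp, resp_len);
    rp->buflen = resp_len;
    return 1;
}

int main(void)
{
    static uint8_t resp[DENIED_FIXED + OWNER_MAX]; /* constructed, all-zero sample body */
    struct replay_slot rp;
    size_t big = denied_len(OWNER_MAX);
    int cached = replay_store(&rp, ERR_DENIED, resp, big);
    printf("len=%zu overflow=%zu cached=%d\n", big, overflow_bytes(big), cached);
    return 0;
}
```

With a maximum-size owner the encoded body is 1056 bytes, which is the 112-byte buffer plus the 944 bytes the bulletin cites.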


7) Use-after-free (CVE-ID: CVE-2026-31403)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the /proc/fs/nfs/exports proc entry handling when reading from a still-open file descriptor after the associated network namespace is torn down. A local user can keep the file descriptor open across namespace teardown and perform subsequent reads to cause a denial of service.

The issue occurs because the open file captures the current network namespace and stores its export cache without holding a reference to the namespace for the lifetime of the file descriptor.


8) Use-after-free (CVE-ID: CVE-2026-31426)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in acpi_ec_space_handler() when handling AML evaluation that accesses an EC OpRegion field after probe deferral leaves a stale handler context. A local user can trigger a sysfs read that causes AML to touch an EC OpRegion to cause a denial of service.

The issue occurs on reduced-hardware EC platforms when the GPIO IRQ provider defers probing.


Remediation

Install the update from the vendor's website.