SB2026050126 - SUSE update for the Linux Kernel
Published: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Error handling (CVE-ID: CVE-2024-26584)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error when handling backlogging of crypto requests in net/tls/tls_sw.c. A remote attacker can send specially crafted traffic to the system and perform a denial of service attack.
2) Improper locking (CVE-ID: CVE-2025-38234)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the find_lowest_rq() and find_lock_lowest_rq() functions in kernel/sched/rt.c. A local user can perform a denial of service (DoS) attack.
3) Use-after-free (CVE-ID: CVE-2025-39759)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the btrfs_check_quota_leak() and btrfs_qgroup_rescan() functions in fs/btrfs/qgroup.c. A local user can escalate privileges on the system.
4) Improper Resource Shutdown or Release (CVE-ID: CVE-2025-71268)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a resource management error in the Btrfs filesystem component when handling qgroup data during inline extent insertion. A local user can trigger a reservation leak in error paths to cause a denial of service.
The vulnerability specifically occurs if allocation of a path or transaction join fails, leading to unfreed qgroup reservations. This results in gradual resource exhaustion over time.
5) Resource exhaustion (CVE-ID: CVE-2025-71269)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the btrfs filesystem's qgroup data reservation handling when processing file writes that trigger a fallback from inline extent creation. A local user can perform file operations that cause an ENOSPC condition during inline extent creation, leading to incorrect release of qgroup data reservations while still proceeding with the normal COW path, resulting in unbalanced quota accounting and potential denial of service.
The attacker must have the ability to write to a btrfs filesystem and trigger space allocation under conditions of low available space; this typically requires low-privileged local access but does not require administrative privileges beyond standard user write permissions.
6) Input validation error (CVE-ID: CVE-2026-22990)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the osdmap_apply_incremental() function in net/ceph/osdmap.c. A local user can perform a denial of service (DoS) attack.
7) Improper locking (CVE-ID: CVE-2026-23103)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the ipvlan_port_create(), ipvlan_uninit(), ipvlan_open(), ipvlan_stop(), ipvlan_link_new(), ipvlan_link_delete(), ipvlan_add_addr(), ipvlan_del_addr(), ipvlan_add_addr6(), ipvlan_addr6_validator_event() and ipvlan_addr4_validator_event() functions in drivers/net/ipvlan/ipvlan_main.c. A local user can perform a denial of service (DoS) attack.
8) Race condition within a thread (CVE-ID: CVE-2026-23120)
The vulnerability allows a local user to corrupt data.
The vulnerability exists due to a data race within the l2tp_tunnel_del_work() function in net/l2tp/l2tp_core.c. A local user can corrupt data.
9) Out-of-bounds read (CVE-ID: CVE-2026-23243)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.
Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.
10) Out-of-bounds write (CVE-ID: CVE-2026-23262)
The vulnerability allows a local user to cause memory corruption and incorrect statistics reporting.
The vulnerability exists due to improper buffer size management in the gve driver's statistics reporting region when changing the number of queues. A local user can trigger a queue count change to cause the NIC to write past the allocated stats region or create gaps in stats reporting.
The issue arises because the driver and NIC miscalculate offsets into the shared memory region during queue count changes, potentially leading to memory corruption or incorrect statistics.
11) Use After Free (CVE-ID: CVE-2026-23272)
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.
Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.
12) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.
Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.
13) Out-of-bounds read (CVE-ID: CVE-2026-23318)
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in the ALSA usb-audio driver when handling USB audio descriptors from a UAC3 device. An attacker with physical access can connect a malicious USB device presenting a truncated UAC3 header to cause out-of-bounds reads, leading to a denial of service.
Exploitation requires physical access to attach a malicious USB device.
14) Memory corruption (CVE-ID: CVE-2026-23362)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the CAN BCM (Broadcast Manager) subsystem when handling runtime updates of bcm_op structures. A local user can send a specially crafted request to trigger a use of an uninitialized spinlock, leading to a system crash.
The issue specifically occurs in the bcm_rx_setup() function, where the bcm_tx_lock is not initialized when the RX_RTR_FRAME flag is set, which can lead to undefined behavior during lock operations.
15) NULL Pointer Dereference (CVE-ID: CVE-2026-23382)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper pointer validation in HID subsystem raw_event callbacks when processing input from unclaimed HID devices. A remote attacker can send specially crafted HID reports to trigger a NULL pointer dereference and crash the system.
Exploitation does not require user interaction or prior authentication.
16) Out-of-bounds write (CVE-ID: CVE-2026-23386)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the gve_tx_clean_pending_packets() function in the Google Virtual Ethernet (gve) driver when handling packet transmission cleanup in DQ-QPL mode. A local user can trigger improper buffer cleanup by causing the transmission path to fail, leading to out-of-bounds memory access and system crash.
The issue arises because the function incorrectly uses the RDA buffer cleanup path in QPL mode, resulting in accessing memory beyond the bounds of the dma array, which shares storage with tx_qpl_buf_ids. This can be triggered during normal operation under specific error conditions.
17) NULL pointer dereference (CVE-ID: CVE-2026-23398)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the icmp_tag_validation function when handling ICMP Fragmentation Needed error messages with a quoted inner IP header containing an unregistered protocol number. A remote attacker can send a specially crafted ICMP packet to cause a kernel panic in softirq context.
Exploitation requires the target system to have ip_no_pmtu_disc set to 3 (hardened PMTU mode).
Remediation
Install update from vendor's website.