SB2026050316 - openEuler 24.03 LTS SP1 update for kernel




Published: May 3, 2026

Security Bulletin ID: SB2026050316
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 5%, Medium 38%, Low 57%

Description

This security bulletin contains information about 21 vulnerabilities.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2025-27558)

The vulnerability allows an attacker to perform a spoofing attack.

The vulnerability exists due to insufficient verification of data authenticity in mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP). A remote attacker on the local network can inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames and perform a spoofing attack.


2) Out-of-bounds write (CVE-ID: CVE-2026-23378)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to improper memory access in the net/sched act_ife component when updating metadata lists during packet processing. A local user can send a specially crafted request to trigger an out-of-bounds memory write via the ife_tlv_meta_encode function.

Exploitation requires the ability to configure or trigger traffic control (tc) actions within the kernel, which is typically available to local users with sufficient privileges to manipulate network scheduling policies.


3) NULL pointer dereference (CVE-ID: CVE-2026-23398)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the icmp_tag_validation function when handling ICMP Fragmentation Needed error messages with a quoted inner IP header containing an unregistered protocol number. A remote attacker can send a specially crafted ICMP packet to cause a kernel panic in softirq context.

Exploitation requires the target system to have ip_no_pmtu_disc set to 3 (hardened PMTU mode).


4) Out-of-bounds write (CVE-ID: CVE-2026-23406)

The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to improper pointer arithmetic in the AppArmor match_char() macro within the Linux kernel's DFA matching logic when processing path permissions during file open operations. A local user can provide a specially crafted file access request that triggers differential encoding chain traversal with a post-incremented string pointer, causing the pointer to advance multiple times per iteration and resulting in out-of-bounds memory reads. This can lead to kernel memory corruption and system instability.

The vulnerability is exploitable during AppArmor policy enforcement when opening files, and may allow privilege escalation or system crash.


5) Out-of-bounds write (CVE-ID: CVE-2026-23407)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to improper bounds checking in the AppArmor verify_dfa() function when parsing a malformed DFA policy. A local user can provide a specially crafted AppArmor policy with differential encoding that triggers out-of-bounds memory access to execute arbitrary code or crash the kernel.

Successful exploitation requires the ability to load a malicious AppArmor profile, which requires user privileges but no special administrative rights beyond those needed to manage AppArmor policies.


6) NULL pointer dereference (CVE-ID: CVE-2026-23442)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in seg6_hmac_validate_skb() and ipv6_srh_rcv() when processing SRv6 paths on a device without IPv6 configuration. A remote attacker can send specially crafted IPv6 traffic to cause a denial of service.

The issue occurs when __in6_dev_get() returns NULL, such as on a device with no IPv6 configuration, including after device unregister or when the MTU is below the IPv6 minimum MTU.


7) Out-of-bounds read (CVE-ID: CVE-2026-23447)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp32() when processing a crafted NDP32 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.

The issue occurs because the DPE array size is validated against the total skb length without accounting for ndpoffset, allowing reads beyond the intended bounds when the NDP32 is placed near the end of the NTB.


8) Double free (CVE-ID: CVE-2026-23449)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.

The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.


9) Use-after-free (CVE-ID: CVE-2026-23452)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.

The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.


10) Out-of-bounds read (CVE-ID: CVE-2026-23455)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.


11) Out-of-bounds read (CVE-ID: CVE-2026-23456)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in decode_int() in nf_conntrack_h323 when parsing malformed H.323/RAS packets. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue can result in a 1-4 byte slab out-of-bounds read.


12) Integer overflow (CVE-ID: CVE-2026-23457)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer truncation in nf_conntrack_sip when parsing the SIP Content-Length header in sip_help_tcp() over TCP. A remote attacker can send a specially crafted SIP message with an oversized Content-Length value to cause a denial of service.

On 64-bit systems, a Content-Length value exceeding UINT_MAX can be truncated before the SIP message boundary is computed, causing trailing TCP segment data to be treated as a second SIP message and processed through the SDP parser.
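As an added illustration of the two length-arithmetic bug classes described in items 10 and 12, the constructed C model below shows the 16-bit decrement underflow and the 32-bit Content-Length truncation, each beside a guarded form. This is not kernel code and not from the openEuler or netfilter sources; the function names, field widths and sample values are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of item 10: a 16-bit UserUserIE length is decremented by 1 to skip
 * the protocol discriminator byte. Returns the length that would be passed
 * on to the next parsing stage. */
long q931_user_info_len_unchecked(uint16_t ie_len)
{
    uint16_t len = ie_len;
    len--;                 /* 0 - 1 wraps to 0xFFFF in the 16-bit type */
    return (long)len;      /* ie_len == 0 therefore yields 65535 */
}

/* Guarded form: require the discriminator byte to exist before removing it.
 * Returns -1 to signal that the element must be rejected. */
long q931_user_info_len_checked(uint16_t ie_len)
{
    if (ie_len < 1)
        return -1;
    return (long)(ie_len - 1);
}

/* Model of item 12: the Content-Length header value is parsed into a wide
 * type but narrowed to a 32-bit unsigned int before the message boundary
 * (header end + body length) is compared against the data actually held.
 * Returns the computed boundary, or -1 when it does not fit in datalen. */
long long sip_body_end_unchecked(size_t hdr_end, unsigned long long clen,
                                 size_t datalen)
{
    unsigned int truncated = (unsigned int)clen;  /* high bits silently dropped */
    size_t end = hdr_end + truncated;
    return end <= datalen ? (long long)end : -1;  /* "fits" although the real body does not */
}

/* Guarded form: compare the full-width value against the remaining segment
 * data before computing the boundary, so an oversized Content-Length is
 * rejected instead of being wrapped into a small one. */
long long sip_body_end_checked(size_t hdr_end, unsigned long long clen,
                               size_t datalen)
{
    if (clen > datalen || hdr_end > datalen - (size_t)clen)
        return -1;
    return (long long)(hdr_end + (size_t)clen);
}
```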


13) Use-after-free (CVE-ID: CVE-2026-23458)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.

The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.


14) NULL pointer dereference (CVE-ID: CVE-2026-23475)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL-pointer dereference in the spi controller sysfs attributes when handling sysfs attribute access before controller statistics allocation. A remote attacker can access the affected sysfs attributes during this window to cause a denial of service.

The issue occurs because controller per-cpu statistics are not allocated until after the controller has been registered, creating a race window that can crash the kernel.


15) Use-after-free (CVE-ID: CVE-2026-31389)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the spi controller registration logic when handling controller registration failure. A local attacker can trigger controller registration failure to cause a denial of service.

The issue occurs if per-cpu statistics allocation fails during controller registration, which can lead to use-after-free of driver resources and unclocked register accesses.


16) Integer overflow (CVE-ID: CVE-2026-31415)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in ip6_datagram_send_ctl() when processing repeated IPV6_DSTOPTS control messages. A local user can send specially crafted ancillary data to cause a denial of service.

Exploitation can trigger a kernel panic through skb_under_panic(), and unprivileged exploitation is possible in environments where unprivileged user namespaces are enabled and the attacker can obtain namespaced CAP_NET_RAW.


17) Incorrect calculation (CVE-ID: CVE-2026-31416)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper calculation of netlink header size in nfnetlink_log when processing netlink messages. A local user can send a specially crafted netlink message to cause a denial of service.

The issue results in a kernel warning and the affected netlink message being dropped, with no other explicitly stated effects.


18) Use of Uninitialized Variable (CVE-ID: CVE-2026-31427)

The vulnerability allows a remote attacker to cause incorrect SDP address rewriting.

The vulnerability exists due to use of uninitialized memory in process_sdp in nf_conntrack_sip when processing SDP bodies. A remote attacker can send a specially crafted SDP message to cause incorrect SDP address rewriting.

When stack auto-initialization is enabled, the rewritten session-level addresses may become 0.0.0.0; otherwise, stale stack data may be used.


19) Use of Uninitialized Variable (CVE-ID: CVE-2026-31428)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized padding in the NFULA_PAYLOAD netlink attribute in nfnetlink_log when constructing packet messages for the NFLOG netlink socket. A local user can read the leaked padding bytes to disclose sensitive information.

The issue leaks stale heap contents to userspace when the payload length is not 4-byte aligned.


20) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31431)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper memory handling within the authencesn cryptographic template in algif_aead when processing AEAD operations. A local user can trigger the vulnerable code path to execute arbitrary code on the system.

Note: this vulnerability was dubbed "Copy Fail".


21) Spoofing attack (CVE-ID: CVE-2020-24588)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data in Windows Wireless Networking. A remote attacker on the local network can spoof page content.


Remediation

Install the update from the vendor's website.