SB20260509144 - openEuler 24.03 LTS update for kernel




Published: May 9, 2026

Security Bulletin ID: SB20260509144
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Local access
Highest impact: Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 9 vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-31407)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the sctp netlink attribute handling when processing crafted netlink attributes. A remote attacker can supply an invalid CTA_PROTOINFO_SCTP_STATE value to cause a denial of service.


2) Out-of-bounds read (CVE-ID: CVE-2026-31407)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the sctp and ctnetlink netlink attribute handling when processing crafted netlink attributes. A remote attacker can send specially crafted netlink messages to disclose sensitive information.

The issue is caused by missing validation of user-supplied netlink attribute values before they are used by the kernel.


3) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.


4) Improper input validation (CVE-ID: CVE-2026-31420)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in br_mrp_start_test(), br_mrp_start_in_test(), and br_mrp_start_in_test_parse() when processing user-supplied netlink attributes. A local user can supply a zero interval value to cause a denial of service.

A zero interval causes delayed work to be rescheduled with no delay, creating a tight loop that allocates and transmits MRP test frames until system memory is exhausted and the kernel panics via OOM deadlock.


5) Division by zero (CVE-ID: CVE-2026-31423)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero error in rtsc_min() in the HFSC scheduler when processing crafted traffic control parameters. A local user can supply values that make the truncated divisor become zero to cause a denial of service.

The issue is triggered in the concave-curve intersection path.


6) Improper access control (CVE-ID: CVE-2026-31424)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in xt_check_match/xt_check_target extension validation in x_tables when processing ARP chains through nft_compat. A local user can load a match or target with incompatible hook assumptions to cause a denial of service.

The issue can result in a NULL pointer dereference and kernel panic when extensions registered with NFPROTO_UNSPEC are used on ARP hooks with different semantics.


7) Out-of-bounds write (CVE-ID: CVE-2026-31602)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.

The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.


8) Use-after-free (CVE-ID: CVE-2026-31680)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


9) Out-of-bounds read (CVE-ID: CVE-2026-31782)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in intel_pmu_set_acr_caused_constr when handling groups of events that include software events during auto counter reload. A local user can trigger this condition to disclose sensitive information.

The issue occurs because a software event PMU may be processed through the hybrid helper path even though it is not an x86 event.


Remediation

Install the update from the vendor's website.