SB20260509145 - openEuler 22.03 LTS SP4 update for kernel



Published: May 9, 2026

Security Bulletin ID: SB20260509145
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Unchecked Error Condition (CVE-ID: CVE-2026-23383)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper memory alignment in the BPF JIT compiler when handling 64-bit atomic operations on arm64. A local user can trigger execution of a specially crafted BPF program to cause a torn read of a 64-bit jump target, leading to control flow hijacking and arbitrary code execution.

Exploitation requires the ability to load and execute BPF programs, which is typically available to unprivileged users in modern Linux distributions with CONFIG_BPF_JIT enabled.


2) Out-of-bounds read (CVE-ID: CVE-2026-31449)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in ext4_ext_correct_indexes when processing a corrupted or crafted on-disk extent header. A local user can supply a crafted filesystem image to disclose sensitive information.


3) Race condition (CVE-ID: CVE-2026-31450)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.

The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.
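The ordering problem described for CVE-2026-31450, as an added userspace C model that is not the kernel's code or its patch: a probe records what a lockless reader would find between the two steps of each attach order. Only `jinode` and `i_vfs_inode` are names from the bulletin; the struct layouts, `flush_observe`, `attach_racy`, `attach_safe` and the `mid` probe are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Userspace stand-ins (assumed); only jinode and i_vfs_inode are the bulletin's names. */
struct vfs_inode { unsigned long ino; };
struct jinode { struct vfs_inode *i_vfs_inode; };
struct inode_info {
    struct vfs_inode vfs;
    _Atomic(struct jinode *) jinode;  /* read without a lock by the flush path */
};

/* A reader's view at one instant; HALF_INIT = non-NULL pointer, field unset. */
enum view { NOT_ATTACHED, READY, HALF_INIT };

enum view flush_observe(struct inode_info *ei)
{
    struct jinode *j = atomic_load_explicit(&ei->jinode, memory_order_acquire);
    if (!j)
        return NOT_ATTACHED;          /* reader skips this inode */
    return j->i_vfs_inode ? READY : HALF_INIT;
}

/* Racy order: publish the zeroed object, then initialize it.
 * *mid records the reader's view at the instant between the two steps. */
void attach_racy(struct inode_info *ei, struct jinode *j, enum view *mid)
{
    atomic_store_explicit(&ei->jinode, j, memory_order_relaxed);
    *mid = flush_observe(ei);         /* simulated concurrent reader */
    j->i_vfs_inode = &ei->vfs;
}

/* Safe order: initialize first, then publish with release so an acquire
 * load that sees the pointer also sees the initialized field. */
void attach_safe(struct inode_info *ei, struct jinode *j, enum view *mid)
{
    j->i_vfs_inode = &ei->vfs;
    *mid = flush_observe(ei);         /* reader arriving before publication */
    atomic_store_explicit(&ei->jinode, j, memory_order_release);
}

int main(void)
{
    struct inode_info a = { .vfs = { 1 } }, b = { .vfs = { 2 } };
    struct jinode ja = { 0 }, jb = { 0 };
    enum view racy, safe;
    attach_racy(&a, &ja, &racy);
    attach_safe(&b, &jb, &safe);
    printf("racy mid-view=%d safe mid-view=%d\n", racy, safe);
    return 0;
}
```

In the racy order the probe reports `HALF_INIT`, the state in which a dereference of `i_vfs_inode` would fault; in the safe order the reader sees either nothing attached or a fully initialized object.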


4) Out-of-bounds write (CVE-ID: CVE-2026-31570)

The vulnerability allows a local user to cause a denial of service or corrupt memory.

The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.

Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.


5) Integer overflow (CVE-ID: CVE-2026-31590)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of an integer overflow condition in sev_pin_memory() when processing a KVM_MEMORY_ENCRYPT_REG_REGION ioctl request with a crafted size value. A local user can submit a specially crafted ioctl request to cause a kernel warning.

The issue is reachable from userspace through the KVM SEV memory encryption region registration interface.


6) Out-of-bounds write (CVE-ID: CVE-2026-31602)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.

The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.


7) Resource exhaustion (CVE-ID: CVE-2026-31677)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in af_alg_get_rsgl() when processing recvmsg calls with data extraction into the RX scatterlist. A local user can send a specially crafted recvmsg request to cause a denial of service.


8) Use-after-free (CVE-ID: CVE-2026-31680)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


Remediation

Install the update from the vendor's website.