SB20260509147 - openEuler 24.03 LTS SP3 update for kernel
Published: May 9, 2026
Description
This security bulletin contains information about 11 vulnerabilities.
1) Double free (CVE-ID: CVE-2025-71089)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the iommu_sva_bind_device() function in drivers/iommu/iommu-sva.c. A local user can perform a denial of service (DoS) attack.
2) NULL pointer dereference (CVE-ID: CVE-2026-23442)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in seg6_hmac_validate_skb() and ipv6_srh_rcv() when processing SRv6 paths on a device without IPv6 configuration. A remote attacker can send specially crafted IPv6 traffic to cause a denial of service.
The issue occurs when __in6_dev_get() returns NULL, such as on a device with no IPv6 configuration, including after device unregister or when the MTU is below the IPv6 minimum MTU.
3) Improper input validation (CVE-ID: CVE-2026-31407)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the sctp netlink attribute handling when processing crafted netlink attributes. A remote attacker can supply an invalid CTA_PROTOINFO_SCTP_STATE value to cause a denial of service.
4) Out-of-bounds read (CVE-ID: CVE-2026-31407)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sctp and ctnetlink netlink attribute handling when processing crafted netlink attributes. A remote attacker can send specially crafted netlink messages to disclose sensitive information.
The issue is caused by missing validation of user-supplied netlink attribute values before they are used by the kernel.
5) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.
6) Improper input validation (CVE-ID: CVE-2026-31420)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in br_mrp_start_test(), br_mrp_start_in_test(), and br_mrp_start_in_test_parse() when processing user-supplied netlink attributes. A local user can supply a zero interval value to cause a denial of service.
A zero interval causes delayed work to be rescheduled with no delay, creating a tight loop that allocates and transmits MRP test frames until system memory is exhausted and the kernel panics via OOM deadlock.
7) Division by zero (CVE-ID: CVE-2026-31423)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero error in rtsc_min() in the HFSC scheduler when processing crafted traffic control parameters. A local user can supply values that make the truncated divisor become zero to cause a denial of service.
The issue is triggered in the concave-curve intersection path.
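The bug class described for this entry, as an added example that is not the kernel's code: a 64-bit divisor that is non-zero at full width but zero once narrowed to 32 bits, next to a checked full-width version. The function names, the 32-bit division helper and the model of the divisor as a difference of two 64-bit curve slopes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct div_result { bool ok; uint64_t q; };

/* Hypothetical stand-in for a division helper that takes a 32-bit divisor.
 * It reports a zero divisor instead of faulting; in kernel context the
 * same division raises a divide error. */
static struct div_result div_u64_by_u32(uint64_t n, uint32_t d)
{
    struct div_result r = { false, 0 };
    if (d == 0)
        return r;
    r.ok = true;
    r.q = n / d;
    return r;
}

/* Flawed pattern: the 64-bit difference is non-zero, but the cast keeps
 * only its low 32 bits, which can be zero. */
static struct div_result intersect_truncating(uint64_t dy, uint64_t slope_a,
                                              uint64_t slope_b)
{
    uint64_t diff = slope_a - slope_b;
    return div_u64_by_u32(dy, (uint32_t)diff);
}

/* Hardened pattern: divide by the full 64-bit value and reject zero. */
static struct div_result intersect_checked(uint64_t dy, uint64_t slope_a,
                                           uint64_t slope_b)
{
    struct div_result r = { false, 0 };
    uint64_t diff = slope_a - slope_b;
    if (diff == 0)
        return r;
    r.ok = true;
    r.q = dy / diff;
    return r;
}

int main(void)
{
    /* Constructed values: the two slopes differ by exactly 2^32. */
    uint64_t a = (1ULL << 32) + 5, b = 5, dy = 1ULL << 40;
    struct div_result t = intersect_truncating(dy, a, b);
    struct div_result c = intersect_checked(dy, a, b);
    printf("truncating: ok=%d\n", t.ok);
    printf("checked:    ok=%d q=%llu\n", c.ok, (unsigned long long)c.q);
    return 0;
}
```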
8) Improper access control (CVE-ID: CVE-2026-31424)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in xt_check_match/xt_check_target extension validation in x_tables when processing ARP chains through nft_compat. A local user can load a match or target with incompatible hook assumptions to cause a denial of service.
The issue can result in a NULL pointer dereference and kernel panic when extensions registered with NFPROTO_UNSPEC are used on ARP hooks with different semantics.
9) Out-of-bounds write (CVE-ID: CVE-2026-31602)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.
The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.
10) Use-after-free (CVE-ID: CVE-2026-31680)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.
The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.
11) Out-of-bounds read (CVE-ID: CVE-2026-31782)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in intel_pmu_set_acr_caused_constr when handling groups of events that include software events during auto counter reload. A local user can trigger this condition to disclose sensitive information.
The issue occurs because a software event PMU may be processed through the hybrid helper path even though it is not an x86 event.
Remediation
Install the update from the vendor's website.