SB2026051111 - Red Hat Enterprise Linux 10 update for kernel

Description

This security bulletin contains information about 6 vulnerabilities.

1) Improper locking (CVE-ID: CVE-2026-23097)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the unmap_and_move_huge_page() function in mm/migrate.c. A local user can perform a denial of service (DoS) attack.

2) Incorrect calculation (CVE-ID: CVE-2026-23139)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect calculation within the __nf_conncount_add() function in net/netfilter/nf_conncount.c. A local user can perform a denial of service (DoS) attack.

3) Out-of-bounds read (CVE-ID: CVE-2026-23243)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.

Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.

4) Improper resource shutdown or release (CVE-ID: CVE-2026-23401)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of SPTE updates in KVM MMU when installing emulated MMIO SPTEs. A local user can trigger a page fault after host userspace modifies guest memory mappings to switch from memslot to emulated MMIO, leading to an attempt to mark an already present SPTE as MMIO, which results in a kernel warning and potential guest crash. A local user can send a specially crafted request to cause a denial of service.

The issue arises when KVM fails to drop the existing shadow-present SPTE before installing an MMIO SPTE, resulting in inconsistent MMU state and triggering a kernel warning that can crash the guest.

5) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.

6) Use-after-free (CVE-ID: CVE-2026-31532)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.

The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2026:15883