SB2026051583 - openEuler 24.03 LTS SP1 update for kernel
Published: May 15, 2026 Updated: May 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 23 vulnerabilities.
1) Double free (CVE-ID: CVE-2026-31436)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.
The issue can also result in descriptor leaks.
2) Race condition (CVE-ID: CVE-2026-31486)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in pmbus regulator operations when accessing PMBus registers and shared data. A local user can trigger concurrent regulator callbacks and voltage operations to cause a denial of service.
3) Use-after-free (CVE-ID: CVE-2026-31504)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.
The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.
5) Race condition (CVE-ID: CVE-2026-31575)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in mfill_atomic_hugetlb() when handling userfaultfd hugetlb faults. A local user can trigger faults on different addresses within the same huge page to cause a denial of service.
The issue can corrupt the reservation map and trigger the BUG_ON in resv_map_release().
6) Integer overflow (CVE-ID: CVE-2026-31624)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an undefined shift caused by improper input validation in s32ton() when processing a malicious HID report descriptor during output report construction. A local attacker can supply a broken HID device with an oversized report_size field to cause a denial of service.
The issue is triggered when an output report is built via hid_output_field() or hid_set_field().
7) NULL pointer dereference (CVE-ID: CVE-2026-31625)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in alps_raw_event() when processing raw HID events. A local user can trigger the vulnerable code path to cause a denial of service.
8) Use-after-free (CVE-ID: CVE-2026-31673)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in UNIX_DIAG_VFS handling in af_unix when processing UNIX diagnostic lookups. A local user can trigger a race condition to cause a denial of service.
9) Out-of-bounds read (CVE-ID: CVE-2026-31674)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.
10) Out-of-bounds read (CVE-ID: CVE-2026-31682)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.
11) NULL pointer dereference (CVE-ID: CVE-2026-43013)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in mlx5_ldev_add_debugfs() when accessing debugfs entries created without a valid LAG context. A local user can access a specially exposed debugfs interface to cause a denial of service.
The issue occurs when debugfs entries are created even though no valid ldev pointer is available.
12) Improper input validation (CVE-ID: CVE-2026-43017)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the Bluetooth MGMT mesh send handler when processing a crafted MGMT_OP_MESH_SEND command. A local user can send a specially crafted command with a truncated advertising payload length to cause a denial of service.
The issue arises because the supplied flexible adv_data[] array bytes may not match the embedded adv_data_len field, allowing the async mesh send path to read past the end of the queued command buffer.
13) Use-after-free (CVE-ID: CVE-2026-43018)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in hci_le_remote_conn_param_req_evt when handling Bluetooth LE remote connection parameter request events. A local attacker can trigger concurrent connection handling to cause a denial of service.
14) Use-after-free (CVE-ID: CVE-2026-43019)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in set_cig_params_sync when accessing hci_conn objects concurrently. A local user can trigger concurrent operations to cause a denial of service.
15) Race condition (CVE-ID: CVE-2026-43214)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in __get_sregs2() when reading PDPTR registers during ioctl handling. A local user can issue a crafted ioctl request to cause a denial of service.
The issue is triggered when reading PDPTRs causes access to guest memory through memslot lookups without the required SRCU read-side protection.
16) Improper input validation (CVE-ID: CVE-2026-43265)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state validation in KVM x86 nested virtualization handling when processing userspace-supplied MP_STATE or injected events for a blocked vCPU while L2 is active. A remote user can place the vCPU into an invalid state to cause a denial of service.
The issue can result in a spurious userspace exit, typically with KVM_EXIT_UNKNOWN, after exiting a blocking state.
17) Resource management error (CVE-ID: CVE-2026-43284)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber
The vulnerability allows a local user to escalate privileges on the system.
The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges.
Note, this is one of two vulnerabilities reported as Dirty Frag.
18) NULL pointer dereference (CVE-ID: CVE-2026-43313)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null-pointer dereference in acpi_processor_errata_piix4() when processing PCI device lookups. A local user can trigger the vulnerable code path to cause a denial of service.
19) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43363)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper hardware state management in lapic_resume() when resuming from s2ram. A local user can trigger a suspend and resume cycle to cause a denial of service.
This occurs when firmware re-enables x2apic mode while the kernel continues using the xapic interface, which can lead to system hangs on bare metal systems.
20) Race condition (CVE-ID: CVE-2026-43420)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ceph_unlink() when processing asynchronous unlink operations. A local user can trigger concurrent unlink completion handling to cause a denial of service.
Only the asynchronous unlink code path is affected.
21) Resource exhaustion (CVE-ID: CVE-2026-43429)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of user-controlled timeout values in the usbtmc driver when processing ioctl commands. A local user can supply an arbitrarily long timeout value to hang a kernel thread indefinitely and cause a denial of service.
The issue affects usb_bulk_msg() calls that use unkillable waits.
22) Improper locking (CVE-ID: CVE-2025-38617)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the packet_set_ring() function in net/packet/af_packet.c. A local user can perform a denial of service (DoS) attack.
23) Resource management error (CVE-ID: CVE-2026-43500)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber
The vulnerability allows a local user to escalate privileges on the system.
The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.
Note, this vulnerability is one of two issues described as Dirty Frag.
Remediation
Install update from vendor's website.