SB2026051583 - openEuler 24.03 LTS SP1 update for kernel
Published: May 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 23 vulnerabilities.
1) Double free (CVE-ID: CVE-2026-31436)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.
The issue can also result in descriptor leaks.
2) Race condition (CVE-ID: CVE-2026-31486)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in pmbus regulator operations when accessing PMBus registers and shared data. A local user can trigger concurrent regulator callbacks and voltage operations to cause a denial of service.
3) Use-after-free (CVE-ID: CVE-2026-31504)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.
The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.
5) Race condition (CVE-ID: CVE-2026-31575)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in mfill_atomic_hugetlb() when handling userfaultfd hugetlb faults. A local user can trigger faults on different addresses within the same huge page to cause a denial of service.
The issue can corrupt the reservation map and trigger the BUG_ON in resv_map_release().
6) Integer overflow (CVE-ID: CVE-2026-31624)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an undefined shift caused by improper input validation in s32ton() when processing a malicious HID report descriptor during output report construction. A local attacker can supply a broken HID device with an oversized report_size field to cause a denial of service.
The issue is triggered when an output report is built via hid_output_field() or hid_set_field().
7) NULL pointer dereference (CVE-ID: CVE-2026-31625)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in alps_raw_event() when processing raw HID events. A local user can trigger the vulnerable code path to cause a denial of service.
8) Use-after-free (CVE-ID: CVE-2026-31673)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in UNIX_DIAG_VFS handling in af_unix when processing UNIX diagnostic lookups. A local user can trigger a race condition to cause a denial of service.
9) Out-of-bounds read (CVE-ID: CVE-2026-31674)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.
10) Out-of-bounds read (CVE-ID: CVE-2026-31682)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.
11) NULL pointer dereference (CVE-ID: CVE-2026-43013)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in mlx5_ldev_add_debugfs() when accessing debugfs entries created without a valid LAG context. A local user can access a specially exposed debugfs interface to cause a denial of service.
The issue occurs when debugfs entries are created even though no valid ldev pointer is available.
12) Improper input validation (CVE-ID: CVE-2026-43017)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the Bluetooth MGMT mesh send handler when processing a crafted MGMT_OP_MESH_SEND command. A local user can send a specially crafted command with a truncated advertising payload length to cause a denial of service.
The issue arises because the supplied flexible adv_data[] array bytes may not match the embedded adv_data_len field, allowing the async mesh send path to read past the end of the queued command buffer.
13) Use-after-free (CVE-ID: CVE-2026-43018)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in hci_le_remote_conn_param_req_evt when handling Bluetooth LE remote connection parameter request events. A local attacker can trigger concurrent connection handling to cause a denial of service.
14) Use-after-free (CVE-ID: CVE-2026-43019)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in set_cig_params_sync when accessing hci_conn objects concurrently. A local user can trigger concurrent operations to cause a denial of service.
15) Race condition (CVE-ID: CVE-2026-43214)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in __get_sregs2() when reading PDPTR registers during ioctl handling. A local user can issue a crafted ioctl request to cause a denial of service.
The issue is triggered when reading PDPTRs causes access to guest memory through memslot lookups without the required SRCU read-side protection.
16) Improper input validation (CVE-ID: CVE-2026-43265)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state validation in KVM x86 nested virtualization handling when processing userspace-supplied MP_STATE or injected events for a blocked vCPU while L2 is active. A remote user can place the vCPU into an invalid state to cause a denial of service.
The issue can result in a spurious userspace exit, typically with KVM_EXIT_UNKNOWN, after exiting a blocking state.
17) Resource management error (CVE-ID: CVE-2026-43284)
The vulnerability allows a local user to escalate privileges on the system.
The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges.
Note, this is one of two vulnerabilities reported as Dirty Frag.
18) NULL pointer dereference (CVE-ID: CVE-2026-43313)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null-pointer dereference in acpi_processor_errata_piix4() when processing PCI device lookups. A local user can trigger the vulnerable code path to cause a denial of service.
19) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43363)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper hardware state management in lapic_resume() when resuming from s2ram. A local user can trigger a suspend and resume cycle to cause a denial of service.
This occurs when firmware re-enables x2apic mode while the kernel continues using the xapic interface, which can lead to system hangs on bare metal systems.
20) Race condition (CVE-ID: CVE-2026-43420)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ceph_unlink() when processing asynchronous unlink operations. A local user can trigger concurrent unlink completion handling to cause a denial of service.
Only the asynchronous unlink code path is affected.
21) Resource exhaustion (CVE-ID: CVE-2026-43429)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of user-controlled timeout values in the usbtmc driver when processing ioctl commands. A local user can supply an arbitrarily long timeout value to hang a kernel thread indefinitely and cause a denial of service.
The issue affects usb_bulk_msg() calls that use unkillable waits.
22) Improper locking (CVE-ID: CVE-2025-38617)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the packet_set_ring() function in net/packet/af_packet.c. A local user can perform a denial of service (DoS) attack.
23) Resource management error (CVE-ID: CVE-2026-43500)
The vulnerability allows a local user to escalate privileges on the system.
The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.
Note, this vulnerability is one of two issues described as Dirty Frag.
Remediation
Install update from vendor's website.