SB2026051585 - openEuler 22.03 LTS SP4 update for kernel
Published: May 15, 2026
Description
This security bulletin contains information about 33 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2026-23317)
The vulnerability allows a local user to execute arbitrary code and escalate privileges.
The vulnerability exists due to improper error handling in the vmw_translate_ptr functions in the drm/vmwgfx subsystem when translating pointers. A local user can trigger a use of an uninitialized pointer to cause out-of-bounds memory accesses and execute arbitrary code.
Successful exploitation may lead to privilege escalation and system compromise.
2) Use-after-free (CVE-ID: CVE-2026-31404)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in NFSD export cache object cleanup when accessing export information through RCU readers concurrently with cache entry removal. A local attacker can trigger concurrent export cache cleanup and access to freed sub-objects to cause a denial of service.
The issue can result in a NULL pointer dereference in d_path when ex_path or ex_client->name related sub-objects are freed before the RCU grace period completes.
3) Use-after-free (CVE-ID: CVE-2026-31419)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.
The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.
4) Improper resource shutdown or release (CVE-ID: CVE-2026-31441)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in idxd workqueue reset handling when resetting a workqueue. A local user can trigger a workqueue reset to cause a denial of service.
5) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31448)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4_ext_map_blocks() and ext4_xattr_block_set() when handling mkdir or mknod operations after a failed extent insertion. A local user can trigger filesystem operations that leave residual extent metadata to cause a denial of service.
The issue can result in an infinite loop and prolonged blocking while the inode lock is not released.
6) Improper access control (CVE-ID: CVE-2026-31476)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper access control in ksmbd session binding handling when processing a multichannel session binding request failure. A remote attacker can send a binding request with a wrong password to cause a denial of service.
The issue occurs because the target session looked up during binding can belong to another connection's user.
7) Use-after-free (CVE-ID: CVE-2026-31504)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.
The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.
9) Out-of-bounds read (CVE-ID: CVE-2026-31521)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in simplify_symbols() when parsing a crafted module ELF file with an invalid section index. A local user can load a specially crafted module to cause a denial of service.
This can be triggered when the module ELF legitimately uses SHN_XINDEX or when the file is corrupted.
10) Race condition (CVE-ID: CVE-2026-31523)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in nvme-pci polled queue handling when polling a queue during a reset while queue mappings are being updated. A local user can change the polled queue count at run time to trigger double completions and cause a denial of service.
The issue occurs during a brief window before the block layer has updated the queue maps.
11) Use-after-free (CVE-ID: CVE-2026-31555)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a stale pointer in the futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.
12) NULL pointer dereference (CVE-ID: CVE-2026-31560)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in spi-dw-dma error logging when handling an error after a transaction finishes without a current message. A local user can trigger an error condition to cause a denial of service.
13) Improper locking (CVE-ID: CVE-2026-31592)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in sev_mem_enc_register_region() when handling KVM ioctls during SEV guest initialization failure paths. A local user can issue crafted ioctl calls to trigger a general protection fault and kernel crash.
The issue can occur if KVM_SEV_INIT or KVM_SEV_INIT2 fails and KVM attempts to add to an uninitialized sev->regions_list.
14) Information disclosure (CVE-ID: CVE-2026-31628)
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to improper isolation of partial divider results in x86 CPU handling when executing division operations on Zen1 processors. A local attacker can run a thread that observes residual partial results from previous operations to disclose sensitive information.
Exploitation requires another thread to access leaked partial results left by a previous operation under certain circumstances.
15) Stack-based buffer overflow (CVE-ID: CVE-2026-31630)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in the AF_RXRPC procfs helpers when formatting socket addresses for procfs output with "%pISpc". A local user can trigger address formatting with a specially crafted IPv6 address representation to cause a denial of service.
The issue occurs because the fixed 50-byte stack buffers are too small for the longest current IPv6-with-port textual form, including certain ISATAP address formats.
16) Improper locking (CVE-ID: CVE-2026-31667)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in the uinput force-feedback handling path when processing force-feedback operations and device lifecycle events. A local user can trigger a circular locking dependency to cause a denial of service.
The issue can be triggered when using a force-feedback gamepad with uinput.
17) Use-after-free (CVE-ID: CVE-2026-31673)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in UNIX_DIAG_VFS handling in af_unix when processing UNIX diagnostic lookups. A local user can trigger a race condition to cause a denial of service.
18) Out-of-bounds read (CVE-ID: CVE-2026-31674)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.
19) Improper input validation (CVE-ID: CVE-2026-31679)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in openvswitch SET/SET_MASKED action handling for OVS_KEY_ATTR_MPLS when processing crafted MPLS action payload lengths. A local user can send a specially crafted request to cause a denial of service.
20) Out-of-bounds read (CVE-ID: CVE-2026-31682)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.
21) Out-of-bounds read (CVE-ID: CVE-2026-31697)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.
The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.
22) Out-of-bounds read (CVE-ID: CVE-2026-31698)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.
23) Out-of-bounds read (CVE-ID: CVE-2026-31699)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.
The issue occurs when the firmware reports an invalid length for the requested blob.
24) Improper authentication (CVE-ID: CVE-2026-31773)
The vulnerability allows a remote attacker to bypass authentication requirements.
The vulnerability exists due to improper authentication state handling in the Bluetooth SMP legacy responder STK handling in smp_random() when processing Just Works or Confirm legacy pairing. A remote attacker can initiate a legacy pairing sequence that results in an unauthenticated STK being stored as authenticated to bypass authentication requirements.
The issue affects the legacy responder path and occurs when high security is requested but the pairing flow does not achieve MITM authentication.
25) Double free (CVE-ID: CVE-2026-31787)
The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.
The vulnerability exists due to double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.
Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.
26) Stack-based buffer overflow (CVE-ID: CVE-2026-43020)
The vulnerability allows a remote user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in the Bluetooth MGMT Long Term Key load and reply handling logic when processing a crafted management LTK record with an oversized enc_size value. A remote user can supply a specially crafted LTK record to overflow a reply stack buffer to cause a denial of service or execute arbitrary code.
27) Use-after-free (CVE-ID: CVE-2026-43049)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the logitech-hidpp force feedback initialization path when probing the Logitech G920 Driving Force Racing Wheel for Xbox One: if initialization fails, userspace can continue to access sysfs or /dev/input references that now dangle. A local user can trigger force feedback initialization failure and use these dangling references to cause a denial of service.
The issue occurs if force feedback initialization fails before the userspace infrastructure has been torn down.
28) Improper resource shutdown or release (CVE-ID: CVE-2026-43064)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the idxd DSA/IAA device workqueue handling when releasing a device object. A local user can trigger release of a crafted or repeatedly created device object to cause a denial of service.
29) Out-of-bounds write (CVE-ID: CVE-2026-43079)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in uncore_pci_pmu_register() when parsing the discovery table for offline dies. A local user can trigger the vulnerable code path to cause a denial of service.
The issue can be triggered when NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0.
30) NULL pointer dereference (CVE-ID: CVE-2026-43124)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a NULL return value in persistent_ram_vmap() when mapping the persistent ram buffer. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs when a failed vmap() call is treated as a successful mapping because a non-zero offset produces a non-NULL pointer, which can later lead to dereference of an invalid address.
31) Resource management error (CVE-ID: CVE-2026-43284)
The vulnerability allows a local user to escalate privileges on the system.
The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in the esp_input() function in net/ipv4/esp4.c and the esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges.
Note: this is one of two vulnerabilities reported as Dirty Frag.
32) Improper locking (CVE-ID: CVE-2025-38617)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the packet_set_ring() function in net/packet/af_packet.c. A local user can perform a denial of service (DoS) attack.
33) Resource management error (CVE-ID: CVE-2026-43500)
The vulnerability allows a local user to escalate privileges on the system.
The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.
Note: this vulnerability is one of two issues described as Dirty Frag.
Remediation
Install the update from the vendor's website.