SB20260522109 - openEuler 22.03 LTS SP4 update for kernel
Published: May 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 31 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2025-38488)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the crypt_message() function in fs/smb/client/smb2ops.c. A local user can escalate privileges on the system.
2) Use-after-free (CVE-ID: CVE-2025-39841)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the lpfc_nvmet_defer_rcv() function in drivers/scsi/lpfc/lpfc_nvmet.c. A local user can escalate privileges on the system.
3) Improper locking (CVE-ID: CVE-2025-40261)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the nvme_fc_delete_ctrl() function in drivers/nvme/host/fc.c. A local user can perform a denial of service (DoS) attack.
4) Race condition (CVE-ID: CVE-2025-40324)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition within the nfsd4_read() function in fs/nfsd/nfs4proc.c. A local user can perform a denial of service (DoS) attack.
5) Improper locking (CVE-ID: CVE-2025-68185)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the nfs4_setup_readdir() function in fs/nfs/nfs4proc.c. A local user can perform a denial of service (DoS) attack.
6) NULL pointer dereference (CVE-ID: CVE-2025-68214)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the __try_to_del_timer_sync() function in kernel/time/timer.c. A local user can perform a denial of service (DoS) attack.
7) Memory leak (CVE-ID: CVE-2025-68288)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the usb_stor_Bulk_transport() function in drivers/usb/storage/transport.c. A local user can perform a denial of service (DoS) attack.
8) NULL pointer dereference (CVE-ID: CVE-2025-68820)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the ext4_xattr_inode_dec_ref_all() function in fs/ext4/xattr.c. A local user can perform a denial of service (DoS) attack.
9) Use of uninitialized resource (CVE-ID: CVE-2025-71064)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to use of uninitialized resource within the hclgevf_knic_setup() function in drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c. A local user can perform a denial of service (DoS) attack.
10) Use After Free (CVE-ID: CVE-2026-23273)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.
Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.
11) Out-of-bounds read (CVE-ID: CVE-2026-31393)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose adjacent memory contents.
The vulnerability exists due to an out-of-bounds read in l2cap_information_rsp() when processing a truncated L2CAP_INFO_RSP packet with a successful result. A remote attacker can send a specially crafted Bluetooth L2CAP response to disclose adjacent memory contents.
The issue occurs because the code reads response payload data beyond the validated fixed header length for L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN cases.
12) Improper input validation (CVE-ID: CVE-2026-31447)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in ext4 mount handling when mounting a crafted ext4 filesystem with bigalloc enabled and s_first_data_block set to a non-zero value. A local user can mount a specially crafted filesystem image to cause a denial of service.
13) Memory leak (CVE-ID: CVE-2026-31477)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in smb2_lock() when handling error paths after list_del() detaches smb_lock from lock_list. A local user can trigger unexpected error conditions in lock and unlock processing to cause a denial of service.
The issue affects both the non-UNLOCK path on unexpected vfs_lock_file() errors and the UNLOCK path when vfs_lock_file() returns -ENOENT.
14) NULL pointer dereference (CVE-ID: CVE-2026-31477)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smb2_lock() when processing SMB lock rollback operations after allocation failure. A local user can trigger allocation failure during lock rollback to cause a denial of service.
15) Use-after-free (CVE-ID: CVE-2026-31527)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the platform driver core driver_override handling when probing a driver through __driver_attach__(). A local user can trigger concurrent access to the driver_override field to cause a denial of service.
16) Out-of-bounds read (CVE-ID: CVE-2026-31611)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify file permissions.
The vulnerability exists due to an out-of-bounds read in parse_dacl() when processing a crafted security descriptor containing an ACE SID with only two sub-authorities that matches the sid_unix_NFS_mode prefix. A remote attacker can send a specially crafted security descriptor to modify file permissions.
The issue occurs when the crafted ACE is placed at the end of the security descriptor, causing 4 bytes past the end of the ACL to be read and masked into the low 9 bits as the file's POSIX mode.
17) Out-of-bounds read (CVE-ID: CVE-2026-31612)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in smb2_get_ea() when handling crafted SMB2 extended attribute requests. A remote attacker can send a specially crafted request to disclose sensitive information.
Uninitialized heap values may be leaked to the client.
18) Integer overflow (CVE-ID: CVE-2026-31704)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an integer overflow in set_posix_acl_entries_dacl() and set_ntacl_dacl() when processing files with many POSIX ACL entries. A local user can create a file with many POSIX ACL entries to cause memory corruption.
The accumulated DACL size can wrap past 65535, causing subsequent writes to overwrite earlier ACE entries and resulting in a truncated DACL size value.
19) Out-of-bounds read (CVE-ID: CVE-2026-31708)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in smb2_ioctl_query_info() when processing a crafted QUERY_INFO response from an SMB server. A remote attacker can return a malformed response with an OutputBufferLength larger than the actual response buffer to disclose sensitive information.
20) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31754)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the cdns3 gadget role-switch handling when switching from a failed gadget initialization to host mode via sysfs. A local user can trigger a role switch after gadget startup failure to cause a denial of service.
The issue can result in a synchronous external abort in xhci_gen_setup() during host controller setup.
21) NULL pointer dereference (CVE-ID: CVE-2026-31755)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in __cdns3_gadget_ep_queue() when queueing requests on a disabled or unconfigured gadget endpoint. A local user can trigger the vulnerable code path to cause a denial of service.
22) Out-of-bounds read (CVE-ID: CVE-2026-31771)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the Bluetooth HCI event handling logic when processing a short HCI event frame. A local attacker can send a specially crafted HCI event frame to cause a denial of service.
The issue occurs because wake reason storage is reached before per-event minimum payload length validation is enforced.
23) Out-of-bounds write (CVE-ID: CVE-2026-43047)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service or perform an out-of-bounds write.
The vulnerability exists due to an out-of-bounds write in the HID multitouch feature report handling when processing a device response to a feature request. An attacker with physical access can provide a malicious device that responds with a mismatched report ID to cause a denial of service or perform an out-of-bounds write.
The issue is triggered when a device returns a different report ID than the one originally requested.
24) Out-of-bounds write (CVE-ID: CVE-2026-43048)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read and out-of-bounds write in hid_report_raw_event() when processing an incoming event buffer that is smaller than the associated report size. A local attacker can provide a crafted HID event buffer to cause a denial of service.
25) Integer underflow (CVE-ID: CVE-2026-43171)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or trigger a kernel oops.
The vulnerability exists due to an integer underflow in cper_print_fw_err() when processing a malformed firmware error record with an offset beyond the actual record length. A local user can provide a crafted error record to disclose sensitive information, cause a denial of service, or trigger a kernel oops.
The issue occurs on systems with bad or malformed firmware error records.
26) Improper input validation (CVE-ID: CVE-2026-43212)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in cpumask_of_node() when handling a NUMA_NO_NODE index. A local user can trigger the vulnerable code path to cause a denial of service.
The issue affects the LoongArch architecture-specific implementation.
27) Observable discrepancy (CVE-ID: CVE-2026-43261)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to observable timing discrepancy in branch prediction on TSV110 arm64 processors when executing code that influences branch history. A local attacker can perform a Spectre-BHB side-channel attack to disclose sensitive information.
The issue is specific to TSV110 processors.
28) Improper resource shutdown or release (CVE-ID: CVE-2026-43428)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore when handling USB message timeouts. A local user can trigger an excessively long synchronous timeout to cause a denial of service.
Exploitation can leave a task stuck in an uninterruptible wait until the target device is unplugged.
29) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43488)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper error handling in xhci_irq() when handling a host controller error during UAS storage device plug/unplug scenarios. A local user can trigger repeated device plug/unplug events to cause a denial of service.
The issue can result in an interrupt storm that leads to severe system-level faults.
30) Improper access control (CVE-ID: CVE-2026-46333)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to improper access control in ptrace_may_access() when checking dumpability for tasks without an associated mm pointer. A local privileged user can inspect kernel thread details to disclose sensitive information.
The issue affects cases involving threads that no longer have a VM or never had one, such as kernel threads.
31) Improper locking (CVE-ID: CVE-2024-50047)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the SMB2_negotiate() function in fs/smb/client/smb2pdu.c, within the smb2_get_enc_key(), crypt_message(), smb3_init_transform_rq() and decrypt_raw_data() functions in fs/smb/client/smb2ops.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.