SB20260522110 - openEuler 20.03 LTS SP4 update for kernel
Published: May 22, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-31527)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the platform driver core driver_override handling when probing a driver through __driver_attach(). A local user can trigger concurrent access to the driver_override field to cause a denial of service.
2) Out-of-bounds read (CVE-ID: CVE-2026-31698)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs during PDH certificate retrieval, when the supplied userspace buffer is too small and the firmware reports the required size.
3) Out-of-bounds read (CVE-ID: CVE-2026-31699)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.
The issue occurs when the firmware reports an invalid length for the requested blob.
4) Out-of-bounds write (CVE-ID: CVE-2026-43047)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service or perform an out-of-bounds write.
The vulnerability exists due to an out-of-bounds write in the HID multitouch feature report handling when processing a device response to a feature request. An attacker with physical access can provide a malicious device that responds with a mismatched report ID to cause a denial of service or perform an out-of-bounds write.
The issue is triggered when a device returns a different report ID than the one originally requested.
5) Out-of-bounds write (CVE-ID: CVE-2026-43048)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read and out-of-bounds write in hid_report_raw_event() when processing an incoming event buffer that is smaller than the associated report size. A local attacker can provide a crafted HID event buffer to cause a denial of service.
6) Improper access control (CVE-ID: CVE-2026-46333)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to improper access control in ptrace_may_access() when checking dumpability for tasks without an associated mm pointer. A local privileged user can inspect kernel thread details to disclose sensitive information.
The issue affects cases involving threads that no longer have a VM or never had one, such as kernel threads.
Remediation
Install the update from the vendor's website.