SB2026052403 - Debian update for linux

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026052403

SB2026052403 - Debian update for linux

Published: May 24, 2026

Security Bulletin ID SB2026052403
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-23171)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the bond_enslave() function in drivers/net/bonding/bond_main.c. A local user can escalate privileges on the system.


2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify the page cache of a root-owned read-only file.

The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.

One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.


3) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46300)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to improper state management in skb_try_coalesce() when transferring paged fragments during TCP receive coalescing. A local user can trigger packet processing that moves shared fragments into an unmarked skb to cause memory corruption.

The issue can lead ESP input to incorrectly treat an uncloned nonlinear skb as not having shared fragments and perform in-place decryption over externally owned or page-cache-backed fragments.


Remediation

Install update from vendor's website.

References