SB2026052425 - Anolis OS update for kernel:4.18
Published: May 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46300)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to improper state management in skb_try_coalesce() when transferring paged fragments during TCP receive coalescing. A local user can trigger packet processing that moves shared fragments into an unmarked skb to cause memory corruption.
The issue can lead ESP input to incorrectly treat an uncloned nonlinear skb as not having shared fragments and perform in-place decryption over externally owned or page-cache-backed fragments.
2) Improper access control (CVE-ID: CVE-2026-46333)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to improper access control in ptrace_may_access() when checking dumpability for tasks without an associated mm pointer. A local privileged user can inspect kernel thread details to disclose sensitive information.
The issue affects cases involving threads that no longer have a VM or never had one, such as kernel threads.
Remediation
Install update from vendor's website.