SB20260528263 - Red Hat Enterprise Linux 8 update for kernel

Description

This security bulletin contains information about 18 vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2025-39981)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the net/bluetooth/mgmt_util.h. A local user can escalate privileges on the system.

2) Buffer overflow (CVE-ID: CVE-2025-68183)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the ima_protect_xattr(), ima_reset_appraise_flags(), ima_inode_setxattr() and ima_inode_set_acl() functions in security/integrity/ima/ima_appraise.c. A local user can perform a denial of service (DoS) attack.

3) Buffer overflow (CVE-ID: CVE-2025-68347)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the hwdep_read() function in sound/firewire/motu/motu-hwdep.c. A local user can escalate privileges on the system.

4) Out-of-bounds read (CVE-ID: CVE-2025-71116)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the decode_pool() function in net/ceph/osdmap.c. A local user can perform a denial of service (DoS) attack.

5) Out-of-bounds read (CVE-ID: CVE-2026-23243)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.

Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.

6) Use After Free (CVE-ID: CVE-2026-23270)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a use-after-free condition.

The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.

The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.

7) Out-of-bounds read (CVE-ID: CVE-2026-23455)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.

8) Use-after-free (CVE-ID: CVE-2026-31408)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.

The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.

9) Use-after-free (CVE-ID: CVE-2026-31532)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.

The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.

10) Out-of-bounds read (CVE-ID: CVE-2026-31684)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in tcf_csum_act() when processing packets with nested in-payload VLAN headers. A remote attacker can send a specially crafted packet to cause a denial of service.

11) Improper input validation (CVE-ID: CVE-2026-31685)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.

12) Use-after-free (CVE-ID: CVE-2026-43027)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.

The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.

13) Stack-based buffer overflow (CVE-ID: CVE-2026-43020)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in the Bluetooth MGMT Long Term Key load and reply handling logic when processing a crafted management LTK record with an oversized enc_size value. A remote user can supply a specially crafted LTK record to overflow a reply stack buffer to cause a denial of service or execute arbitrary code.

14) Out-of-bounds read (CVE-ID: CVE-2026-43051)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in wacom_intuos_bt_irq when processing Bluetooth HID reports. A remote attacker can send a specially crafted short report to disclose sensitive information.

Report ID 0x03 requires at least 22 bytes, and report ID 0x04 requires at least 32 bytes.

15) Out-of-bounds read (CVE-ID: CVE-2026-31709)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in cifsacl DACL rewrite helpers when processing a server-supplied truncated DACL. A remote attacker can send a malformed ACL response to cause a denial of service.

The issue occurs because the incoming DACL body and each ACE were not structurally validated before chmod/chown security descriptor rebuild paths walked the ACE list.

16) Use-after-free (CVE-ID: CVE-2026-43163)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free race in write_page() when resizing an array while bitmap daemon work is iterating over bitmap->storage.filemap. A local user can trigger concurrent bitmap update and resize operations to cause a denial of service.

The issue occurs because the md thread can continue running during quiesce(), allowing concurrent access to freed pages.

17) Out-of-bounds read (CVE-ID: CVE-2026-43190)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.

18) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the xfs extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.

The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2026:21706