SB20260529222 - openEuler 24.03 LTS SP3 update for kernel
Published: May 29, 2026
Description
This security bulletin contains information about 15 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-31503)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the UDP socket bind conflict check when binding a wildcard address after multiple sockets are already bound to the same local port. A local user can bind sockets to multiple specific local addresses on the same port and then bind a wildcard address to bypass conflict detection and cause a denial of service.
The issue affects IPv6 wildcard, IPv4 wildcard, and IPv4-mapped wildcard addresses when the bind bucket count exceeds 10.
2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43054)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in tcm_loop_target_reset() when handling SCSI target reset recovery. A local user can trigger a reset while commands remain in flight to cause a denial of service.
The issue can leak a LUN reference and cause configfs LUN unlink to hang in D-state.
3) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43057)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of checksum offload fallback in the IPv6 GSO fallback logic when processing tunneled IPv6 traffic with extension headers or without an inner IP protocol. A local user can send specially crafted packets to cause a denial of service.
The issue affects tunneled traffic, including cases where the inner header rather than the outer network header must be validated.
4) Race condition (CVE-ID: CVE-2026-43119)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a data race in hdev->req_status handling in the Bluetooth hci_sync subsystem when processing concurrent command synchronization operations across workqueues and event completion paths. A local user can trigger concurrent operations to cause a denial of service.
The issue arises because accesses occur from different workqueues and completion or abort paths that can run concurrently on different CPUs.
5) NULL pointer dereference (CVE-ID: CVE-2026-43123)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in fbcon when acquiring new framebuffer console info after fbcon_open() fails. A local user can trigger the vulnerable code path to cause a denial of service.
6) Improper input validation (CVE-ID: CVE-2026-43134)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass an encryption key size check.
The vulnerability exists due to improper input validation in the L2CAP LE connection request handling when processing L2CAP_LE_CONN_REQ packets. A remote attacker can send a specially crafted L2CAP_LE_CONN_REQ packet to bypass an encryption key size check.
7) Improper synchronization (CVE-ID: CVE-2026-43170)
CWE-ID: CWE-662 - Improper Synchronization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper execution in atomic context in dwc3_gadget_vbus_draw() when invoking power-supply-core APIs. A local user can trigger USB gadget operations to cause a denial of service.
The issue can lead to a kernel panic because some PMIC operations may sleep.
8) Improper resource shutdown or release (CVE-ID: CVE-2026-43223)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in pvr2_send_request_ex() when submitting USB request blocks. A local user can trigger a failure after a write URB has been submitted but before the corresponding read URB is submitted to cause a denial of service.
The issue is triggered when read URB submission fails while the write URB remains active and is later reused.
9) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43344)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of offline CPU and topology lookup conditions in the Intel uncore PMON initialization logic when initializing uncore PCI devices on affected platforms. A local user can trigger the vulnerable code path to cause a denial of service.
The issue can occur when all CPUs associated with a UBOX device are offline or when NUMA is disabled on a NUMA-capable platform.
10) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-43381)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of runtime-suspended devices in nouveau dpcd aux transfer handling when accessing /dev/drm_dp_* while the device is asleep. A local user can access the drm dp device interface while the device is runtime suspended to cause a denial of service.
The issue is triggered when the GPU device is in a runtime suspended state.
11) Improper Initialization (CVE-ID: CVE-2026-43408)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in ceph_mdsc_build_path() callers when handling error paths after building Ceph path information. A local user can trigger a failed ceph_mdsc_build_path() call and subsequent ceph_mdsc_free_path_info() use of an uninitialized ceph_path_info structure to cause a denial of service.
The issue may occur because ceph_mdsc_build_path() initializes the structure only on success, while callers may still free it after an error.
12) NULL pointer dereference (CVE-ID: CVE-2026-43416)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in perf_callchain_user_64 when getting a user callchain while current->mm has already been released. A local user can run a profiling BPF program to cause a denial of service.
The issue can lead to a kernel panic during stack trace collection.
13) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43472)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in unshare_fs() when handling unshare(2) requests with CLONE_NEWNS together with additional namespace flags that can fail after mount namespace creation. A local user can invoke unshare(2) in this state to cause a denial of service.
The issue can leave the calling process with pwd and root pointing to detached isolated mounts after unshare(2) fails, such as after an -ENOMEM error during cgroup namespace setup.
14) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43483)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the KVM SVM AVIC/CR8 interception logic when activating or deactivating AVIC. A local user can trigger guest operations that lead to a dangling CR8 write intercept to cause a denial of service.
The issue affects SVM and can be fatal to Windows guests when combined with a TPR synchronization bug.
15) Integer underflow (CVE-ID: CVE-2026-43492)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer underflow in mpi_read_raw_from_sgl() when processing a crafted scatterlist during a KEYCTL_PKEY_ENCRYPT system call. A local user can supply an input buffer of zeroes with a larger out_len than in_len to cause a denial of service.
The issue can cause the kernel to spin forever, resulting in soft lockup splats.
Remediation
Install the update from the vendor's website.