SB20260529224 - openEuler 24.03 LTS update for kernel




Published: May 29, 2026

Security Bulletin ID: SB20260529224
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 30
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 3%, Low: 97%

Description

This security bulletin contains information about 30 vulnerabilities.


1) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23292)

CWE-ID: CWE-1191 - On-Chip Debug and Test Interface With Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper locking mechanism in the SCSI target subsystem when handling configuration file writes. A local user can provide a specially crafted configuration input to cause recursive semaphore locking, leading to a system crash or hang.

Exploitation requires access to the target's configuration filesystem (configfs) and the ability to write to the db_root parameter. No additional privileges beyond standard configfs access are required.


2) Incorrect Control Flow Scoping (CVE-ID: CVE-2026-23296)

CWE-ID: CWE-705 - Incorrect Control Flow Scoping

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the SCSI core subsystem when handling tagset reference counts during SCSI host teardown. A local user can trigger the removal of a SCSI host to cause a denial of service.

Repeated triggering of the issue may lead to system instability or hang due to unbounded reference accumulation.


3) Resource exhaustion (CVE-ID: CVE-2026-23313)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the i40e NAPI poll tracepoint when handling network packets. A local user can trigger the tracepoint to cause a preempt count leak, leading to a denial of service.

The issue arises from using get_cpu() without a corresponding put_cpu() in the tracepoint, which results in an increment of the preempt count that is never decremented.


4) NULL Pointer Dereference (CVE-ID: CVE-2026-23317)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper error handling in the vmw_translate_ptr functions in the drm/vmwgfx subsystem when translating pointers. A local user can trigger the use of an uninitialized pointer to cause out-of-bounds memory accesses and execute arbitrary code.

Successful exploitation may lead to privilege escalation and system compromise.


5) Type conversion (CVE-ID: CVE-2026-23352)

CWE-ID: CWE-704 - Type conversion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the EFI boot services memory release mechanism when processing memory map initialization during system boot. A local attacker can trigger the early release of boot services memory before deferred memory map initialization is complete, leading to unfreed memory pages and a memory leak.

The issue specifically occurs on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, where memblock_free_late() skips uninitialized pages, resulting in a significant memory leak—up to approximately 140MB on constrained systems like EC2 t3a.nano instances with only 512MB RAM.


6) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23360)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the NVMe subsystem when handling controller resets. A local user can trigger a controller reset to cause a denial of service due to an admin queue leak.

The issue arises when nvme_alloc_admin_tag_set() is called during a controller reset while a previous admin queue still exists, leading to resource exhaustion over time.


7) Improper Synchronization (CVE-ID: CVE-2026-23374)

CWE-ID: CWE-662 - Improper Synchronization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the blktrace component when handling block I/O tracing operations. A local user can trigger the use of __this_cpu_read/write in a preemptible context to cause a kernel BUG and system crash.

The issue arises in process context where preemption is enabled, violating the requirement for preemption to be disabled when accessing per-CPU variables via __this_cpu_read/write. This can lead to undefined behavior including memory corruption.


8) Unchecked Error Condition (CVE-ID: CVE-2026-23383)

CWE-ID: CWE-391 - Unchecked Error Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper memory alignment in the BPF JIT compiler when handling 64-bit atomic operations on arm64. A local user can trigger execution of a specially crafted BPF program to cause a torn read of a 64-bit jump target, leading to control flow hijacking and arbitrary code execution.

Exploitation requires the ability to load and execute BPF programs, which is typically available to unprivileged users in modern Linux distributions with CONFIG_BPF_JIT enabled.


9) Improper access control (CVE-ID: CVE-2026-31503)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the UDP socket bind conflict check when binding a wildcard address after multiple sockets are already bound to the same local port. A local user can bind sockets to multiple specific local addresses on the same port and then bind a wildcard address to bypass conflict detection and cause a denial of service.

The issue affects IPv6 wildcard, IPv4 wildcard, and IPv4-mapped wildcard addresses when the bind bucket count exceeds 10.


10) Out-of-bounds read (CVE-ID: CVE-2026-31752)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing malformed neighbor discovery options. A remote attacker can send a specially crafted neighbor solicitation packet to cause a denial of service.


11) Improper Initialization (CVE-ID: CVE-2026-43053)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the XFS extended attribute dabtree inactivation logic when processing inode inactivation and log recovery. A local user can trigger a log shutdown during attribute fork inactivation to cause a denial of service.

The issue affects inodes with node-format extended attributes and can lead to metadata verification failures on the next mount during recovery processing.


12) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43054)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in tcm_loop_target_reset() when handling SCSI target reset recovery. A local user can trigger a reset while commands remain in flight to cause a denial of service.

The issue can leak a LUN reference and cause configfs LUN unlink to hang in D-state.


13) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43057)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of checksum offload fallback in the IPv6 GSO fallback logic when processing tunneled IPv6 traffic with extension headers or without an inner IP protocol. A local user can send specially crafted packets to cause a denial of service.

The issue affects tunneled traffic, including cases where the inner header rather than the outer network header must be validated.


14) Race condition (CVE-ID: CVE-2026-43119)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a data race in hdev->req_status handling in the Bluetooth hci_sync subsystem when processing concurrent command synchronization operations across workqueues and event completion paths. A local user can trigger concurrent operations to cause a denial of service.

The issue arises because accesses occur from different workqueues and completion or abort paths that can run concurrently on different CPUs.


15) NULL pointer dereference (CVE-ID: CVE-2026-43123)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in fbcon when acquiring new framebuffer console info after fbcon_open() fails. A local user can trigger the vulnerable code path to cause a denial of service.


16) Improper input validation (CVE-ID: CVE-2026-43134)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass an encryption key size check.

The vulnerability exists due to improper input validation in the L2CAP LE connection request handling when processing L2CAP_LE_CONN_REQ packets. A remote attacker can send a specially crafted L2CAP_LE_CONN_REQ packet to bypass an encryption key size check.


17) Deadlock (CVE-ID: CVE-2026-43147)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock in the SR-IOV handling logic when writing to sysfs entries to disable virtual functions and remove a PCI device. A local user can write crafted values to the sriov_numvfs and remove sysfs attributes to cause a denial of service.

The issue is triggered by recursive acquisition of pci_rescan_remove_lock during device removal.


18) Improper synchronization (CVE-ID: CVE-2026-43170)

CWE-ID: CWE-662 - Improper Synchronization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper execution in atomic context in dwc3_gadget_vbus_draw() when invoking power-supply-core APIs. A local user can trigger USB gadget operations to cause a denial of service.

The issue can lead to a kernel panic because some PMIC operations may sleep.


19) Improper resource shutdown or release (CVE-ID: CVE-2026-43223)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in pvr2_send_request_ex() when submitting USB request blocks. A local user can trigger a failure after a write URB has been submitted but before the corresponding read URB is submitted to cause a denial of service.

The issue is triggered when read URB submission fails while the write URB remains active and is later reused.


20) Observable discrepancy (CVE-ID: CVE-2026-43261)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to an observable timing discrepancy in branch prediction on TSV110 arm64 processors when executing code that influences branch history. A local attacker can perform a Spectre-BHB side-channel attack to disclose sensitive information.

The issue is specific to TSV110 processors.


21) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43289)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of overlapping executable sections in kexec_load_purgatory() when loading a purgatory object. A local user can supply a purgatory object with multiple executable sections that overlap in sh_addr to cause a denial of service.

The issue can trigger a kernel WARN during kexec_file_load.


22) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43344)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of offline CPU and topology lookup conditions in the Intel uncore PMON initialization logic when initializing uncore PCI devices on affected platforms. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can occur when all CPUs associated with a UBOX device are offline or when NUMA is disabled on a NUMA-capable platform.


23) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-43381)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of runtime-suspended devices in nouveau dpcd aux transfer handling when accessing /dev/drm_dp_* while the device is asleep. A local user can access the drm dp device interface while the device is runtime suspended to cause a denial of service.

The issue is triggered when the GPU device is in a runtime suspended state.


24) Improper Initialization (CVE-ID: CVE-2026-43408)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in ceph_mdsc_build_path() callers when handling error paths after building Ceph path information. A local user can trigger a failed ceph_mdsc_build_path() call and subsequent ceph_mdsc_free_path_info() use of an uninitialized ceph_path_info structure to cause a denial of service.

The issue may occur because ceph_mdsc_build_path() initializes the structure only on success, while callers may still free it after an error.


25) NULL pointer dereference (CVE-ID: CVE-2026-43416)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in perf_callchain_user_64 when getting a user callchain while current->mm has already been released. A local user can run a profiling BPF program to cause a denial of service.

The issue can lead to a kernel panic during stack trace collection.


26) Race condition (CVE-ID: CVE-2026-43427)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to a race condition in the cdc-wdm read code path when processing read operations. A local user can trigger the race and read uninitialized memory to disclose sensitive information.


27) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43470)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of directory aliases in nfs3_proc_create when processing concurrent file creation and removal operations with the same name. A local user can trigger concurrent create and open operations without O_EXCL to cause a denial of service.

The issue can result in a kernel oops when a negative dentry is supplied to do_dentry_open during finish_open.


28) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43472)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in unshare_fs() when handling unshare(2) requests with CLONE_NEWNS together with additional namespace flags that can fail after mount namespace creation. A local user can invoke unshare(2) in this state to cause a denial of service.

The issue can leave the calling process with pwd and root pointing to detached isolated mounts after unshare(2) fails, such as after an -ENOMEM error during cgroup namespace setup.


29) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43483)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the KVM SVM AVIC/CR8 interception logic when activating or deactivating AVIC. A local user can trigger guest operations that lead to a dangling CR8 write intercept to cause a denial of service.

The issue affects SVM and can be fatal to Windows guests when combined with a TPR synchronization bug.


30) Integer underflow (CVE-ID: CVE-2026-43492)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer underflow in mpi_read_raw_from_sgl() when processing a crafted scatterlist during a KEYCTL_PKEY_ENCRYPT system call. A local user can supply an input buffer of zeroes with a larger out_len than in_len to cause a denial of service.

The issue can cause the kernel to spin forever, resulting in soft lockup splats.


Remediation

Install the update from the vendor's website.