SB2026060549 - openEuler 20.03 LTS SP4 update for kernel
Published: June 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 34 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2025-38263)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the CLOSURE_CALLBACK() function in drivers/md/bcache/super.c. A local user can escalate privileges on the system.
2) Use of uninitialized resource (CVE-ID: CVE-2025-38403)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to use of uninitialized resource within the vmci_transport_packet_init() function in net/vmw_vsock/vmci_transport.c. A local user can perform a denial of service (DoS) attack.
3) Improper locking (CVE-ID: CVE-2025-38459)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the clip_mkip() function in net/atm/clip.c. A local user can perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2025-38602)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the iwl_bg_restart(), iwl_setup_deferred_work(), iwl_op_mode_dvm_start() and iwl_cancel_deferred_work() functions in drivers/net/wireless/intel/iwlwifi/dvm/main.c. A local user can perform a denial of service (DoS) attack.
5) Use of uninitialized resource (CVE-ID: CVE-2025-38644)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to use of uninitialized resource within the ieee80211_tdls_oper() function in net/mac80211/tdls.c. A local user can perform a denial of service (DoS) attack.
6) Infinite loop (CVE-ID: CVE-2025-39738)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the create_reloc_root() function in fs/btrfs/relocation.c. A local user can perform a denial of service (DoS) attack.
7) Out-of-bounds read (CVE-ID: CVE-2025-40020)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the peak_usb_update_ts_now() function in drivers/net/can/usb/peak_usb/pcan_usb_core.c. A local user can perform a denial of service (DoS) attack.
8) Resource management error (CVE-ID: CVE-2025-68340)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the team_port_add() function in drivers/net/team/team_core.c. A local user can perform a denial of service (DoS) attack.
9) Out-of-bounds read (CVE-ID: CVE-2026-23243)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.
Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.
10) Use After Free (CVE-ID: CVE-2026-23273)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.
Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.
11) Use-after-free (CVE-ID: CVE-2026-31586)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.
The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().
12) Use-after-free (CVE-ID: CVE-2026-31588)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in complete_emulated_mmio() when servicing an emulated MMIO write that splits a page boundary across MMIO pages. A local user can trigger crafted KVM_RUN operations to cause a denial of service.
The issue occurs for write payloads of 8 bytes or less and is most visible when the second KVM_RUN is performed by a separate task.
13) Race condition (CVE-ID: CVE-2026-31678)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the openvswitch tunnel device destruction path when destroying a tunnel vport after device unregistration. A local user can trigger concurrent access to a detached device reference to cause a denial of service.
14) Double free (CVE-ID: CVE-2026-31759)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.
15) Observable discrepancy (CVE-ID: CVE-2026-31781)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper restriction of speculative execution in drm_compat_ioctl when processing a user-controlled pointer used as an index into a function pointer table. A local user can supply a crafted index value to disclose sensitive information.
The issue affects the drm compat ioctl path.
16) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.
The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.
17) Out-of-bounds read (CVE-ID: CVE-2026-43038)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.
The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.
18) Use of Uninitialized Variable (CVE-ID: CVE-2026-43139)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use of uninitialized memory in xfrm6_get_saddr() when handling IPv6 source address selection failures. A local user can trigger network operations that cause ipv6_dev_get_saddr() to fail and use the uninitialized address to cause a denial of service.
19) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the xfs extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.
The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.
20) Race condition (CVE-ID: CVE-2026-43180)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double submission of an active URB in kaweth_set_rx_mode when handling rx mode changes during transmission. A local user can trigger network interface state changes to cause a denial of service.
The issue is caused by premature transmission queue wake-up while tx_urb is still in flight, which triggers the warning "URB submitted while active".
21) Out-of-bounds read (CVE-ID: CVE-2026-43190)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.
22) Out-of-bounds read (CVE-ID: CVE-2026-43233)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in decode_choice() in nf_conntrack_h323 when processing a crafted Q.931 SETUP message containing a User-User Information Element with PER-encoded data. A remote attacker can send a specially crafted network message to disclose sensitive information.
Exploitation requires the nf_conntrack_h323 helper to be active and can be triggered via port 1720.
23) Out-of-bounds read (CVE-ID: CVE-2026-43281)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in fw_mbox_index_xlate() when processing device tree mailbox definitions with #mbox-cells = <0> and no fw_xlate or of_xlate handler. A local user can supply a crafted device tree configuration to cause a denial of service.
The issue occurs when the default translation function is used for the mailbox controller.
24) Double free (CVE-ID: CVE-2026-43328)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in cpufreq_dbs_governor_init() when handling a failure from kobject_init_and_add(). A local user can trigger the error path to cause a denial of service.
25) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-43336)
CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to missing zeroization of sensitive data in the ChaCha implementation in lib/crypto/chacha when processing cryptographic state on the stack. A local user can read residual stack memory to disclose sensitive information.
The permuted state is sufficient to reconstruct the original state, including the key.
26) Race condition (CVE-ID: CVE-2026-43427)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to a race condition in the cdc-wdm read code path when processing read operations. A local user can trigger the race and read uninitialized memory to disclose sensitive information.
27) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43466)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the mlx5e transmit queue recovery logic when handling a TX error CQE during SQ recovery. A local user can trigger a TX error CQE recovery flow to cause a denial of service.
The issue can desynchronize the DMA FIFO producer and consumer counters, leading to stale DMA addresses being unmapped and a kernel warning.
28) Improper input validation (CVE-ID: CVE-2026-45840)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.
On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.
29) Integer overflow (CVE-ID: CVE-2026-46006)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in nouveau_gem_pushbuf_reloc_apply() when validating relocation bounds checks. A local user can provide a crafted relocation offset to cause a denial of service.
30) Use-after-free (CVE-ID: CVE-2026-46021)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in thermal_set_governor() and thermal_zone_device_unregister() when handling concurrent governor updates via sysfs during thermal zone unregistration. A local user can trigger a governor update race to cause a denial of service.
The issue can occur if thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered.
31) Integer overflow (CVE-ID: CVE-2026-46023)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to integer overflow in create_dirty_log() when parsing a device mapper table string. A local user can supply a crafted param_count value to trigger out-of-bounds reads on the argv array to disclose sensitive information.
32) Out-of-bounds read (CVE-ID: CVE-2026-46033)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in the authencesn ESN encrypt/decrypt paths when handling AF_ALG requests with a too-short authentication tag inherited from an ahash digest size of 1 to 3 bytes. A local user can select an ahash with a digest size of 1 to 3 bytes and trigger ESN tail handling to cause a denial of service.
33) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46052)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of negative dentries in fs/ceph/dir.c when processing Ceph lookup or atomic_open operations with reused cached negative dentries. A local user can trigger lookup paths that call d_add() on an already-hashed negative dentry to cause a denial of service.
The issue can corrupt the dcache hash bucket, potentially creating a self-loop that causes __d_lookup() to spin forever and trigger RCU stall reports.
34) Use-after-free (CVE-ID: CVE-2026-46227)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.
The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.
Remediation
Install update from vendor's website.