SB2026061057 - SUSE update for the Linux Kernel

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026061057

SB2026061057 - SUSE update for the Linux Kernel

Published: June 10, 2026

Security Bulletin ID SB2026061057
CSH Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 30% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23271)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a race condition in the perf subsystem when handling performance events. A local user can trigger a use-after-free condition during event overflow processing to execute arbitrary code, escalate privileges, and cause a denial of service.

The issue arises from improper synchronization between __perf_event_overflow() and perf_remove_from_context(), where the overflow handler may access memory after it has been freed by context removal routines. The attacker must be able to create and manipulate perf events, which typically requires low-privileged user access to the perf subsystem.


2) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.


3) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.

The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.


4) Improper input validation (CVE-ID: CVE-2026-31685)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.


5) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.

The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.


6) Use-after-free (CVE-ID: CVE-2026-43126)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a use-after-free in the ALSA OSS mixer layer when handling OSS mixer accesses during device disconnection. A local user can trigger concurrent mixer control operations on a disconnecting sound card to cause a denial of service or execute arbitrary code.

The issue arises because pending kcontrol operation calls may not be caught while the device is being disconnected.


7) Out-of-bounds read (CVE-ID: CVE-2026-43190)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.


8) Use-after-free (CVE-ID: CVE-2026-43437)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in snd_pcm_drain() when handling a linked stream runtime after releasing the stream lock. A local user can trigger a concurrent close() on the linked stream's file descriptor to cause a denial of service.

The issue occurs because the drain path dereferences stale runtime fields from a linked stream after the runtime can be freed by concurrent unlink and detach operations.


9) Use-after-free (CVE-ID: CVE-2026-43499)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in remove_waiter() when rolling back a proxy lock from futex_requeue(). A local user can trigger the affected rtmutex slowlock and proxy-lock rollback path to cause a denial of service.

The issue can leave waiter task state uncleared and operate on the wrong top priority waiter task.


10) Improper input validation (CVE-ID: CVE-2026-46243)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.

The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.


Remediation

Install update from vendor's website.

References