SB2026061111 - Red Hat Enterprise Linux 10 update for kernel
Published: June 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-31419)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.
The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.
2) Resource exhaustion (CVE-ID: CVE-2026-31467)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the erofs bio completion path when processing decompression in process context. A local user can trigger memory pressure during this operation to cause a denial of service.
The issue can lead to a deadlock when memory reclaim causes swap I/O through submit_bio_wait.
3) Use-after-free (CVE-ID: CVE-2026-31532)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.
The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.
4) Use-after-free (CVE-ID: CVE-2026-31581)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in usb6fire_chip_abort() in the ALSA 6fire USB driver when handling device disconnect. A local user can trigger a device disconnect to cause a denial of service.
The issue occurs because the card private data may be freed synchronously when no file handles are open, after which the code accesses the freed chip structure.
5) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.
The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.
6) Out-of-bounds write (CVE-ID: CVE-2026-43501)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in ipv6_rpl_srh_rcv() and skb_mac_header_rebuild() when processing a crafted IPv6 packet with a recompressed type-3 source routing header. A local user can send a specially crafted raw IPv6 packet to trigger an out-of-bounds write and cause a denial of service.
Exploitation requires the ability to send an AF_INET6 SOCK_RAW packet with IPV6_HDRINCL over the loopback interface.
7) Improper access control (CVE-ID: CVE-2026-46054)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass SELinux access controls.
The vulnerability exists due to improper access control in SELinux overlayfs mmap() and mprotect() access checks when handling mmap() and mprotect() operations on overlayfs filesystems. A local user can map or change protections on an overlayfs file to bypass SELinux access controls.
Remediation
Install update from vendor's website.