SB20260612129 - SUSE update for the Linux Kernel
Published: June 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-31405)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read in handle_one_ule_extension() extension handler tables when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.
The out-of-bounds value may be dereferenced and called as a function pointer.
2) Use-after-free (CVE-ID: CVE-2026-31629)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() when handling sockets in the LLCP_CLOSED state. A local user can trigger the affected code path to cause a denial of service.
3) Use-after-free (CVE-ID: CVE-2026-31758)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in usbtmc_release when handling pending anchored URBs during device release. A local user can trigger release while anchored URBs are still pending to cause a denial of service.
4) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.
The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.
5) Out-of-bounds write (CVE-ID: CVE-2026-43206)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to an out-of-bounds write in kfd_event_page_set() when processing a user-supplied buffer size parameter. A local user can pass a small buffer to trigger an out-of-bounds kernel memory write to escalate privileges.
6) Use-after-free (CVE-ID: CVE-2026-43499)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in remove_waiter() when rolling back a proxy lock from futex_requeue(). A local user can trigger the affected rtmutex slowlock and proxy-lock rollback path to cause a denial of service.
The issue can leave waiter task state uncleared and operate on the wrong top priority waiter task.
7) Out-of-bounds write (CVE-ID: CVE-2026-43501)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in ipv6_rpl_srh_rcv() and skb_mac_header_rebuild() when processing a crafted IPv6 packet with a recompressed type-3 source routing header. A local user can send a specially crafted raw IPv6 packet to trigger an out-of-bounds write and cause a denial of service.
Exploitation requires the ability to send an AF_INET6 SOCK_RAW packet with IPV6_HDRINCL over the loopback interface.
8) Double free (CVE-ID: CVE-2026-45852)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in rxe_srq_from_init in the RDMA rxe subsystem when handling a failed copy_to_user operation during SRQ creation. A local user can trigger an error path to cause a denial of service.
9) Use-after-free (CVE-ID: CVE-2026-45970)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the rlb_arp_recv function in the bonding ALB RX path when processing ARP messages during rapid bond up/down cycles. A local user can trigger concurrent bond up/down operations while ARP traffic is being received to cause a denial of service.
The issue is triggered by a race condition between rlb_arp_recv() and rlb_deinitialize().
10) Use-after-free (CVE-ID: CVE-2026-46021)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in thermal_set_governor() and thermal_zone_device_unregister() when handling concurrent governor updates via sysfs during thermal zone unregistration. A local user can trigger a governor update race to cause a denial of service.
The issue can occur if thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered.
11) Integer underflow (CVE-ID: CVE-2026-46043)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in rxe_rcv when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.
12) Use-after-free (CVE-ID: CVE-2026-46113)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in KVM shadow paging when handling guest page table changes between VM entries. A local user can modify guest page tables to create a stale reverse-mapping entry and trigger a stale rmap walk to cause a denial of service.
This can be triggered during operations such as dirty logging or MMU notifier invalidations.
13) Improper input validation (CVE-ID: CVE-2026-46243)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.
The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.
Remediation
Install update from vendor's website.