SB2026061291 - openEuler 24.03 LTS SP1 update for kernel
Published: June 12, 2026
Description
This security bulletin contains information about 37 vulnerabilities.
1) Resource management error (CVE-ID: CVE-2025-38389)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the ring_context_alloc() function in drivers/gpu/drm/i915/gt/intel_ring_submission.c. A local user can perform a denial of service (DoS) attack.
2) Buffer overflow (CVE-ID: CVE-2025-68183)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory corruption within the ima_protect_xattr(), ima_reset_appraise_flags(), ima_inode_setxattr() and ima_inode_set_acl() functions in security/integrity/ima/ima_appraise.c. A local user can perform a denial of service (DoS) attack.
3) NULL pointer dereference (CVE-ID: CVE-2025-68198)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the __crash_shrink_memory() function in kernel/crash_core.c. A local user can perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2025-68813)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the __ip_vs_get_out_rt() function in net/netfilter/ipvs/ip_vs_xmit.c. A local user can perform a denial of service (DoS) attack.
5) Resource management error (CVE-ID: CVE-2025-71085)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the calipso_skbuff_setattr() function in net/ipv6/calipso.c. A local user can perform a denial of service (DoS) attack.
6) Use-after-free (CVE-ID: CVE-2026-31527)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the platform driver core driver_override handling when probing a driver through __driver_attach(). A local user can trigger concurrent access to the driver_override field to cause a denial of service.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.
The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
8) Out-of-bounds read (CVE-ID: CVE-2026-31709)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in cifsacl DACL rewrite helpers when processing a server-supplied truncated DACL. A remote attacker can send a malformed ACL response to cause a denial of service.
The issue occurs because the incoming DACL body and each ACE were not structurally validated before chmod/chown security descriptor rebuild paths walked the ACE list.
9) Improper input validation (CVE-ID: CVE-2026-43024)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in nf_tables verdict handling when processing nftables rules. A local user can create a rule with an immediate NF_QUEUE verdict to cause a denial of service.
The issue is reachable in the arp family even though queue support is not provided there.
10) Out-of-bounds read (CVE-ID: CVE-2026-43038)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.
The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.
11) Out-of-bounds read (CVE-ID: CVE-2026-43071)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in dentry_hashtable when processing lookups with dhash_entries set to 1. A local user can trigger filesystem lookup operations to cause a denial of service.
The issue occurs because a single hash bucket can cause an invalid shift calculation that leads to access of unallocated memory.
12) Use of uninitialized resource (CVE-ID: CVE-2026-43088)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an information exposure caused by uninitialized memory in PF_KEY export paths when exporting aligned sockaddr payloads for certain PF_KEY messages. A local user can trigger affected PF_KEY message handling to disclose sensitive information.
The issue affects the SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE export paths, while state and policy dump builders are not affected.
13) Improper Initialization (CVE-ID: CVE-2026-43089)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization in build_mapping() when copying xfrm_usersa_id structures to userspace. A local user can trigger the affected code path to disclose sensitive information.
The issue is caused by a one-byte padding hole after the proto field that is not cleared before the structure is copied out.
14) Improper input validation (CVE-ID: CVE-2026-43107)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in xfrm_get_ae() and xfrm_aevent_msgsize() when handling malformed netlink interactions for xfrm aevent messages. A local user can send a malformed netlink interaction to cause a denial of service.
The issue is triggered for states with if_id set, where the reply skb size calculation does not account for the XFRMA_IF_ID attribute.
15) Race condition (CVE-ID: CVE-2026-43198)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.
The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.
16) Improper locking (CVE-ID: CVE-2026-43216)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in skb_may_tx_timestamp() when processing transmit timestamps in interrupt context. A local user can trigger transmit timestamp handling to cause a deadlock.
The issue occurs when a driver completes the transmit timestamp from a dedicated interrupt handler while the same lock is already write-locked on the same CPU.
17) Out-of-bounds write (CVE-ID: CVE-2026-43248)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in vdpa_sim when assigning an ASID to a group. A local user can assign a valid ASID to a group equal to ngroups to cause a denial of service.
18) Use-after-free (CVE-ID: CVE-2026-43303)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the swap subsystem when handling stale page->private values on reallocated and split pages. A local user can trigger swapoff operations after causing affected page state reuse to cause a denial of service.
The issue occurs because tail pages can retain stale page->private values after split_page(), leading swap_count_continued() to follow an invalid continuation list and access poisoned list entries.
19) NULL pointer dereference (CVE-ID: CVE-2026-43413)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the hisi_sas user_scan() handling path when processing a user-initiated scan request. A local user can write a crafted scan request via sysfs to trigger a kernel crash and cause a denial of service.
The issue is triggered because the driver supports only one channel, but scanning proceeds to an additional channel value.
20) Improper input validation (CVE-ID: CVE-2026-45850)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ipvs checksum validation when processing IPv6 packets with extension headers. A remote attacker can send specially crafted IPv6 packets to cause a denial of service.
21) Double free (CVE-ID: CVE-2026-45891)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in hns3_set_ringparam() and the ring cleanup path when handling ring reconfiguration after a memory allocation failure. A local user can trigger ring parameter changes that lead to a failed ring initialization to cause a denial of service.
The issue is caused by a stale dangling pointer in the tx_spare field that is mistaken for a newly allocated buffer during error cleanup.
22) Race condition (CVE-ID: CVE-2026-45894)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the Intel VT-d scalable mode PASID table entry handling when tearing down an active PASID entry. A local user can trigger concurrent PASID entry teardown to cause a denial of service.
The issue can lead to unpredictable behavior or spurious faults if the IOMMU hardware observes a torn read of the entry.
23) Deadlock (CVE-ID: CVE-2026-45895)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a livelock condition in quotactl_block() when waiting for a frozen filesystem to thaw. A local user can repeatedly toggle quota operations during filesystem freeze activity to cause a denial of service.
The issue is reliably triggered on non-preemptible kernels when the freezer and quota operations run on the same CPU.
24) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45915)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of link counts in vfat_rmdir() and msdos_rmdir() when processing a corrupted FAT filesystem image during directory removal. A local user can trigger directory removal on a crafted filesystem image to cause a denial of service.
25) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45919)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper logic in rto_next_cpu() when handling RT load balancing on an overloaded CPU. A local user can trigger repeated self-IPIs to cause a denial of service.
The issue can lead to a CPU hardlockup when HAVE_RT_PUSH_IPI is enabled and the affected CPU remains overloaded while other CPUs run pull_rt_task().
26) Double free (CVE-ID: CVE-2026-45920)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ext4 block allocation handling when processing filesystem shutdown error paths. A local user can trigger a filesystem shutdown during block allocation operations to cause a denial of service.
The issue can lead to an inconsistent dirty cluster counter state and trigger a kernel warning in ext4_put_super().
27) Race condition (CVE-ID: CVE-2026-45942)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ext4 buddy bitmap handling when processing mixed huge-page workloads and concurrent page migration. A local user can trigger filesystem activity that hits the race window to cause a denial of service.
The issue can lead to ext4 e4b bitmap inconsistency reports and false-positive corruption reports during stress conditions.
28) Race condition (CVE-ID: CVE-2026-45944)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the Intel VT-d IOMMU context entry teardown logic when tearing down context entries. A local attacker can trigger use of a torn context entry to cause a denial of service.
The issue arises because the hardware may observe a partially updated 128-bit context entry while the Present bit remains set, resulting in unpredictable behavior or spurious faults.
29) Memory leak (CVE-ID: CVE-2026-45948)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ext4_ext_shift_extents() when shifting extents. A local user can trigger the vulnerable code path to cause a denial of service.
30) Out-of-bounds write (CVE-ID: CVE-2026-45968)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds index in the cpuidle ladder governor when selecting an idle state on systems with only one available idle state. A local attacker can trigger the vulnerable code path to cause a denial of service.
This issue occurs on certain platforms where cpuidle registers only a single polling idle state, which can result in a NULL enter callback being invoked and a system crash.
31) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45985)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper extent state handling in ext4_split_convert_extents() when allocating blocks during within-EOF direct I/O and writeback with dioread_nolock enabled. A local user can trigger a failed direct I/O write that splits an unwritten extent to disclose sensitive information.
The issue can occur when a temporary ENOSPC condition happens during extent splitting, causing inconsistency between the on-disk extent state and the extent status tree.
32) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46032)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper error handling in nested_svm_vmexit() in KVM nSVM when handling a nested #VMEXIT after a failure to restore the host CR3. A local user can trigger a failure while loading L1's CR3 to cause a denial of service.
The issue can leave the guest running with corrupted state after the error is ignored.
33) Use-after-free (CVE-ID: CVE-2026-46065)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in fbdev deferred I/O handling when accessing a memory mapping after device hot-unplug. A local user can keep an active mapping of graphics memory and access it after hot-unplug to cause a denial of service.
Access to the invalidated mapping may result in a SIGBUS signal.
34) Improper resource shutdown or release (CVE-ID: CVE-2026-46153)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in vlan_dev_set_egress_priority() when repeatedly setting and clearing egress priority mappings with distinct skb priorities. A local user can trigger repeated set and clear operations to cause a denial of service.
The issue results in mapping nodes being retained until device teardown, leading to memory consumption over time.
35) Use-after-free (CVE-ID: CVE-2026-46242)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to a use-after-free in ep_remove() in fs/eventpoll.c when removing epoll file references during a race with file release handling. A local user can trigger a race condition to cause memory corruption.
The issue involves the epoll-watches-epoll case and a concurrent __fput() path that can lead to operations on freed structures.
36) NULL pointer dereference (CVE-ID: CVE-2026-46245)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in amdgpu_dm_hpd_init() in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c when initializing HPD interrupts for connectors without a valid dc_link. A local user can trigger handling of such a connector to cause a denial of service.
37) Use-after-free (CVE-ID: CVE-2026-46259)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.
Remediation
Install the update from the vendor's website.