SB2026061292 - openEuler 22.03 LTS SP4 update for kernel
Published: June 12, 2026
Description
This security bulletin contains information about 73 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2025-39759)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the btrfs_check_quota_leak() and btrfs_qgroup_rescan() functions in fs/btrfs/qgroup.c. A local user can escalate privileges on the system.
2) Buffer overflow (CVE-ID: CVE-2025-39952)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to memory corruption in drivers/net/wireless/microchip/wilc1000/wlan_cfg.h. A local user can escalate privileges on the system.
3) NULL pointer dereference (CVE-ID: CVE-2025-68330)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference in drivers/iio/accel/bmc150-accel.h. A local user can perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2025-68755)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the function in drivers/staging/most/i2c/i2c.c. A local user can perform a denial of service (DoS) attack.
5) NULL pointer dereference (CVE-ID: CVE-2025-71184)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference in include/trace/events/btrfs.h. A local user can perform a denial of service (DoS) attack.
6) Division by zero (CVE-ID: CVE-2026-31605)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero in the udlfb driver when handling FBIOPUT_VSCREENINFO ioctl requests. A local user can submit crafted screen information values to trigger a kernel crash and cause a denial of service.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.
The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
8) Improper input validation (CVE-ID: CVE-2026-31615)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in standard request handlers in the renesas_usb3 USB gadget driver when processing host-supplied standard USB requests. A remote attacker can send a specially crafted request with an invalid endpoint index to cause a denial of service.
9) Out-of-bounds write (CVE-ID: CVE-2026-31616)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in pn_rx_complete() when processing an unbounded sequence of full-page USB OUT transfers. A remote attacker can send a crafted sequence of full-page USB OUT transfers to cause memory corruption.
The issue affects a Linux gadget exposing a Phonet function and occurs when each transfer is exactly PAGE_SIZE bytes, preventing the skb from being reset.
10) Integer underflow (CVE-ID: CVE-2026-31617)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to disclose sensitive information.
The vulnerability exists due to an integer underflow in ncm_unwrap_ntb() in the f_ncm USB gadget component when processing a host-supplied NTB header. An attacker with physical access can provide a crafted NTB header with a too-small block length and out-of-bounds indexes to disclose sensitive information.
The issue can cause adjacent kernel memory to be copied into a network skb.
11) Division by zero (CVE-ID: CVE-2026-31618)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero in the tdfxfb driver when handling FBIOPUT_VSCREENINFO requests. A local user can submit crafted screen information to trigger a kernel crash and cause a denial of service.
12) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31700)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass safety checks.
The vulnerability exists due to a time-of-check time-of-use race condition in tpacket_snd() when processing a mmap'd vnet_hdr in the TPACKET TX path with PACKET_VNET_HDR enabled. A local user can modify vnet_hdr fields in the shared ring buffer between validation and use to bypass safety checks.
Only the TPACKET TX path is affected.
13) Out-of-bounds read (CVE-ID: CVE-2026-31786)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.
The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.
In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.
14) Improper input validation (CVE-ID: CVE-2026-43077)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.
15) Out-of-bounds write (CVE-ID: CVE-2026-43078)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in af_alg_pull_tsgl when reassigning pages. A local user can trigger page reassignment that reassigns one more page than necessary to cause a denial of service.
16) Use-after-free (CVE-ID: CVE-2026-43091)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in xfrm policy_bydst hash tables during network namespace teardown when concurrent RCU-protected policy lookups are performed. A local user can trigger network namespace teardown while the tables are still being accessed to cause a denial of service.
The issue occurs because the memory can be freed before an RCU grace period has elapsed.
17) Improper input validation (CVE-ID: CVE-2026-43093)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in xdp_umem_reg() when registering UMEM with insufficient headroom and tailroom. A local user can supply a crafted UMEM configuration to cause a denial of service.
The issue can leave insufficient space for a minimum-sized Ethernet frame and may corrupt skb_shared_info stored at the end of an XSK frame when multi-buffer operation is involved.
18) Use-after-free (CVE-ID: CVE-2026-43116)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in netfilter ctnetlink expectation handling when processing expectation add, delete, get, or event operations. A local user can trigger access to an invalid master conntrack object to cause a denial of service.
19) Out-of-bounds write (CVE-ID: CVE-2026-43125)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in dlm_search_rsb_tree() when processing network messages with an excessive resource name length. A remote attacker can send a specially crafted network message to cause a denial of service.
The length value originates from the len parameter in dlm_dump_rsb_name().
20) Improper input validation (CVE-ID: CVE-2026-43130)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper device state validation in dev-IOTLB flushing logic when detaching or releasing a PCIe device in scalable mode after the device link goes down. A local user can trigger device teardown for an inaccessible PCIe device to cause a denial of service.
The issue can hard-lock the system while releasing resources after a VM fails to connect to the PCIe device.
21) Use of Uninitialized Variable (CVE-ID: CVE-2026-43139)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use of uninitialized memory in xfrm6_get_saddr() when handling IPv6 source address selection failures. A local user can trigger network operations that cause ipv6_dev_get_saddr() to fail and use the uninitialized address to cause a denial of service.
22) Out-of-bounds read (CVE-ID: CVE-2026-43190)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.
23) Race condition (CVE-ID: CVE-2026-43198)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.
The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.
24) Out-of-bounds read (CVE-ID: CVE-2026-43233)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in decode_choice() in nf_conntrack_h323 when processing a crafted Q.931 SETUP message containing a User-User Information Element with PER-encoded data. A remote attacker can send a specially crafted network message to disclose sensitive information.
Exploitation requires the nf_conntrack_h323 helper to be active and can be triggered via port 1720.
25) Improper locking (CVE-ID: CVE-2026-43253)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in iommu_completion_wait() when waiting for command completion with iommu.strict=1 under stressed conditions. A local user can trigger IOMMU activity that causes the kernel to busy-wait under a spinlock with interrupts disabled to cause a denial of service.
The issue can result in soft lockups because wait_on_sem() polls a hardware-updated semaphore while the spinlock is held.
26) Improper locking (CVE-ID: CVE-2026-43319)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in the spidev driver when handling concurrent write and ioctl operations on the same spidev file descriptor. A local user can perform write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads to cause a denial of service.
The issue is triggered by an AB-BA locking pattern involving spi_lock and buf_lock.
27) Use-after-free (CVE-ID: CVE-2026-43339)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in addrconf_permanent_addr() when handling an exceptional condition in IPv6 address configuration. A local user can trigger the warning path to cause a denial of service.
28) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43383)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to observable timing differences in tcp-md5 MAC comparison when verifying TCP MD5 signatures. A remote attacker can measure response timing during crafted network interactions to disclose sensitive information.
29) Out-of-bounds read (CVE-ID: CVE-2026-43450)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in nfnl_cthelper_dump_table() when handling netlink dump requests after a previously saved helper entry is deleted between dump rounds. A local user can trigger the affected dump logic to cause a denial of service.
The issue is triggered when the saved "last" helper is deleted between dump rounds, causing a restart path to bypass the loop bounds check.
30) Out-of-bounds read (CVE-ID: CVE-2026-43452)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the xt_tcpudp and xt_dccp option walkers when parsing malformed TCP or DCCP options. A remote attacker can send a specially crafted packet to cause a denial of service.
31) Out-of-bounds read (CVE-ID: CVE-2026-43453)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in pipapo_drop() when processing nftables set data. A local attacker can trigger the vulnerable code path to disclose sensitive information.
The issue occurs on the last iteration when evaluating rulemap[i + 1].n, causing a read 4 bytes past the end of the stack-allocated rulemap array.
32) Use-after-free (CVE-ID: CVE-2026-43499)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in remove_waiter() when rolling back a proxy lock from futex_requeue(). A local user can trigger the affected rtmutex slowlock and proxy-lock rollback path to cause a denial of service.
The issue can leave waiter task state uncleared and operate on the wrong top priority waiter task.
33) Improper input validation (CVE-ID: CVE-2026-45840)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.
On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.
34) Out-of-bounds read (CVE-ID: CVE-2026-45843)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in slhc_uncompress() when parsing a short VJ-compressed TCP header with optional fields requested in the change byte. A remote attacker can send a specially crafted compressed packet to disclose sensitive information.
The over-read bytes are incorporated into cached connection state and may be reflected into subsequent reconstructed packets.
35) Double free (CVE-ID: CVE-2026-45852)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in rxe_srq_from_init in the RDMA rxe subsystem when handling a failed copy_to_user operation during SRQ creation. A local user can trigger an error path to cause a denial of service.
36) Improper Initialization (CVE-ID: CVE-2026-45862)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in the PASID table handling in the Intel VT-d IOMMU subsystem when using a freshly allocated PASID table before its cache flush completes. A local user can trigger use of the PASID table with stale memory contents to cause a denial of service.
The issue affects systems with non-coherent IOMMU hardware.
37) Race condition (CVE-ID: CVE-2026-45894)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the Intel VT-d scalable mode PASID table entry handling when tearing down an active PASID entry. A local user can trigger concurrent PASID entry teardown to cause a denial of service.
The issue can lead to unpredictable behavior or spurious faults if the IOMMU hardware observes a torn read of the entry.
38) Race condition (CVE-ID: CVE-2026-45905)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in icmp_route_lookup() reverse path handling when processing packets that trigger ICMP error generation. A local user can trigger concurrent route lookup and address changes to cause a denial of service.
The issue occurs when a route returned by ip_route_input() becomes a local route and is then used for ICMP output, leading to a WARN_ON via ip_rt_bug().
39) Race condition (CVE-ID: CVE-2026-45914)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the ibmpex hwmon driver sysfs sensor handling when reading sensor files during device removal. A local user can read a sensor sysfs file during the removal sequence to cause a kernel crash.
The issue occurs because driver data may be cleared while a sysfs callback still dereferences it.
40) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45915)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of link counts in vfat_rmdir() and msdos_rmdir() when processing a corrupted FAT filesystem image during directory removal. A local user can trigger directory removal on a crafted filesystem image to cause a denial of service.
41) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45919)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper logic in rto_next_cpu() when handling RT load balancing on an overloaded CPU. A local user can trigger repeated self-IPIs to cause a denial of service.
The issue can lead to a CPU hardlockup when HAVE_RT_PUSH_IPI is enabled and the affected CPU remains overloaded while other CPUs run pull_rt_task().
42) Double free (CVE-ID: CVE-2026-45920)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ext4 block allocation handling when processing filesystem shutdown error paths. A local user can trigger a filesystem shutdown during block allocation operations to cause a denial of service.
The issue can lead to an inconsistent dirty cluster counter state and trigger a kernel warning in ext4_put_super().
43) Heap-based buffer overflow (CVE-ID: CVE-2026-45935)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in DeleteIndexEntryRoot in the ntfs3 filesystem code when processing a crafted log record. A local user can supply a maliciously large entry size value to trigger memory corruption and cause a denial of service.
44) Race condition (CVE-ID: CVE-2026-45944)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the Intel VT-d IOMMU context entry teardown logic when tearing down context entries. A local attacker can trigger use of a torn context entry to cause a denial of service.
The issue arises because the hardware may observe a partially updated 128-bit context entry while the Present bit remains set, resulting in unpredictable behavior or spurious faults.
45) Memory leak (CVE-ID: CVE-2026-45948)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ext4_ext_shift_extents() when shifting extents. A local user can trigger the vulnerable code path to cause a denial of service.
46) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45983)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in nfs4 compound request handling when processing v4 request compound arguments that trigger idmap lookup upcalls. A remote user can send a crafted NFSv4 request to cause a denial of service.
When idmap lookup upcall responses are delayed beyond the allowed time limit, the request can be dropped before the compound response is encoded, leaving the session slot marked as in use and causing subsequent client requests to fail with NFSERR_JUKEBOX.
47) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45985)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper extent state handling in ext4_split_convert_extents() when allocating blocks during within-EOF direct I/O and writeback with dioread_nolock enabled. A local user can trigger a failed direct I/O write that splits an unwritten extent to disclose sensitive information.
The issue can occur when a temporary ENOSPC condition happens during extent splitting, causing inconsistency between the on-disk extent state and the extent status tree.
48) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45987)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state synchronization in nested SVM interrupt shadow handling when restoring nested virtual machine state. A local user can trigger restoration of nested state with KVM_SET_VCPU_EVENTS preceding KVM_SET_NESTED_STATE to cause a denial of service.
The issue affects L2 guests, where an incorrectly restored interrupt shadow can cause the vCPU to hang.
49) Heap-based buffer overflow (CVE-ID: CVE-2026-45991)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in part_descs_loc[] handling in handle_partition_descriptor() when mounting a crafted UDF image with repeated partition descriptors. A local user can supply a specially crafted UDF image to cause a denial of service.
50) Improper input validation (CVE-ID: CVE-2026-46018)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in parse_uac2_sample_rate_range() when parsing a malformed UAC2 range response from a USB audio device. A local attacker can provide a specially crafted UAC2 range response to cause a denial of service.
The issue can trigger repeated kernel log messages while device probing still holds register_mutex.
51) Integer overflow (CVE-ID: CVE-2026-46023)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an integer overflow in create_dirty_log() when parsing a device mapper table string. A local user can supply a crafted param_count value to trigger out-of-bounds reads on the argv array to disclose sensitive information.
52) Race condition (CVE-ID: CVE-2026-46028)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.
The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.
53) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46032)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper error handling in nested_svm_vmexit() in KVM nSVM when handling a nested #VMEXIT after a failure to restore the host CR3. A local user can trigger a failure while loading L1's CR3 to cause a denial of service.
The issue can leave the guest running with corrupted state after the error is ignored.
54) Integer underflow (CVE-ID: CVE-2026-46043)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in rxe_rcv when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.
55) Improper Initialization (CVE-ID: CVE-2026-46049)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in spdif_passthru_playback_get_resources() when handling S/PDIF passthrough playback setup for 32000 Hz. A local user can trigger audio playback setup to cause a denial of service.
The issue can cause the calculation loop to spin indefinitely because the PLL rate remains 0 after card initialization.
56) Use-after-free (CVE-ID: CVE-2026-46056)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in SSP passkey handlers when handling Bluetooth SSP passkey and keypress notification events. A local user can trigger concurrent connection teardown during event processing to cause a denial of service.
57) Use-after-free (CVE-ID: CVE-2026-46065)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in fbdev deferred I/O handling when accessing a memory mapping after device hot-unplug. A local user can keep an active mapping of graphics memory and access it after hot-unplug to cause a denial of service.
Access to the invalidated mapping may result in a SIGBUS signal.
58) Improper resource shutdown or release (CVE-ID: CVE-2026-46083)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in spi device setup when registering a device after spi_setup() fails. A local user can trigger device setup failure to cause a denial of service.
59) Improper input validation (CVE-ID: CVE-2026-46088)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper buffer length validation in snd_ctl_elem_init_enum_names() when parsing enumeration names from a buffer. A local user can provide a crafted buffer with insufficient remaining length to trigger a kernel panic.
The issue is triggered on systems using CONFIG_FORTIFY_SOURCE where fortified strnlen() checks the remaining object size before the return value is examined.
60) Improper input validation (CVE-ID: CVE-2026-46101)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in nft_bitwise when initializing left and right shift expressions with a zero shift operand. A local user can create a malformed rule to cause a denial of service.
The issue is triggered in the control plane before malformed rules reach the packet path.
61) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46102)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in strp_abort_strp() when aborting the stream parser after a message assembly timeout. A remote attacker can trigger repeated aborts with partially assembled messages to cause a denial of service.
The issue leaks a reference to a partially assembled message held in strp->skb_head.
62) Improper update of reference count (CVE-ID: CVE-2026-46107)
CWE-ID: CWE-911 - Improper Update of Reference Count
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper reference count handling in the dm-thin rebalance_children function when rebalancing internal btree nodes with a shared child node. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs because grandchild node reference counts are not increased when the shared child node is retained, which can lead to "device mapper: space map common: unable to decrement block" errors.
63) Use-after-free (CVE-ID: CVE-2026-46116)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __xfrm_state_delete when deleting xfrm_state list entries during xfrm_state lifecycle handling. A local user can trigger repeated deletion of the same xfrm_state object to cause a denial of service.
The issue was reproduced under syzkaller load during network namespace cleanup in the xfrm subsystem.
64) Use of Uninitialized Variable (CVE-ID: CVE-2026-46132)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to uninitialized stack memory in rtnl_fill_vfinfo when handling RTM_GETLINK requests with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. A local attacker can send a crafted netlink request to disclose sensitive information.
The issue can leak up to 26 bytes of uninitialized kernel stack per virtual function per request to userspace.
65) Memory leak (CVE-ID: CVE-2026-46172)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory leak in xfrm6_rcv_encap() when processing IPv6 packets that trigger an error route lookup. A remote attacker can send specially crafted packets to cause a denial of service.
Repeated packets hitting this path leak dst entries.
66) Improper resource shutdown or release (CVE-ID: CVE-2026-46178)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in mlx4_ib_create_srq() when handling error conditions during SRQ creation. A local user can trigger an error during SRQ creation to cause a denial of service.
67) Improper input validation (CVE-ID: CVE-2026-46184)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in detect_usb_format() when processing class-specific USB descriptor fields from a connected device. An attacker with physical access can provide a crafted USB device with bNrChannels set to 0 to cause a denial of service.
The issue can lead to a kernel crash in playback_urb_complete() and capture_urb_complete() because a zero frame_bytes value is later used as a divisor.
68) Integer overflow (CVE-ID: CVE-2026-46209)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform out-of-bounds read or write operations.
The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.
The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.
69) Improper input validation (CVE-ID: CVE-2026-46243)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.
The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.
70) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46250)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper control of a register used as a global register variable in arch/mips/kernel/relocate.c when relocating the kernel with LLVM/Clang on MIPS. A local user can trigger kernel relocation in a vulnerable environment to cause a denial of service.
The issue can cause an early kernel crash in init_idle on MIPS systems built with affected LLVM versions.
71) Heap-based buffer overflow (CVE-ID: CVE-2026-46253)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow and an out-of-bounds read in persistent_ram_save_old() and ramoops_pstore_read() when processing persistent crash records after repeated calls for the same persistent_ram_zone. A local user can trigger a survivable crash sequence with a larger subsequent record to cause a denial of service.
Exploitation requires a prior crash record that did not fill the record size, pstore_update_ms to be enabled, and a non-fatal oops so the system continues running.
72) Use-after-free (CVE-ID: CVE-2026-46259)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.
73) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46265)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the hns_roce_irq_workq workqueue in the RDMA/hns driver when destroying queue pairs during reset handling with sunrpc and rpcrdma in use. A local user can trigger queue pair destruction to cause a denial of service.
The issue can occur when sunrpc is used and a reset is triggered.
Remediation
Install the update from the vendor's website.