Main Vulnerability Database SB2026061293

SB2026061293 - openEuler 20.03 LTS SP4 update for kernel

Published: June 12, 2026

Security Bulletin ID SB2026061293

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 19

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 19 vulnerabilities.

1) Memory leak (CVE-ID: CVE-2021-47237)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the mkiss_close() function in drivers/net/hamradio/mkiss.c. A local user can perform a denial of service (DoS) attack.

2) Improper Initialization (CVE-ID: CVE-2021-47261)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper initialization within the destroy_cq_user(), create_cq_kernel() and resize_kernel() functions in drivers/infiniband/hw/mlx5/cq.c. A local user can perform a denial of service (DoS) attack.

3) Input validation error (CVE-ID: CVE-2021-47336)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the smk_set_cipso() function in security/smack/smackfs.c. A local user can perform a denial of service (DoS) attack.

4) Memory leak (CVE-ID: CVE-2021-47345)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the cma_resolve_ib_route() function in drivers/infiniband/core/cma.c. A local user can perform a denial of service (DoS) attack.

5) NULL pointer dereference (CVE-ID: CVE-2021-47501)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the i40e_dbg_dump_desc() function in drivers/net/ethernet/intel/i40e/i40e_debugfs.c. A local user can perform a denial of service (DoS) attack.

6) Use-after-free (CVE-ID: CVE-2021-47520)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the pch_can_rx_normal() function in drivers/net/can/pch_can.c. A local user can escalate privileges on the system.

7) NULL pointer dereference (CVE-ID: CVE-2023-52806)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the snd_hdac_stream_assign() function in sound/hda/hdac_stream.c. A local user can perform a denial of service (DoS) attack.

8) Input validation error (CVE-ID: CVE-2024-35962)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the do_replace() and compat_do_replace() functions in net/ipv6/netfilter/ip6_tables.c, within the do_replace() and compat_do_replace() functions in net/ipv4/netfilter/ip_tables.c, within the do_replace() and compat_do_replace() functions in net/ipv4/netfilter/arp_tables.c. A local user can perform a denial of service (DoS) attack.

9) Improper input validation (CVE-ID: CVE-2026-43077)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.

10) Out-of-bounds write (CVE-ID: CVE-2026-43078)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in af_alg_pull_tsgl when reassigning pages. A local user can trigger page reassignment that reassigns one more page than necessary to cause a denial of service.

11) Improper locking (CVE-ID: CVE-2026-43211)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock handling in pci_slot_trylock() when handling a pci_bus_trylock() failure path. A local user can trigger the affected code path to cause a denial of service.

The issue can result in unlocking a lock that is not held or incorrectly unlocking a lock owned by another thread.

12) Use-after-free (CVE-ID: CVE-2026-43339)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in addrconf_permanent_addr() when handling an exceptional condition in IPv6 address configuration. A local user can trigger the warning path to cause a denial of service.

13) Double free (CVE-ID: CVE-2026-45852)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in rxe_srq_from_init in the RDMA rxe subsystem when handling a failed copy_to_user operation during SRQ creation. A local user can trigger an error path to cause a denial of service.

14) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45919)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper logic in rto_next_cpu() when handling RT load balancing on an overloaded CPU. A local user can trigger repeated self-IPIs to cause a denial of service.

The issue can lead to a CPU hardlockup when HAVE_RT_PUSH_IPI is enabled and the affected CPU remains overloaded while other CPUs run pull_rt_task().

15) Use-after-free (CVE-ID: CVE-2026-45970)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the rlb_arp_recv function in the bonding ALB RX path when processing ARP messages during rapid bond up/down cycles. A local user can trigger concurrent bond up/down operations while ARP traffic is being received to cause a denial of service.

The issue is triggered by a race condition between rlb_arp_recv() and rlb_deinitialize().

16) Race condition (CVE-ID: CVE-2026-46028)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.

The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.

17) Integer overflow (CVE-ID: CVE-2026-46209)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to perform out-of-bounds read or write operations.

The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.

The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.

18) Improper input validation (CVE-ID: CVE-2026-46243)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.

The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.

19) Use-after-free (CVE-ID: CVE-2026-46259)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.

Remediation

Install update from vendor's website.

References

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2673

Vulnerable Software

openEuler: 20.03 LTS SP4
kernel: before 4.19.90-2606.3.0.0376
bpftool: before 4.19.90-2606.3.0.0376
bpftool-debuginfo: before 4.19.90-2606.3.0.0376
kernel-debuginfo: before 4.19.90-2606.3.0.0376
kernel-debugsource: before 4.19.90-2606.3.0.0376
kernel-devel: before 4.19.90-2606.3.0.0376
kernel-source: before 4.19.90-2606.3.0.0376
kernel-tools: before 4.19.90-2606.3.0.0376
kernel-tools-debuginfo: before 4.19.90-2606.3.0.0376
kernel-tools-devel: before 4.19.90-2606.3.0.0376
perf: before 4.19.90-2606.3.0.0376
perf-debuginfo: before 4.19.90-2606.3.0.0376
python2-perf: before 4.19.90-2606.3.0.0376
python2-perf-debuginfo: before 4.19.90-2606.3.0.0376
python3-perf: before 4.19.90-2606.3.0.0376
python3-perf-debuginfo: before 4.19.90-2606.3.0.0376

SB2026061293 - openEuler 20.03 LTS SP4 update for kernel

Breakdown by Severity

Description

Remediation

References

Please verify you're human