SB20260619116 - Red Hat Enterprise Linux 10 update for kernel
Published: June 19, 2026
Description
This security bulletin contains information about 15 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-31474)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in isotp_sendmsg() when closing an ISO-TP socket while a transmission is still in progress and the close wait is interrupted by a signal. A local user can trigger a race condition to cause a denial of service.
2) Use-after-free (CVE-ID: CVE-2026-31669)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.
The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.
3) Heap-based buffer overflow (CVE-ID: CVE-2026-31641)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in rxrpc_preparse_xdr_yfs_rxgk() when processing a crafted XDR token through add_key(). A local user can supply a token with oversized length values that trigger integer wraparound and overflow a heap buffer to execute arbitrary code.
The issue is reachable from an unprivileged add_key() call.
4) Double free (CVE-ID: CVE-2026-31787)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.
The vulnerability exists due to a double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.
Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.
5) Out-of-bounds read (CVE-ID: CVE-2026-31786)
CWE-ID: CWE-125 - Out-of-bounds Read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.
The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.
In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.
6) Use-after-free (CVE-ID: CVE-2026-43056)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in add_adev() when handling an error path after auxiliary_device_add() fails. A local user can trigger the failure condition to cause a denial of service.
7) Stack-based buffer overflow (CVE-ID: CVE-2026-31772)
CWE-ID: CWE-121 - Stack-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in hci_le_big_create_sync when processing a crafted ISO socket configuration. A local user can bind an ISO socket with a large number of BIS entries and call listen() to cause a denial of service.
The issue is triggered when the number of BIS entries is between 18 and 31, leading to a stack out-of-bounds write in the HCI command sync worker.
8) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-43260)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the bnxt_en RSS context delete logic when deleting RSS contexts during interface close and subsequent restoration. A local user can trigger repeated RSS context deletion and restoration cycles to cause a denial of service.
The issue can cause firmware VNIC resources to be leaked, and subsequent open operations may fail to restore active RSS contexts.
9) Out-of-bounds read (CVE-ID: CVE-2026-43330)
CWE-ID: CWE-125 - Out-of-bounds Read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds read in the caam crypto driver when processing HMAC keys longer than the block size. A local user can supply a specially crafted long HMAC key to cause memory corruption.
The issue occurs because the copied key buffer is rounded to DMA cache alignment, which can result in reading past the end of the source key buffer.
10) Out-of-bounds write (CVE-ID: CVE-2026-46331)
CWE-ID: CWE-787 - Out-of-bounds Write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that write to a packet region that has not first been made writable (copy-on-write), causing memory corruption.
The issue can involve negative offsets such as Ethernet header edits at ingress.
11) Use-after-free (CVE-ID: CVE-2026-46056)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in SSP passkey handlers when handling Bluetooth SSP passkey and keypress notification events. A local user can trigger concurrent connection teardown during event processing to cause a denial of service.
12) Race condition (CVE-ID: CVE-2026-46152)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause incorrect packet processing.
The vulnerability exists due to a race condition in ieee80211_invoke_fast_rx() when processing packets in parallel RX paths. A local user can trigger concurrent packet processing to cause incorrect packet processing.
This issue arises because concurrent callers share a single rx_result instance, which can be overwritten between ieee80211_rx_mesh_data() and the subsequent switch on the result.
13) Use-after-free (CVE-ID: CVE-2026-46125)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in debugfs when handling failed connection preparation for MLO connections. A local user can trigger a connection preparation failure and access the affected debugfs state to cause a denial of service.
The issue occurs when debugfs is enabled and an interface is reset from MLD to non-MLD, which recreates its debugfs entries.
14) Use-after-free (CVE-ID: CVE-2026-46173)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to a use-after-free in make_task_dead()/do_task_dead() task exit handling when an already-exiting task oopses during task exit. A local user can trigger an oops in a file_operations::release handler to cause memory corruption.
This can result in two tasks running on the same stack.
15) Use-after-free (CVE-ID: CVE-2026-46166)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the radar detect work in mac80211 when cancelling the DFS CAC during list iteration. A local user can trigger the affected workflow to cause a denial of service.
Remediation
Install the update from the vendor's website.
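Because Red Hat backports fixes into existing kernel version streams, comparing `uname -r` against an upstream version number does not tell you whether a listed CVE is fixed; the package changelog (which Red Hat annotates with the CVE ids it addresses) is a more reliable indicator. The script below is an added example, not part of this bulletin or of any Red Hat tooling: it defines a small check that greps a changelog for a CVE id, and a hypothetical helper `check_running_kernel` that runs the same check against the `kernel-core` package of the running kernel via `rpm -q --changelog`. The sample changelog embedded in the script is constructed for illustration and is not a real Red Hat changelog entry.

```shell
#!/bin/sh
# Added example: verify whether a CVE id from the bulletin is referenced in an
# RPM changelog. A match means the package maintainer recorded a fix for that
# CVE; absence means it is either still unpatched or fixed under a different
# reference. Not a Red Hat tool; helper names here are hypothetical.

# cve_in_changelog CVE-ID CHANGELOG_FILE
# Returns 0 if the id appears anywhere in the file, 1 otherwise.
cve_in_changelog() {
    cve="$1"
    file="$2"
    grep -qiF -- "$cve" "$file"
}

# check_running_kernel CVE-ID
# Dumps the changelog of the kernel-core package matching the running kernel
# (requires rpm) and runs cve_in_changelog over it.
# Returns 0 = referenced, 1 = not referenced, 2 = package lookup failed.
check_running_kernel() {
    cve="$1"
    tmp="$(mktemp)"
    if ! rpm -q --changelog "kernel-core-$(uname -r)" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    if cve_in_changelog "$cve" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample changelog; the layout mimics `rpm -q --changelog` output
# and the CVE ids are taken from the bulletin above. Not a real changelog.
SAMPLE_CHANGELOG="$(mktemp)"
cat > "$SAMPLE_CHANGELOG" <<'EOF'
* Fri Jun 19 2026 Example Maintainer <maintainer@example.invalid> [EXAMPLE-VERSION]
- can: isotp: fix use-after-free in isotp_sendmsg() (CVE-2026-31474)
- rxrpc: fix heap overflow in rxrpc_preparse_xdr_yfs_rxgk() (CVE-2026-31641)
EOF

# Walk a few CVE ids from this bulletin and report which the sample mentions.
for cve in CVE-2026-31474 CVE-2026-31641 CVE-2026-46166; do
    if cve_in_changelog "$cve" "$SAMPLE_CHANGELOG"; then
        echo "$cve: referenced in changelog"
    else
        echo "$cve: not referenced (unpatched, or fixed under another reference)"
    fi
done
```

On a live RHEL 10 host, `check_running_kernel CVE-2026-31474` performs the same check against the installed package; note that it inspects the package for the kernel currently booted, so a kernel that was updated but not yet rebooted into still reports the old changelog. An alternative that does not depend on changelog wording is `dnf updateinfo list --cve CVE-2026-31474`, which lists pending advisories for that id from the configured repositories.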