SB2026062493 - openEuler 22.03 LTS SP4 update for kernel
Published: June 24, 2026
Description
This security bulletin contains information about 33 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2025-38702)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to memory corruption within the do_register_framebuffer() function in drivers/video/fbdev/core/fbmem.c. A local user can escalate privileges on the system.
2) Out-of-bounds read (CVE-ID: CVE-2025-40349)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within fs/hfsplus/hfsplus_fs.h. A local user can perform a denial of service (DoS) attack.
3) Memory leak (CVE-ID: CVE-2026-23058)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory leak within the ems_usb_read_bulk_callback() function in drivers/net/can/usb/ems_usb.c. A local user can perform a denial of service (DoS) attack.
4) Double free (CVE-ID: CVE-2026-31507)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in smc_rx_pipe_buf_release() and SMC splice pipe buffer handling when duplicating splice pipe buffers with tee(2) or splice_pipe_to_pipe(). A local user can duplicate an SMC splice buffer to cause a denial of service.
The issue can trigger a slab-use-after-free that leads to a NULL-pointer dereference and kernel panic.
5) Use-after-free (CVE-ID: CVE-2026-31580)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in cached_dev.sb_bio when handling superblock write completion while the device is being stopped. A local user can stop the device during a superblock write to cause a denial of service.
6) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31585)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in vidtv_start_feed() when handling a start_streaming failure. A local user can trigger a start_streaming failure to cause a denial of service.
The issue can corrupt the nfeeds counter and may leave partially allocated mux and channel resources uncleared when the stop path returns early.
7) Use-after-free (CVE-ID: CVE-2026-31586)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.
The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().
8) Improper input validation (CVE-ID: CVE-2026-31596)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in ocfs2_group_extend when handling a crafted filesystem through the resize ioctl. A local user can trigger the resize operation on a crafted filesystem image to cause a denial of service.
The issue occurs because an invalid global bitmap inode can reach the JBD2-managed buffer path and lead to a kernel BUG instead of a clean failure.
9) Use-after-free (CVE-ID: CVE-2026-31597)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ocfs2_fault() when handling a page fault that returns VM_FAULT_RETRY. A local user can trigger a concurrent munmap() during fault handling to cause a denial of service.
10) Deadlock (CVE-ID: CVE-2026-31598)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an inconsistent lock ordering that can lead to deadlock in ocfs2 unlink and direct I/O write completion handling when concurrent unlink and dio_end_io_write operations are performed. A local user can trigger concurrent file operations to cause a denial of service.
11) NULL pointer dereference (CVE-ID: CVE-2026-31599)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in vidtv_channel_pmt_match_sections when handling a memory allocation failure from vidtv_psi_pmt_stream_init. A local user can trigger the vulnerable code path to cause a denial of service.
12) Division by zero (CVE-ID: CVE-2026-31603)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a division by zero in ps_to_hz() when handling a FBIOPUT_VSCREENINFO request with a zero pixclock value. A local user can supply crafted screen information to trigger a division by zero and cause a denial of service.
13) Use of Uninitialized Variable (CVE-ID: CVE-2026-31626)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use of uninitialized memory in rtw_BIP_verify() when processing BIP data. A local user can trigger the function with crafted input to cause a denial of service.
14) Use-after-free (CVE-ID: CVE-2026-31656)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in intel_engine_park_heartbeat when racing the heartbeat worker and request retirement paths while releasing engine->heartbeat.systole. A local user can trigger concurrent request retirement and heartbeat handling to cause a denial of service.
The issue arises because the same systole request can be released twice after a stale non-NULL pointer is observed in a non-atomic read-and-clear sequence.
15) Heap-based buffer overflow (CVE-ID: CVE-2026-31694)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in fuse_add_dirent_to_cache() when processing directory entries returned by a FUSE server. A remote attacker can return a specially crafted directory entry with an oversized name length to cause a denial of service.
The issue occurs when a serialized directory entry exceeds a single page size and is copied into the readdir cache.
16) Use-after-free (CVE-ID: CVE-2026-43027)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.
The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.
17) Improper Null Termination (CVE-ID: CVE-2026-43028)
CWE-ID: CWE-170 - Improper Null Termination
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in x_tables when processing names supplied to functions that expect c-strings. A local user can provide a name that lacks a nul terminator to cause a denial of service.
18) Out-of-bounds read (CVE-ID: CVE-2026-43071)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in dentry_hashtable when processing lookups with dhash_entries set to 1. A local user can trigger filesystem lookup operations to cause a denial of service.
The issue occurs because a single hash bucket can cause an invalid shift calculation that leads to access of unallocated memory.
19) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43132)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of error pointers in verity_fec_ctr() when creating dm-bufio clients. A local user can trigger a failure in dm_bufio_client_create() to cause a denial of service.
20) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43187)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause data loss.
The vulnerability exists due to improper state management in the XFS extended attribute leaf freemap handling code when processing setxattr operations. A local user can set extended attributes in a way that causes xattr namevalue entries to be allocated on top of the entries array, resulting in data loss.
The issue involves zero-length freemap entries with a nonzero base and can lead to overlapping freemap entries with the same base but different sizes.
21) NULL pointer dereference (CVE-ID: CVE-2026-43207)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the mtk-mdp probe function when handling a failed return from vpu_get_plat_device(). A local user can trigger the vulnerable code path to cause a denial of service.
22) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-43245)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory allocation in ntfs dentry comparison and hash handling when processing filesystem path lookups. A local user can trigger blocking allocation in this context to cause a denial of service.
23) Improper locking (CVE-ID: CVE-2026-43382)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock handling in batadv_v_elp_get_throughput() and batadv_get_real_netdev() when cancelling a delayed work item while the RTNL lock is already held. A local user can trigger the affected code path to cause a denial of service.
The issue can result in a deadlock during ELP metric worker processing for cfg80211 interfaces.
24) Use-after-free (CVE-ID: CVE-2026-43437)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in snd_pcm_drain() when handling a linked stream runtime after releasing the stream lock. A local user can trigger a concurrent close() on the linked stream's file descriptor to cause a denial of service.
The issue occurs because the drain path dereferences stale runtime fields from a linked stream after the runtime can be freed by concurrent unlink and detach operations.
25) Use-after-free (CVE-ID: CVE-2026-45970)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the rlb_arp_recv function in the bonding ALB RX path when processing ARP messages during rapid bond up/down cycles. A local user can trigger concurrent bond up/down operations while ARP traffic is being received to cause a denial of service.
The issue is triggered by a race condition between rlb_arp_recv() and rlb_deinitialize().
26) Improper Initialization (CVE-ID: CVE-2026-46027)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper access to uninitialized state in smc_clc_wait_msg() when handling a CLC decline during an early handshake stage before link group association. A remote attacker can send a specially crafted decline message to cause a denial of service.
The issue occurs for first-contact declines received before link group setup has completed.
27) Use-after-free (CVE-ID: CVE-2026-46099)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in seg6 and rpl lwtunnels when processing IPv6 routing lookups and caching a NOREF destination entry. A local user can trigger a race condition to cause a denial of service.
Exploitation requires PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK and a concurrent task able to release a shared nexthop per-cpu route entry.
28) Improper locking (CVE-ID: CVE-2026-46112)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt memory.
The vulnerability exists due to improper locking in hns_roce_create_qp_common() and hns_roce_qp_remove() when handling error unwind during queue pair creation. A local user can trigger the error path to corrupt memory.
29) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-46174)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause instruction corruption.
The vulnerability exists due to improper isolation of shared resources in Zen2 op cache when executing code on the system. A local user can run code locally to cause instruction corruption.
30) Double free (CVE-ID: CVE-2026-46189)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the pvrdma_alloc_ucontext() error path when handling ucontext allocation failures. A local user can trigger the error path to cause a denial of service.
31) Incorrect calculation (CVE-ID: CVE-2026-46193)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of ESN high bits in async callbacks in the AH implementation when processing AH packets with ESN enabled using an asynchronous AH implementation. A local user can send specially crafted AH traffic to cause a denial of service.
The issue affects both IPv4 and IPv6 AH paths, and exploitation requires ESN to be enabled with an asynchronous AH implementation selected.
32) Out-of-bounds write (CVE-ID: CVE-2026-46294)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to cause a buffer overflow.
The vulnerability exists due to a buffer overflow in dm-ioctl retrieve_status when processing device mapper ioctl output buffers. A local privileged user can supply a crafted buffer layout to cause a buffer overflow.
Exploitation requires issuing device mapper ioctls, and the issue does not occur accidentally with commonly used libraries because they use 8-byte-aligned buffer sizes.
33) Out-of-bounds write (CVE-ID: CVE-2026-46331)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written, resulting in memory corruption.
The issue can involve negative offsets such as Ethernet header edits at ingress.
Remediation
Install the update from the vendor's website.