SB20260625277 - SUSE update for the Linux Kernel
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 29 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-10263)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.
Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.
2) Use-after-free (CVE-ID: CVE-2025-68324)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the imm_detach() function in drivers/scsi/imm.c. A local user can escalate privileges on the system.
3) Use After Free (CVE-ID: CVE-2026-23392)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.
Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.
4) Out-of-bounds read (CVE-ID: CVE-2026-31405)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read in handle_one_ule_extension() extension handler tables when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.
The out-of-bounds value may be dereferenced and called as a function pointer.
5) Use-after-free (CVE-ID: CVE-2026-31473)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the media request and videobuf queue handling code when reinitializing media requests concurrently with queue teardown. A local user can trigger concurrent MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) operations to cause a denial of service.
Only request-capable devices are affected.
6) Use-after-free (CVE-ID: CVE-2026-31500)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in btintel_hw_error() when handling a hardware error concurrently with device close operations. A local user can trigger a race condition to cause a denial of service.
The issue occurs because synchronous HCI command paths manipulate shared request state concurrently.
7) Out-of-bounds read (CVE-ID: CVE-2026-31613)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the SMB client symlink response parser when parsing a crafted symlink error response from an untrusted server. A remote attacker can send a specially crafted SMB response to disclose sensitive information.
The exposed heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).
8) Out-of-bounds read (CVE-ID: CVE-2026-31697)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.
The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.
9) Out-of-bounds read (CVE-ID: CVE-2026-31698)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.
10) Out-of-bounds read (CVE-ID: CVE-2026-31699)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.
The issue occurs when the firmware reports an invalid length for the requested blob.
11) Use-after-free (CVE-ID: CVE-2026-31758)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in usbtmc_release when handling pending anchored URBs during device release. A local user can trigger release while anchored URBs are still pending to cause a denial of service.
12) Double free (CVE-ID: CVE-2026-31759)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.
13) Improper input validation (CVE-ID: CVE-2026-43077)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.
14) Race condition (CVE-ID: CVE-2026-43198)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.
The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.
15) Improper input validation (CVE-ID: CVE-2026-43366)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state validation in the io_uring kernel buffer recycling logic when recycling a previously grabbed buffer. A local user can trigger recycling of a buffer after the target buffer list has changed type to cause a denial of service.
This can occur when the request is forced via io-wq.
16) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify the page cache of a root-owned read-only file.
The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.
One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.
17) Improper access control (CVE-ID: CVE-2026-45886)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the bpf_xdp_store_bytes helper prototype when verifying BPF programs that use read-only map values. A local user can load a crafted BPF program to cause a denial of service.
The issue is triggered when the third helper argument points to a value from a BPF_F_RDONLY_PROG map.
18) Use-after-free (CVE-ID: CVE-2026-45970)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the rlb_arp_recv function in the bonding ALB RX path when processing ARP messages during rapid bond up/down cycles. A local user can trigger concurrent bond up/down operations while ARP traffic is being received to cause a denial of service.
The issue is triggered by a race condition between rlb_arp_recv() and rlb_deinitialize().
19) Use-after-free (CVE-ID: CVE-2026-45984)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in gfs2 inline data write path when handling inline data writes. A local user can trigger an inline write operation to cause a denial of service.
The issue occurs because a buffer head is released before the inline write completes, leaving a stale pointer that is later dereferenced during the write end path.
20) Use-after-free (CVE-ID: CVE-2026-46021)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in thermal_set_governor() and thermal_zone_device_unregister() when handling concurrent governor updates via sysfs during thermal zone unregistration. A local user can trigger a governor update race to cause a denial of service.
The issue can occur if thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered.
21) Out-of-bounds read (CVE-ID: CVE-2026-46037)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the ipv4 icmp reply handling logic when processing extended echo replies. A remote attacker can send a specially crafted icmp packet to cause a denial of service.
22) Use-after-free (CVE-ID: CVE-2026-46113)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in KVM shadow paging when handling guest page table changes between VM entries. A local user can modify guest page tables to create a stale reverse-mapping entry and trigger a stale rmap walk to cause a denial of service.
This can be triggered during operations such as dirty logging or MMU notifier invalidations.
23) Use-after-free (CVE-ID: CVE-2026-46116)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __xfrm_state_delete when deleting xfrm_state list entries during xfrm_state lifecycle handling. A local user can trigger repeated deletion of the same xfrm_state object to cause a denial of service.
The issue was reproduced under syzkaller load during network namespace cleanup in the xfrm subsystem.
24) Use-after-free (CVE-ID: CVE-2026-46120)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ip6erspan_changelink() when changing link configuration after network namespace migration. A local user can trigger tunnel reinsertion into the wrong per-netns hash to cause a denial of service.
The issue is reachable from an unprivileged user namespace.
25) Out-of-bounds read (CVE-ID: CVE-2026-46123)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in virtbt_rx_work() and virtbt_rx_handle() when processing device-reported receive lengths from the virtio Bluetooth backend. A local attacker can provide a crafted length value to cause the kernel to read uninitialized memory and disclose sensitive information.
The issue can be triggered when the backend reports a receive length larger than the 1000-byte buffer exposed to the device, or when it reports an empty completion with a zero length.
26) Improper access control (CVE-ID: CVE-2026-46150)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass permission checks.
The vulnerability exists due to improper access control in fsnotify_get_mark_safe() when processing fanotify permission events. A local user can trigger permission events in the presence of an unrelated detached mark to bypass permission checks.
27) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-46159)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to a time-of-check time-of-use race in btrfs_ioctl_space_info() when processing a space information ioctl request while block groups are concurrently removed. A local user can trigger the ioctl and race concurrent block group removal to disclose sensitive information.
The issue can result in copying uninitialized kmalloc heap bytes to userspace.
28) Use-after-free (CVE-ID: CVE-2026-46227)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.
The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.
29) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46273)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of segmentation offload constraints in ibmveth when processing gso packets with a small mss. A local user can send specially crafted packets to cause a denial of service.
The issue is triggered when the hardware performs segmentation with more than one segment and an MSS smaller than 224 bytes; single-segment GSO packets do not trigger the affected code path.
Remediation
Install update from vendor's website.