SB20260625283 - Red Hat Enterprise Linux 10 update for kernel
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-31636)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in rxgk_verify_authenticator() when parsing malformed RESPONSE authenticators. A remote attacker can send a specially crafted RESPONSE authenticator to cause a denial of service.
2) Out-of-bounds read (CVE-ID: CVE-2026-43038)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.
The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.
3) Race condition (CVE-ID: CVE-2026-43198)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.
The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.
4) Double free (CVE-ID: CVE-2026-43414)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in qla24xx_els_dcmd_iocb() error handling when releasing fcport references. A local user can trigger an error condition to cause a denial of service.
5) Out-of-bounds write (CVE-ID: CVE-2026-45898)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to memory corruption in the RDMA/iwcm workqueue handling logic when processing queued work items. A local user can trigger repeated work submissions to cause a denial of service.
The issue was observed during stress testing with ucmatose in iWARP mode.
6) Improper input validation (CVE-ID: CVE-2026-46117)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt kernel memory.
The vulnerability exists due to improper input validation in mana_ib_create_qp_rss() when processing user-supplied work queue configurations through the RDMA uAPI. A local user can specify work queues sharing the same completion queue to corrupt kernel memory.
7) Out-of-bounds write (CVE-ID: CVE-2026-46145)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to overwrite kernel memory.
The vulnerability exists due to an out-of-bounds write in the RDMA/mana rx hash key handling when processing a user-supplied uAPI structure. A local user can supply a crafted rx_hash_key_len value to overwrite kernel memory.
8) Race condition (CVE-ID: CVE-2026-46135)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.
The issue can lead to a second kref_put() being issued on an already released queue.
9) Improper access control (CVE-ID: CVE-2026-46054)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass SELinux access controls.
The vulnerability exists due to improper access control in SELinux overlayfs mmap() and mprotect() access checks when handling mmap() and mprotect() operations on overlayfs filesystems. A local user can map or change protections on an overlayfs file to bypass SELinux access controls.
Remediation
Install update from vendor's website.