SB2026062605 - SUSE update for the Linux Kernel
Published: June 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 27 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-10263)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.
Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.
2) Use-after-free (CVE-ID: CVE-2025-68324)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the imm_detach() function in drivers/scsi/imm.c. A local user can escalate privileges on the system.
3) Use After Free (CVE-ID: CVE-2026-23392)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.
Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.
4) Use-after-free (CVE-ID: CVE-2026-31500)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in btintel_hw_error() when handling a hardware error concurrently with device close operations. A local user can trigger a race condition to cause a denial of service.
The issue occurs because synchronous HCI command paths manipulate shared request state concurrently.
5) Out-of-bounds read (CVE-ID: CVE-2026-31697)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.
The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.
6) Out-of-bounds read (CVE-ID: CVE-2026-31698)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.
7) Out-of-bounds read (CVE-ID: CVE-2026-31699)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.
The issue occurs when the firmware reports an invalid length for the requested blob.
8) Double free (CVE-ID: CVE-2026-31759)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.
9) Out-of-bounds read (CVE-ID: CVE-2026-31771)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the Bluetooth HCI event handling logic when processing a short HCI event frame. A local attacker can send a specially crafted HCI event frame to cause a denial of service.
The issue occurs because wake reason storage is reached before per-event minimum payload length validation is enforced.
10) Race condition (CVE-ID: CVE-2026-43023)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition leading to use-after-free in sco_sock_connect() when handling concurrent connect() calls on the same Bluetooth SCO socket. A local user can issue concurrent connect() syscalls on the same socket to cause a denial of service.
The issue can revive a BT_CLOSED and SOCK_ZAPPED socket back to BT_CONNECT during concurrent execution.
11) Use-after-free (CVE-ID: CVE-2026-43074)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ep_free() in eventpoll.c when handling concurrent eventpoll operations. A local user can trigger a race condition to cause a denial of service.
12) Improper input validation (CVE-ID: CVE-2026-43077)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.
13) Race condition (CVE-ID: CVE-2026-43198)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.
The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.
14) Out-of-bounds write (CVE-ID: CVE-2026-45878)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in the debug address watch handling in drm/amdkfd when processing a crafted watch_id value from userspace. A local user can supply a watch_id larger than INT_MAX to trigger memory access outside the watch_points array and cause a denial of service.
The issue is triggered by integer sign conversion of an unsigned watch_id to a signed value, which can also lead to invalid shift operations.
15) Improper access control (CVE-ID: CVE-2026-45886)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the bpf_xdp_store_bytes helper prototype when verifying BPF programs that use read-only map values. A local user can load a crafted BPF program to cause a denial of service.
The issue is triggered when the third helper argument points to a value from a BPF_F_RDONLY_PROG map.
16) Improper access control (CVE-ID: CVE-2026-45932)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass permission checks.
The vulnerability exists due to improper access control in BPF_PROG_DETACH for tcx or netkit devices when detaching a program without providing a program file descriptor. A local user can invoke the detach operation without the required capability checks to bypass permission checks.
The issue occurs only when no program file descriptor is supplied to the detach operation.
17) Use-after-free (CVE-ID: CVE-2026-45984)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in gfs2 inline data write path when handling inline data writes. A local user can trigger an inline write operation to cause a denial of service.
The issue occurs because a buffer head is released before the inline write completes, leaving a stale pointer that is later dereferenced during the write end path.
18) Out-of-bounds read (CVE-ID: CVE-2026-46037)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the ipv4 icmp reply handling logic when processing extended echo replies. A remote attacker can send a specially crafted icmp packet to cause a denial of service.
19) Use-after-free (CVE-ID: CVE-2026-46090)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the ALSA aloop peer runtime handling when processing a format-change stop during concurrent stream operations. A local user can trigger concurrent playback start and capture close operations to cause a denial of service.
The issue occurs because a stale peer substream pointer may be used after the capture runtime is detached or freed.
20) Use-after-free (CVE-ID: CVE-2026-46120)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ip6erspan_changelink() when changing link configuration after network namespace migration. A local user can trigger tunnel reinsertion into the wrong per-netns hash to cause a denial of service.
The issue is reachable from an unprivileged user namespace.
21) Out-of-bounds read (CVE-ID: CVE-2026-46123)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in virtbt_rx_work() and virtbt_rx_handle() when processing device-reported receive lengths from the virtio Bluetooth backend. A local attacker can provide a crafted length value to cause the kernel to read uninitialized memory and disclose sensitive information.
The issue can be triggered when the backend reports a receive length larger than the 1000-byte buffer exposed to the device, or when it reports an empty completion with a zero length.
22) Improper access control (CVE-ID: CVE-2026-46150)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass permission checks.
The vulnerability exists due to improper access control in fsnotify_get_mark_safe() when processing fanotify permission events. A local user can trigger permission events in the presence of an unrelated detached mark to bypass permission checks.
23) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-46159)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to a time-of-check time-of-use race in btrfs_ioctl_space_info() when processing a space information ioctl request while block groups are concurrently removed. A local user can trigger the ioctl and race concurrent block group removal to disclose sensitive information.
The issue can result in copying uninitialized kmalloc heap bytes to userspace.
24) Out-of-bounds read (CVE-ID: CVE-2026-46197)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the SVM ioctl handler when processing a user-controlled attribute count. A local user can supply a crafted ioctl request to cause a denial of service.
25) Integer overflow (CVE-ID: CVE-2026-46209)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform out-of-bounds read or write operations.
The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.
The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.
26) Use-after-free (CVE-ID: CVE-2026-46227)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.
The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.
27) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46273)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of segmentation offload constraints in ibmveth when processing gso packets with a small mss. A local user can send specially crafted packets to cause a denial of service.
The issue is triggered when the hardware performs segmentation with more than one segment and an MSS smaller than 224 bytes; single-segment GSO packets do not trigger the affected code path.
Remediation
Install update from vendor's website.