SB2026062630 - Anolis OS update for kernel:4.18



SB2026062630 - Anolis OS update for kernel:4.18

Published: June 26, 2026

Security Bulletin ID SB2026062630
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 17
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 18% Low 82%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 17 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-31419)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.

The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.


2) Use-after-free (CVE-ID: CVE-2026-31488)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the amdgpu display manager stream handling logic when processing KMS commits involving DSC validation and unrelated mode changes. A local user can trigger a crafted display configuration change to cause a denial of service.

The issue can occur when MST/DSC configuration changes happen in the same commit as a separate mode change, leading to incorrect stream lifetime handling when the stream is later disabled.


3) Use-after-free (CVE-ID: CVE-2026-31669)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.

The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.


4) Out-of-bounds read (CVE-ID: CVE-2026-31786)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.

The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.

In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.


5) Double free (CVE-ID: CVE-2026-31787)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.

The vulnerability exists due to double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.

Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.


6) Use-after-free (CVE-ID: CVE-2026-43056)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in add_adev() when handling an error path after auxiliary_device_add() fails. A local user can trigger the failure condition to cause a denial of service.


7) Out-of-bounds read (CVE-ID: CVE-2026-43110)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in brcmf_fweh_handle_if_event() when handling firmware-provided IF events. A remote attacker can supply a crafted bsscfg index to cause a denial of service.


8) Out-of-bounds write (CVE-ID: CVE-2026-43279)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in prepare_silent_urb() when silencing playback URB packets in implicit feedback mode before actual playback. A local user can trigger inconsistent capture and playback stream packet sizing to cause a denial of service.

The issue can occur when the capture stream setup differs from the playback stream setup, such as due to USB core maximum packet size limitations.


9) Memory corruption (CVE-ID: CVE-2026-43329)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in flowtable hardware offload action handling when processing IPv6 flowtable offload configurations with multiple actions. A remote attacker can trigger a flow configuration that exceeds the supported number of actions to cause a denial of service.

The issue can be reached in IPv6 setups involving combinations of ethernet mangling, NAT, double VLAN for QinQ, redirect, and tunnel-related actions.


10) Improper access control (CVE-ID: CVE-2026-46054)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass SELinux access controls.

The vulnerability exists due to improper access control in SELinux overlayfs mmap() and mprotect() access checks when handling mmap() and mprotect() operations on overlayfs filesystems. A local user can map or change protections on an overlayfs file to bypass SELinux access controls.


11) Use-after-free (CVE-ID: CVE-2026-46056)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in SSP passkey handlers when handling Bluetooth SSP passkey and keypress notification events. A local user can trigger concurrent connection teardown during event processing to cause a denial of service.


12) Use-after-free (CVE-ID: CVE-2026-46090)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the ALSA aloop peer runtime handling when processing a format-change stop during concurrent stream operations. A local user can trigger concurrent playback start and capture close operations to cause a denial of service.

The issue occurs because a stale peer substream pointer may be used after the capture runtime is detached or freed.


13) Use-after-free (CVE-ID: CVE-2026-46125)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in debugfs when handling failed connection preparation for mlo connections. A local user can trigger connection preparation failure and access the affected debugfs state to cause a denial of service.

The issue occurs when debugfs is enabled and an interface is reset from mld to non-mld, which recreates its debugfs entries.


14) Race condition (CVE-ID: CVE-2026-46135)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.

The issue can lead to a second kref_put() being issued on an already released queue.


15) Out-of-bounds write (CVE-ID: CVE-2026-46145)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to overwrite kernel memory.

The vulnerability exists due to an out-of-bounds write in the RDMA/mana rx hash key handling when processing a user-supplied uAPI structure. A local user can supply a crafted rx_hash_key_len value to overwrite kernel memory.


16) Race condition (CVE-ID: CVE-2026-46152)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause incorrect packet processing.

The vulnerability exists due to a race condition in ieee80211_invoke_fast_rx() when processing packets in parallel RX paths. A local user can trigger concurrent packet processing to cause incorrect packet processing.

This issue arises because concurrent callers share a single rx_result instance, which can be overwritten between ieee80211_rx_mesh_data() and the subsequent switch on the result.


17) Out-of-bounds write (CVE-ID: CVE-2026-46331)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written to cause memory corruption.

The issue can involve negative offsets such as Ethernet header edits at ingress.


Remediation

Install update from vendor's website.