SB2026063095 - Red Hat Enterprise Linux 10 update for kernel
Published: June 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-43279)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds write in prepare_silent_urb() when silencing playback URB packets in implicit feedback mode before actual playback. A local user can trigger inconsistent capture and playback stream packet sizing to cause a denial of service.
The issue can occur when the capture stream setup differs from the playback stream setup, such as due to USB core maximum packet size limitations.
2) Use-after-free (CVE-ID: CVE-2026-46090)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the ALSA aloop peer runtime handling when processing a format-change stop during concurrent stream operations. A local user can trigger concurrent playback start and capture close operations to cause a denial of service.
The issue occurs because a stale peer substream pointer may be used after the capture runtime is detached or freed.
3) Double free (CVE-ID: CVE-2026-46189)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in pvrdma_alloc_ucontext() error path when handling ucontext allocation failures. A local user can trigger the error path to cause a denial of service.
4) Use-after-free (CVE-ID: CVE-2026-46176)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free and double free in mlx5_ib_dev_res_srq_init() when handling an error during SRQ initialization after ib_create_srq() fails for the second SRQ. A local user can trigger the faulty initialization path to cause a denial of service.
The issue occurs because freed and error-pointer SRQ values are stored and later dereferenced during queue pair creation and cleanup.
Remediation
Install update from vendor's website.