SB2026070176 - SUSE update for the Linux Kernel




Published: July 1, 2026

Security Bulletin ID: SB2026070176
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 66
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 15%, Low: 85%

Description

This security bulletin contains information about 66 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


2) Use-after-free (CVE-ID: CVE-2025-68822)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the alps_disconnect() function in drivers/input/mouse/alps.c. A local user can escalate privileges on the system.


3) Use After Free (CVE-ID: CVE-2026-23392)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.

Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.


4) Use-after-free (CVE-ID: CVE-2026-31414)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.

The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.


5) Double free (CVE-ID: CVE-2026-31429)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a cross-cache free in skb_kfree_head() when freeing KFENCE-allocated skb head data. A local user can trigger allocation and freeing of a specially sized skb head object to cause a denial of service.

Exploitation requires KFENCE to be enabled.


6) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31452)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.

The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.


7) Use-after-free (CVE-ID: CVE-2026-31453)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.


8) Use-after-free (CVE-ID: CVE-2026-31469)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the virtio_net driver transmit path when transmitting packets after the network namespace is destroyed while previously queued skbs are still pending. A local user can trigger packet transmission and network namespace teardown to cause a denial of service.

The issue occurs when the virtio_net driver is configured with napi_tx disabled and the device's IFF_XMIT_DST_RELEASE flag is cleared.


9) Improper Initialization (CVE-ID: CVE-2026-31492)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in irdma_create_qp and irdma_destroy_qp when handling a failure from ib_copy_to_udata during queue pair creation. A local user can trigger an error during queue pair creation to cause a denial of service.


10) Improper input validation (CVE-ID: CVE-2026-31495)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ctnetlink when handling netlink attribute values. A local user can send a specially crafted netlink message to cause a denial of service.

The issue involves invalid TCP state, window scale, and flag values accepted through ctnetlink attributes.


11) Deadlock (CVE-ID: CVE-2026-31499)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in l2cap_conn_del() when canceling delayed work items. A local user can trigger Bluetooth L2CAP connection deletion while the associated timer work is executing to cause a denial of service.


12) Use-after-free (CVE-ID: CVE-2026-31500)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in btintel_hw_error() when handling a hardware error concurrently with device close operations. A local user can trigger a race condition to cause a denial of service.

The issue occurs because synchronous HCI command paths manipulate shared request state concurrently.


13) Use-after-free (CVE-ID: CVE-2026-31555)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a stale pointer in futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.


14) NULL pointer dereference (CVE-ID: CVE-2026-31560)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in spi-dw-dma error logging when handling an error after a transaction finishes without a current message. A local user can trigger an error condition to cause a denial of service.


15) Improper locking (CVE-ID: CVE-2026-31592)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in sev_mem_enc_register_region() when handling KVM ioctls during SEV guest initialization failure paths. A local user can issue crafted ioctl calls to trigger a general protection fault and kernel crash.

The issue can occur if KVM_SEV_INIT{2} fails and KVM attempts to add to an uninitialized sev->regions_list.


16) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-31593)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state validation in the KVM SEV VMSA synchronization logic when synchronizing vCPU state to an already-launched and encrypted vCPU. A local user can issue a crafted ioctl sequence to cause a denial of service.

On hosts with SNP enabled, accessing guest-private memory triggers an RMP page fault that panics the host. In SEV-ES environments without SNP, the issue may clobber guest state instead of panicking the host.


17) Use of uninitialized resource (CVE-ID: CVE-2026-31664)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.

The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.


18) Use-after-free (CVE-ID: CVE-2026-31665)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nft_ct_timeout_obj_destroy() when destroying timeout objects during concurrent packet processing. A local user can trigger concurrent packet processing and object destruction to cause a denial of service.

The issue arises because other CPUs may still hold RCU-protected references to the timeout object.


19) Out-of-bounds read (CVE-ID: CVE-2026-31674)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.


20) Use-after-free (CVE-ID: CVE-2026-31680)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


21) Improper Initialization (CVE-ID: CVE-2026-31693)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in cifs replay handling when replaying requests. A local user can trigger request replay to cause a denial of service.


22) Out-of-bounds read (CVE-ID: CVE-2026-31752)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing malformed neighbor discovery options. A remote attacker can send a specially crafted neighbor solicitation packet to cause a denial of service.


23) Double free (CVE-ID: CVE-2026-31759)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.


24) Race condition (CVE-ID: CVE-2026-43023)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition leading to use-after-free in sco_sock_connect() when handling concurrent connect() calls on the same Bluetooth SCO socket. A local user can issue concurrent connect() syscalls on the same socket to cause a denial of service.

The issue can revive a BT_CLOSED and SOCK_ZAPPED socket back to BT_CONNECT during concurrent execution.


25) Improper input validation (CVE-ID: CVE-2026-43024)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nf_tables verdict handling when processing nftables rules. A local user can create a rule with an immediate NF_QUEUE verdict to cause a denial of service.

The issue is reachable in the arp family even though queue support is not provided there.


26) Improper Null Termination (CVE-ID: CVE-2026-43028)

CWE-ID: CWE-170 - Improper Null Termination

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in x_tables when processing names supplied to functions that expect C strings. A local user can provide a name that lacks a NUL terminator to cause a denial of service.


27) Improper Initialization (CVE-ID: CVE-2026-43035)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in tc_chain_fill_node() when building netlink messages. A local user can trigger the kernel to generate a netlink message to disclose sensitive information.

Kernel heap memory may be exposed to userspace through the 4-byte tcm_info field of struct tcmsg.


28) Use of uninitialized resource (CVE-ID: CVE-2026-43036)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper handling of packet header data in gso_features_check() when processing packets injected through PF_PACKET paths. A local attacker can inject a specially crafted packet to cause a denial of service.

The issue occurs because the IPv4 header access may rely on skb header offsets that are not always safe for direct dereference in this context.


29) Use-after-free (CVE-ID: CVE-2026-43049)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the logitech-hidpp force feedback initialization path when probing the Logitech G920 Driving Force Racing Wheel for Xbox One and userspace continues to access sysfs or /dev/input references after initialization failure. A local user can trigger force feedback initialization failure and use dangling references to cause a denial of service.

The issue occurs if force feedback initialization fails before the userspace infrastructure has been torn down.


30) Improper input validation (CVE-ID: CVE-2026-43077)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.


31) Out-of-bounds read (CVE-ID: CVE-2026-43083)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in __ioam6_fill_trace_data() when processing packets with trace->type.bit6 set on the RX path. A local user can trigger the kernel to access an invalid transmit queue index to cause a denial of service.

The issue occurs when the ingress device has more RX queues than the egress device has TX queues.


32) NULL pointer dereference (CVE-ID: CVE-2026-43101)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in __ioam6_fill_trace_data() when processing IPv6 IOAM trace data. A local user can trigger the vulnerable code path to cause a denial of service.


33) Out-of-bounds read (CVE-ID: CVE-2026-43112)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in cifs_sanitize_prepath when parsing path strings containing only delimiters or no path content. A local user can supply a crafted path string to cause a denial of service.

The issue can be triggered by an empty string or a string such as "/".


34) Race condition (CVE-ID: CVE-2026-43119)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a data race in hdev->req_status handling in the Bluetooth hci_sync subsystem when processing concurrent command synchronization operations across workqueues and event completion paths. A local user can trigger concurrent operations to cause a denial of service.

The issue arises because accesses occur from different workqueues and completion or abort paths that can run concurrently on different CPUs.


35) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the XFS extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.

The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.


36) Integer underflow (CVE-ID: CVE-2026-43171)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or trigger a kernel oops.

The vulnerability exists due to an integer underflow in cper_print_fw_err() when processing a malformed firmware error record with an offset beyond the actual record length. A local user can provide a crafted error record to disclose sensitive information, cause a denial of service, or trigger a kernel oops.

The issue occurs on systems with bad or malformed firmware error records.


37) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43187)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause data loss.

The vulnerability exists due to improper state management in the XFS extended attribute leaf freemap handling code when processing setxattr operations. A local user can set extended attributes in a way that causes xattr namevalue entries to be allocated on top of the entries array to cause data loss.

The issue involves zero-length freemap entries with a nonzero base and can lead to overlapping freemap entries with the same base but different sizes.


38) Race condition (CVE-ID: CVE-2026-43198)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.

The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.


39) Race condition (CVE-ID: CVE-2026-43239)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the SMB client query_interfaces() function when concurrently updating interfaces. A local user can trigger concurrent interface query work to cause a denial of service.


40) Use-after-free (CVE-ID: CVE-2026-43339)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in addrconf_permanent_addr() when handling an exceptional condition in IPv6 address configuration. A local user can trigger the warning path to cause a denial of service.


41) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43345)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper register field definition in the IPA GSI event ring configuration logic when initializing event rings on IPA v5.0+ hardware. A local user can trigger channel operations that wait for transfer completion to cause a denial of service.

The issue can cause runtime suspend, system suspend, and remoteproc stop operations to hang indefinitely, and the IPA data path may become non-functional.


42) Signed to Unsigned Conversion Error (CVE-ID: CVE-2026-43405)

CWE-ID: CWE-195 - Signed to Unsigned Conversion Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of signedness conversion in ceph_monmap_decode() when parsing an incoming monitor map message. A remote attacker can send a specially crafted message with a very large num_mon value to cause a denial of service.

The issue can trigger an attempt to allocate an excessively large chunk of memory and results in -ENOMEM being returned instead of rejecting the input as invalid.


43) Improper locking (CVE-ID: CVE-2026-43469)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the xprtrdma receive handling logic when exiting early from receive work request posting. A local user can trigger memory pressure conditions to cause a denial of service.

The issue can cause the system to hang because the re_receiving counter is not decremented on certain early exit paths, preventing completion during transport drain.


44) Improper input validation (CVE-ID: CVE-2026-43491)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the qrtr namespace service when handling NEW_SERVER messages. A remote attacker can send a flood of NEW_SERVER messages to cause a denial of service.

Exploitation can exhaust memory by registering excessive servers for a node.


45) Improper input validation (CVE-ID: CVE-2026-45840)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.

On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.


46) Division by zero (CVE-ID: CVE-2026-45841)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero error in nf_osf_match_one() in nfnetlink_osf when processing a subsequent matching TCP SYN after a crafted fingerprint is added via nfnetlink. A local user can add a fingerprint with a zero wss value to trigger a kernel panic.

Exploitation requires CAP_NET_ADMIN privileges.


47) Improper Initialization (CVE-ID: CVE-2026-45862)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in the PASID table handling in the Intel VT-d IOMMU subsystem when using a freshly allocated PASID table before its cache flush completes. A local user can trigger use of the PASID table with stale memory contents to cause a denial of service.

The issue affects systems with non-coherent IOMMU hardware.


48) Improper resource shutdown or release (CVE-ID: CVE-2026-45870)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the SUNRPC auth_gss XDR decoding functions when decoding GSSX context, status, or name data. A local user can trigger a decoding failure after memory has been allocated to cause a denial of service.

The issue occurs on error paths where previously allocated buffers remain unreferenced if a subsequent decode step fails.


49) Race condition (CVE-ID: CVE-2026-45894)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the Intel VT-d scalable mode PASID table entry handling when tearing down an active PASID entry. A local user can trigger concurrent PASID entry teardown to cause a denial of service.

The issue can lead to unpredictable behavior or spurious faults if the IOMMU hardware observes a torn read of the entry.


50) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45940)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of descriptor length calculation in stmmac_napi_poll_rx when processing packets with split header enabled on GMAC4 hardware. A remote attacker can send network traffic that triggers incorrect payload length handling to cause a denial of service.

The issue occurs in rare cases when the hardware does not fill buf2 of the first descriptor with payload.


51) Improper resource shutdown or release (CVE-ID: CVE-2026-45961)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in gfs2_fill_super() and gfs2_make_fs_rw() when transitioning a filesystem to read-write mode and handling error paths. A local user can trigger failures during this process to cause a denial of service.

The issue involves memory leaks of created kernel threads and an allocated quota bitmap buffer during specific failure conditions.


52) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45964)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a reference count leak in gss_alloc_msg() in the SUNRPC gss_auth handling code when processing a non-NULL service name and memory allocation fails in kstrdup_const(). A local user can trigger the error path to cause a denial of service.

The issue occurs because the gss_auth reference is not released on the err_put_pipe_version error path, which can prevent the structure from being freed.


53) NULL pointer dereference (CVE-ID: CVE-2026-45965)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rawdata_get_link_base in apparmorfs when resolving symbolic links to rawdata for a replaced profile after the export_binary parameter has been disabled at runtime. A local user can read a crafted rawdata symbolic link to cause a denial of service.

The issue occurs for profiles loaded before export_binary was disabled and then replaced, leaving the rawdata pointer NULL while the symbolic link remains accessible.


54) Out-of-bounds read (CVE-ID: CVE-2026-45974)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in btrfs_quota_enable() when processing crafted btrfs filesystem metadata. A local user can trigger quota enablement on a malformed filesystem image to cause a denial of service.


55) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-46005)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a resource leak in xfs_alloc_buftarg() when handling an error path. A local user can trigger the vulnerable error condition to cause a denial of service.


56) Out-of-bounds read (CVE-ID: CVE-2026-46037)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the IPv4 ICMP reply handling logic when processing extended echo replies. A remote attacker can send a specially crafted ICMP packet to cause a denial of service.


57) Improper input validation (CVE-ID: CVE-2026-46101)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nft_bitwise when initializing left and right shift expressions with a zero shift operand. A local user can create a malformed rule to cause a denial of service.

The issue is triggered in the control plane before malformed rules reach the packet path.


58) Out-of-bounds read (CVE-ID: CVE-2026-46119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.

The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.


59) Out-of-bounds read (CVE-ID: CVE-2026-46123)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in virtbt_rx_work() and virtbt_rx_handle() when processing device-reported receive lengths from the virtio Bluetooth backend. A local attacker can provide a crafted length value to cause the kernel to read uninitialized memory and disclose sensitive information.

The issue can be triggered when the backend reports a receive length larger than the 1000-byte buffer exposed to the device, or when it reports an empty completion with a zero length.


60) Improper access control (CVE-ID: CVE-2026-46150)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass permission checks.

The vulnerability exists due to improper access control in fsnotify_get_mark_safe() when processing fanotify permission events. A local user can trigger permission events in the presence of an unrelated detached mark to bypass permission checks.


61) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46160)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause filesystem corruption and a denial of service.

The vulnerability exists due to improper state update in the btrfs directory unlink handling when removing a directory and later fsyncing it through an open file descriptor. A local user can remove a directory, retain a file descriptor to it, and trigger fsync to cause filesystem corruption and a denial of service.

The issue can cause log replay to fail with an -EIO error when the filesystem is mounted.


62) Double free (CVE-ID: CVE-2026-46162)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in ice_sf_eth_activate() when handling an auxiliary_device_add() failure. A local user can trigger the error path to cause a denial of service.


63) Memory leak (CVE-ID: CVE-2026-46172)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a memory leak in xfrm6_rcv_encap() when processing IPv6 packets that trigger an error route lookup. A remote attacker can send specially crafted packets to cause a denial of service.

Repeated packets hitting this path leak dst entries.


64) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


65) Use-after-free (CVE-ID: CVE-2026-46259)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.


66) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-46273)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of segmentation offload constraints in ibmveth when processing GSO packets with a small MSS. A local user can send specially crafted packets to cause a denial of service.

The issue is triggered when the hardware performs segmentation with more than one segment and an MSS smaller than 224 bytes; single-segment GSO packets do not trigger the affected code path.


Remediation

Install the update from the vendor's website.