SB2026070287 - Red Hat Enterprise Linux 10 update for kernel



SB2026070287 - Red Hat Enterprise Linux 10 update for kernel

Published: July 2, 2026

Security Bulletin ID SB2026070287
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 29% Low 71%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-43112)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in cifs_sanitize_prepath when parsing path strings containing only delimiters or no path content. A local user can supply a crafted path string to cause a denial of service.

The issue can be triggered by an empty string or a string such as "/".


2) Use-after-free (CVE-ID: CVE-2026-45998)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in rxrpc_input_packet() and rxrpc_io_thread() when handling RxRPC packets after skb_unshare() failure. A local user can trigger an allocation failure condition to cause a denial of service.


3) Integer overflow (CVE-ID: CVE-2026-46209)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform out-of-bounds read or write operations.

The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.

The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.


4) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


5) Improper locking (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory synchronization in broadcast TLB invalidation completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory access patterns that rely on invalidated TLB entries to cause a denial of service.

The issue affects only completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


6) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


7) Double free (CVE-ID: CVE-2026-46316)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in vgic_its_invalidate_cache() in the KVM arm64 vgic-its translation cache when invalidating cache entries concurrently. A local user can trigger concurrent cache invalidation paths to cause a denial of service.

The issue occurs because multiple contexts can drain the same cache at the same time, allowing an entry to be freed while an ITE still maps it.


Remediation

Install update from vendor's website.