SB2026070612 - openEuler 22.03 LTS SP4 update for kernel
Published: July 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-31414)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.
The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.
2) Use-after-free (CVE-ID: CVE-2026-31453)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.
3) Race condition (CVE-ID: CVE-2026-31455)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in xfs_unmount_flush_inodes() when unmounting an XFS filesystem while background reclaim and inodegc are still running. A local user can trigger filesystem unmount operations to cause a denial of service.
The issue occurs because inodegc can dirty and insert inodes into the AIL during the flush, while background reclaim can race to abort and free dirty inodes.
4) Out-of-bounds read (CVE-ID: CVE-2026-43112)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in cifs_sanitize_prepath when parsing path strings containing only delimiters or no path content. A local user can supply a crafted path string to cause a denial of service.
The issue can be triggered by an empty string or a string such as "/".
5) Use-after-free (CVE-ID: CVE-2026-43153)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in xfs_attr_leaf_hasname when handling attribute leaf lookups after read or lookup errors. A local user can trigger error conditions to cause a denial of service.
6) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43158)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the xfs extended attribute leaf block freemap adjustment code when adding extended attributes to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.
The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.
7) Out-of-bounds read (CVE-ID: CVE-2026-43350)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in parse_dacl() when parsing ACE SIDs returned by an SMB server. A remote attacker can send a specially crafted ACE with a truncated NFS mode SID to disclose sensitive information.
The issue occurs because an ACE with only two subauthorities can still match the NFS mode SID pattern, leading to a read of sid.sub_auth[2] past the end of the ACE.
8) Improper input validation (CVE-ID: CVE-2026-43365)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause filesystem corruption and a denial of service.
The vulnerability exists due to improper input validation in XFS log roundoff handling when mounting or recovering a crafted XFS filesystem with a malformed superblock. A local user can provide a specially crafted filesystem image to cause filesystem corruption and a denial of service.
The issue can result in corrupt logs and an unmountable filesystem on systems using 4k physical sectors.
9) Race condition (CVE-ID: CVE-2026-46135)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.
The issue can lead to a second kref_put() being issued on an already released queue.
10) Out-of-bounds read (CVE-ID: CVE-2026-46149)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in tg_pt_gp_members_show() when formatting and copying LUN paths to a sysfs reader. A local user can read the affected sysfs entry with a long fabric WWN value to disclose sensitive information.
When CONFIG_FORTIFY_SOURCE is enabled, exploitation triggers fortify_panic() instead of leaking adjacent stack contents.
11) Use-after-free (CVE-ID: CVE-2026-46227)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.
The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.
12) Improper locking (CVE-ID: CVE-2026-52946)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper locking in fs/fcntl.c when handling TCP urgent data signaling for a process group. A remote attacker can send specially crafted TCP URG packets to cause a denial of service.
The issue occurs when FASYNC is configured for a process group.
13) Improper locking (CVE-ID: CVE-2026-53037)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper resource management in hid_post_reset() when processing a reset of a crafted USB device that includes both HID and storage or UAS components. An attacker with physical access can connect a crafted USB device to trigger a deadlock and cause a denial of service.
The issue occurs because the components can be reset only together, placing the affected code in block I/O error handling.
14) Race condition (CVE-ID: CVE-2026-53071)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to corrupt kernel memory.
The vulnerability exists due to a race condition in l2cap_ecred_reconf_rsp in the L2CAP subsystem when processing a crafted L2CAP ECRED reconfiguration response from a remote BLE device. A remote attacker can send a specially crafted L2CAP ECRED reconfiguration response to corrupt kernel memory.
Exploitation requires concurrent channel list iteration by another thread.
Remediation
Install update from vendor's website.