SB2026070614 - openEuler 24.03 LTS SP3 update for kernel



SB2026070614 - openEuler 24.03 LTS SP3 update for kernel

Published: July 6, 2026

Security Bulletin ID SB2026070614
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 47
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 13% Low 87%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 47 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-43350)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in parse_dacl() when parsing ACE SIDs returned by an SMB server. A remote attacker can send a specially crafted ACE with a truncated NFS mode SID to disclose sensitive information.

The issue occurs because an ACE with only two subauthorities can still match the NFS mode SID pattern, leading to a read of sid.sub_auth[2] past the end of the ACE.


2) Out-of-bounds read (CVE-ID: CVE-2026-43025)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the ctnetlink expectation handling code when processing netlink requests that create expectations with a helper different from the existing master conntrack helper. A remote user can send a specially crafted netlink request to disclose sensitive information.

The issue can allow reading kernel memory bytes beyond the expectation boundary.


3) Use of Uninitialized Variable (CVE-ID: CVE-2026-43026)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of uninitialized memory in ctnetlink expectation handling when processing a netlink message without CTA_EXPECT_NAT. A remote user can send a specially crafted netlink message to disclose sensitive information.

The issue can cause stale data from a previous slab allocation to be exposed in a dumped CTA_EXPECT_NAT attribute, and it is relevant only when NAT support is enabled.


4) Use-after-free (CVE-ID: CVE-2026-43091)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in xfrm policy_bydst hash tables during network namespace teardown when concurrent RCU-protected policy lookups are performed. A local user can trigger network namespace teardown while the tables are still being accessed to cause a denial of service.

The issue occurs because the memory can be freed before an RCU grace period has elapsed.


5) Use-after-free (CVE-ID: CVE-2026-43116)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in netfilter ctnetlink expectation handling when processing expectation add, delete, get, or event operations. A local user can trigger access to an invalid master conntrack object to cause a denial of service.


6) Out-of-bounds write (CVE-ID: CVE-2026-43125)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in dlm_search_rsb_tree() when processing network messages with an excessive resource name length. A remote attacker can send a specially crafted network message to cause a denial of service.

The length value originates from the len parameter in dlm_dump_rsb_name().


7) Deadlock (CVE-ID: CVE-2026-43127)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a circular locking dependency in run_unpack_ex when handling NTFS metadata operations. A local user can trigger lock acquisition in a conflicting order to cause a denial of service.

The issue arises from an AB-BA deadlock between wnd->rw_lock and ni->file.run_lock.


8) Race condition (CVE-ID: CVE-2026-43220)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the amd iommu tlb invalidation handling when processing concurrent tlb invalidations. A local user can trigger concurrent invalidation activity to cause a denial of service.

The issue can cause completion waits to time out because command completion wait operations may be queued out of sequence.


9) Race condition (CVE-ID: CVE-2026-43239)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in smb client query_interfaces() when concurrently updating interfaces. A local user can trigger concurrent interface query work to cause a denial of service.


10) Improper locking (CVE-ID: CVE-2026-43309)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the dm-raid target when stopping a RAID array after suspending the device tree from top to bottom and removing the top-level RAID device. A local user can stop and remove a crafted dm-raid managed array to cause a denial of service.

The issue results in an indefinite block because write-intent bitmap operations are attempted against already suspended metadata devices.


11) Improper locking (CVE-ID: CVE-2026-43319)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock management in the spidev driver when handling concurrent write and ioctl operations on the same spidev file descriptor. A local user can perform write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads to cause a denial of service.

The issue is triggered by an AB-BA locking pattern involving spi_lock and buf_lock.


12) Integer overflow (CVE-ID: CVE-2026-43323)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the CFS scheduler when handling repeated yield operations across runnable tasks. A local user can trigger repeated yield activity to cause a denial of service.

Systems with multiple cgroups may be more exposed because scheduler tick updates may not reach every cgroup in a timely manner.


13) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43022)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper exception handling in hci_cmd_sync_queue_once() when queuing command items. A local user can trigger duplicate queueing conditions to cause a denial of service.

The issue can lead to resource leaks when an already queued item is not reported to the caller.


14) Off-by-one (CVE-ID: CVE-2026-43445)

CWE-ID: CWE-193 - Off-by-one Error

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an off-by-one error in the e1000 and e1000e TX buffer DMA cleanup logic when handling DMA mapping errors. A local user can trigger DMA mapping failures to cause a denial of service.


15) Race condition (CVE-ID: CVE-2026-43448)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nvme_poll_irqdisable() when handling concurrent device disable and IRQ polling operations. A local user can trigger the race to cause a denial of service.

The issue can lead to an unbalanced IRQ enable warning in the kernel.


16) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-45859)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state handling in nfnetlink_queue when processing UDP GSO packets with an unconfirmed nf_conn entry. A remote attacker can send specially crafted network traffic to cause a denial of service.

The issue occurs when an application has not enabled the F_GSO capability flag.


17) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46014)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disrupt virtual machine state handling.

The vulnerability exists due to improper state management in KVM SVM LBR MSR save and restore handling when processing userspace MSR save and restore operations. A local user can trigger incorrect handling of LBR and debug control MSRs to disrupt virtual machine state handling.

Exploitation requires access to userspace interfaces that manage virtual CPU MSR state, and LBR-related behavior depends on LBR virtualization being enabled.


18) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-46174)

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause instruction corruption.

The vulnerability exists due to improper isolation of shared resources in Zen2 op cache when executing code on the system. A local user can run code locally to cause instruction corruption.


19) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


20) Improper resource shutdown or release (CVE-ID: CVE-2026-46320)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in tap_get_user_xdp() when processing XDP frames. A local user can send a crafted short frame or trigger skb allocation failure to cause a denial of service.

Each rejected frame in a batch leaks one page-frag chunk.


21) Memory leak (CVE-ID: CVE-2026-46321)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in tun_xdp_one() in the tun driver when processing short frames through the tun and vhost-net transmit path. A local user can submit TX descriptors whose payload length is shorter than ETH_HLEN to exhaust host memory and trigger an OOM panic.

Exploitation requires the ability to open /dev/net/tun and /dev/vhost-net and to attach a tun/tap device as the vhost-net backend.


22) Memory leak (CVE-ID: CVE-2026-46322)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in tun_xdp_one() when handling a build_skb() allocation failure. A local user can trigger this error path to cause a denial of service.

The issue occurs because a page allocated for the frame is not freed on the failure path, and the per-buffer error may be discarded during batch processing.


23) Use-after-free (CVE-ID: CVE-2026-46323)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in skb_gro_receive in the GRO subsystem when merging zerocopy skbs. A local user can trigger GRO processing with zerocopy skbs to cause a denial of service.

The issue occurs when either the source skb or the last skb in the GRO chain is zerocopy and uses managed fragment references.


24) Use-after-free (CVE-ID: CVE-2026-46330)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the SMC TCP ULP support in net/smc/af_smc.c when converting an active TCP socket into an SMC socket by modifying open-file VFS structures in place. A local user can trigger the flawed socket conversion to cause a denial of service.

The issue stems from in-place modification of struct file, dentry, and inode objects that are expected to remain immutable for an open file.


25) Use-after-free (CVE-ID: CVE-2026-31453)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.


26) Improper locking (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory synchronization in broadcast TLB invalidation completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory access patterns that rely on invalidated TLB entries to cause a denial of service.

The issue affects only completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


27) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


28) Improper locking (CVE-ID: CVE-2025-39932)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the smbd_destroy() function in fs/smb/client/smbdirect.c. A local user can perform a denial of service (DoS) attack.


29) Memory leak (CVE-ID: CVE-2025-71203)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the do_trap_ecall_u() function in arch/riscv/kernel/traps.c. A local user can perform a denial of service (DoS) attack.


30) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23261)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory resource management in the NVMe/FC controller initialization component when processing controller setup operations. A local user can trigger a failure during controller initialization to cause a denial of service.

The issue arises because the admin tagset is not released if initialization fails, leading to memory resource leaks. This requires the ability to create and initialize an NVMe/FC controller, which is restricted to users with appropriate privileges.


31) Out-of-bounds read (CVE-ID: CVE-2026-23346)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ioremap_prot() function when handling memory protection settings from user mappings. A local user can trigger access to a specially crafted user memory region to cause a kernel memory access violation, leading to a system crash.

The issue specifically affects arm64 systems where user page protection flags are incorrectly processed during physical memory access, resulting in an unreadable memory access from kernel space.


32) Out-of-bounds write (CVE-ID: CVE-2026-23377)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ice driver's XDP RxQ configuration when handling XDP buffer size parameters. A local user can trigger a negative tailroom condition by using the XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test with a large packet size and offset to cause a kernel panic.

The issue arises specifically from incorrect assumptions about buffer size in the frag_size field, leading to memory corruption during XDP processing.


33) Use-after-free (CVE-ID: CVE-2026-31414)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.

The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.


34) Out-of-bounds write (CVE-ID: CVE-2026-31432)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in smb2_get_info_sec() and build_sec_desc() when processing compound requests that include QUERY_INFO for security descriptors. A remote user can send a specially crafted compound request to cause a denial of service.

The issue is triggered when an earlier command in the same compound request consumes most of the response buffer, such as a READ request preceding QUERY_INFO(Security).


35) Improper resource shutdown or release (CVE-ID: CVE-2026-31440)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the idxd dmaengine driver when removing a device after a reset. A local user can trigger device removal to cause a denial of service.

The issue occurs because the reset clears configuration registers before event log memory deallocation is checked.


36) NULL pointer dereference (CVE-ID: CVE-2026-31443)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of unallocated memory in the idxd driver event log handling when processing hardware errors that trigger function level reset. A local user can trigger such an error condition to cause a denial of service.

Only systems where reporting errors to the event log is not supported by the hardware are vulnerable.


37) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLBI completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory management activity to cause a denial of service.

The issue affects completion of memory accesses translated by an invalidated TLB entry, while TLB invalidation itself still occurs correctly.


38) Race condition (CVE-ID: CVE-2026-31466)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.

The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().


39) Race condition (CVE-ID: CVE-2026-31508)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch port teardown code when unregistering a netdevice. A local user can trigger netdevice unregistration to cause a denial of service.

The issue can occur on PREEMPT_RT kernels if the device is freed before unregistration completes.


40) Race condition (CVE-ID: CVE-2026-31551)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in aql_enable_write in the mac80211 debugfs interface when handling concurrent write operations to debugfs. A local user can perform concurrent writes to the aql control file to cause a denial of service.


41) Race condition (CVE-ID: CVE-2026-31557)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in async event work handling on the nvmet workqueue when freeing an NVMe target controller during queue disconnect processing. A local user can trigger queue disconnect and controller cleanup to cause a denial of service.

The issue arises from recursive locking when async event work is flushed from the same worker processing nvmet-wq.


42) Use-after-free (CVE-ID: CVE-2026-31580)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in cached_dev.sb_bio when handling superblock write completion while the device is being stopped. A local user can stop the device during a superblock write to cause a denial of service.


43) Use-after-free (CVE-ID: CVE-2026-31663)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in xfrm_input_resume and transport_finish when processing packets after asynchronous crypto completion. A local user can trigger a race with device teardown to cause a denial of service.


44) Use of uninitialized resource (CVE-ID: CVE-2026-31664)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.

The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.


45) Out-of-bounds read (CVE-ID: CVE-2026-31681)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ports_match_v1() in the xt_multiport netfilter module when processing malformed multiport v1 rules. A local user can supply a crafted rule with invalid range encoding to cause a denial of service.


46) Improper access control (CVE-ID: CVE-2026-31717)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote user to hijack an orphaned durable handle.

The vulnerability exists due to improper access control in durable handle reconnect validation in ksmbd when processing SMB2 durable handle reconnect requests. A remote user can predict or brute-force the persistent ID and reconnect to the orphaned handle to hijack an orphaned durable handle.

The issue occurs because the reconnecting user's security context is not verified against the original opener's identity.


47) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31725)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the f_ecm net_device lifecycle handling when unbinding the gadget function. A local user can trigger bind and unbind cycles to cause a denial of service.

The issue can leave dangling sysfs symlinks after the parent gadget device is destroyed while the network device remains registered.


Remediation

Install update from vendor's website.