SB2026070615 - openEuler 24.03 LTS SP1 update for kernel



SB2026070615 - openEuler 24.03 LTS SP1 update for kernel

Published: July 6, 2026

Security Bulletin ID SB2026070615
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Local access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-23346)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ioremap_prot() function when handling memory protection settings from user mappings. A local user can trigger access to a specially crafted user memory region to cause a kernel memory access violation, leading to a system crash.

The issue specifically affects arm64 systems where user page protection flags are incorrectly processed during physical memory access, resulting in an unreadable memory access from kernel space.


2) Out-of-bounds write (CVE-ID: CVE-2026-23377)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ice driver's XDP RxQ configuration when handling XDP buffer size parameters. A local user can trigger a negative tailroom condition by using the XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test with a large packet size and offset to cause a kernel panic.

The issue arises specifically from incorrect assumptions about buffer size in the frag_size field, leading to memory corruption during XDP processing.


3) Race condition (CVE-ID: CVE-2026-31466)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.

The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().


4) Race condition (CVE-ID: CVE-2026-31508)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch port teardown code when unregistering a netdevice. A local user can trigger netdevice unregistration to cause a denial of service.

The issue can occur on PREEMPT_RT kernels if the device is freed before unregistration completes.


5) Integer overflow (CVE-ID: CVE-2026-43323)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the CFS scheduler when handling repeated yield operations across runnable tasks. A local user can trigger repeated yield activity to cause a denial of service.

Systems with multiple cgroups may be more exposed because scheduler tick updates may not reach every cgroup in a timely manner.


6) Race condition (CVE-ID: CVE-2026-43448)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nvme_poll_irqdisable() when handling concurrent device disable and IRQ polling operations. A local user can trigger the race to cause a denial of service.

The issue can lead to an unbalanced IRQ enable warning in the kernel.


Remediation

Install update from vendor's website.