SB2026070678 - Red Hat Enterprise Linux 9 update for kernel



SB2026070678 - Red Hat Enterprise Linux 9 update for kernel

Published: July 6, 2026

Security Bulletin ID SB2026070678
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 23% Low 77%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-43112)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in cifs_sanitize_prepath when parsing path strings containing only delimiters or no path content. A local user can supply a crafted path string to cause a denial of service.

The issue can be triggered by an empty string or a string such as "/".


2) Use-after-free (CVE-ID: CVE-2026-43276)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the mana driver service rescan PCI path when handling a failed resume during service reset and rescan. A local user can trigger this code path to cause a denial of service.


3) Use-after-free (CVE-ID: CVE-2026-46323)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in skb_gro_receive in the GRO subsystem when merging zerocopy skbs. A local user can trigger GRO processing with zerocopy skbs to cause a denial of service.

The issue occurs when either the source skb or the last skb in the GRO chain is zerocopy and uses managed fragment references.


4) Use-after-free (CVE-ID: CVE-2026-46116)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __xfrm_state_delete when deleting xfrm_state list entries during xfrm_state lifecycle handling. A local user can trigger repeated deletion of the same xfrm_state object to cause a denial of service.

The issue was reproduced under syzkaller load during network namespace cleanup in the xfrm subsystem.


5) Use-after-free (CVE-ID: CVE-2026-46227)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.

The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.


6) Integer overflow (CVE-ID: CVE-2026-46209)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform out-of-bounds read or write operations.

The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.

The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.


7) Out-of-bounds read (CVE-ID: CVE-2026-46155)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in smb2_compound_op() when processing a crafted SMB server response. A remote attacker can send a truncated response with a large OutputBufferLength and an early-terminated EA list to disclose sensitive information.


8) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass firewall restrictions.

The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.

The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.


9) Use-after-free (CVE-ID: CVE-2026-46259)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.


10) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLBI completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory management activity to cause a denial of service.

The issue affects completion of memory accesses translated by an invalidated TLB entry, while TLB invalidation itself still occurs correctly.


11) Improper locking (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory synchronization in broadcast TLB invalidation completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory access patterns that rely on invalidated TLB entries to cause a denial of service.

The issue affects only completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


12) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


13) Double free (CVE-ID: CVE-2026-46316)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in vgic_its_invalidate_cache() in the KVM arm64 vgic-its translation cache when invalidating cache entries concurrently. A local user can trigger concurrent cache invalidation paths to cause a denial of service.

The issue occurs because multiple contexts can drain the same cache at the same time, allowing an entry to be freed while an ITE still maps it.


Remediation

Install update from vendor's website.