SB2026070778 - Red Hat Enterprise Linux 8 update for kernel



SB2026070778 - Red Hat Enterprise Linux 8 update for kernel

Published: July 7, 2026

Security Bulletin ID SB2026070778
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 22% Low 78%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 vulnerabilities.


1) Race condition (CVE-ID: CVE-2026-43198)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in tcp_v6_syn_recv_sock() when handling IPv6 TCP connection requests. A remote attacker can send network traffic that triggers the race to cause a denial of service.

The issue occurs because a child socket may become visible in the TCP ehash table before its IPv6 state is fully initialized.


2) Out-of-bounds read (CVE-ID: CVE-2026-43450)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in nfnl_cthelper_dump_table() when handling netlink dump requests after a previously saved helper entry is deleted between dump rounds. A local user can trigger the affected dump logic to cause a denial of service.

The issue is triggered when the saved "last" helper is deleted between dump rounds, causing a restart path to bypass the loop bounds check.


3) Use-after-free (CVE-ID: CVE-2026-46227)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free and type confusion in sctp_sendmsg() SCTP_SENDALL path when iterating associations after sctp_sendmsg_to_asoc() drops and reacquires the socket lock. A local user can trigger concurrent association migration or freeing to execute arbitrary code.

The issue is reachable with no effective capabilities, and the type-confusion path can lead to a controlled indirect call via the outqueue.sched->init_sid pointer.


4) Integer overflow (CVE-ID: CVE-2026-46209)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform out-of-bounds read or write operations.

The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.

The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.


5) Use-after-free (CVE-ID: CVE-2026-46259)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in do_task_stat() in procfs when reading /proc/[pid]/stat. A local user can trigger access to a stale real_parent task reference to cause a denial of service.


6) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLB invalidation completion handling in the arm64 TLB invalidation logic when performing memory accesses translated by an invalidated TLB entry after a TLBI;DSB sequence. A local user can trigger affected memory access patterns to cause a denial of service.

The issue affects only the completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


7) Race condition (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in broadcast TLBI completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory management activity to cause a denial of service.

The issue affects completion of memory accesses translated by an invalidated TLB entry, while TLB invalidation itself still occurs correctly.


8) Improper locking (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory synchronization in broadcast TLB invalidation completion handling in the arm64 CPU errata logic when performing broadcast TLB invalidation on affected Arm CPUs. A local user can trigger memory access patterns that rely on invalidated TLB entries to cause a denial of service.

The issue affects only completion of memory accesses translated by an invalidated TLB entry and does not prevent the actual invalidation of TLB entries.


9) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user can trigger writes from a malicious guest after write permissions have been revoked to escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


Remediation

Install update from vendor's website.