SB2026070833 - Red Hat Enterprise Linux 9 update for kernel



SB2026070833 - Red Hat Enterprise Linux 9 update for kernel

Published: July 8, 2026

Security Bulletin ID SB2026070833
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2024-27398)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the sco_sock_timeout() function in net/bluetooth/sco.c. A remote attacker can trigger a use-after-free error and perform a denial of service (DoS) attack.


2) Use-after-free (CVE-ID: CVE-2024-50125)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the SCO_CONN_TIMEOUT(), sco_sock_timeout() and sco_conn_del() functions in net/bluetooth/sco.c, within the bt_sock_unlink() function in net/bluetooth/af_bluetooth.c. A local user can escalate privileges on the system.


3) Buffer overflow (CVE-ID: CVE-2025-68183)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the ima_protect_xattr(), ima_reset_appraise_flags(), ima_inode_setxattr() and ima_inode_set_acl() functions in security/integrity/ima/ima_appraise.c. A local user can perform a denial of service (DoS) attack.


4) Use-after-free (CVE-ID: CVE-2026-31408)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.

The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.


5) Use-after-free (CVE-ID: CVE-2026-43027)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.

The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.


6) Out-of-bounds write (CVE-ID: CVE-2026-43279)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in prepare_silent_urb() when silencing playback URB packets in implicit feedback mode before actual playback. A local user can trigger inconsistent capture and playback stream packet sizing to cause a denial of service.

The issue can occur when the capture stream setup differs from the playback stream setup, such as due to USB core maximum packet size limitations.


7) Out-of-bounds write (CVE-ID: CVE-2026-43125)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in dlm_search_rsb_tree() when processing network messages with an excessive resource name length. A remote attacker can send a specially crafted network message to cause a denial of service.

The length value originates from the len parameter in dlm_dump_rsb_name().


8) Use-after-free (CVE-ID: CVE-2026-45984)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in gfs2 inline data write path when handling inline data writes. A local user can trigger an inline write operation to cause a denial of service.

The issue occurs because a buffer head is released before the inline write completes, leaving a stale pointer that is later dereferenced during the write end path.


9) Race condition (CVE-ID: CVE-2026-46152)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause incorrect packet processing.

The vulnerability exists due to a race condition in ieee80211_invoke_fast_rx() when processing packets in parallel RX paths. A local user can trigger concurrent packet processing to cause incorrect packet processing.

This issue arises because concurrent callers share a single rx_result instance, which can be overwritten between ieee80211_rx_mesh_data() and the subsequent switch on the result.


10) Double free (CVE-ID: CVE-2026-46189)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in pvrdma_alloc_ucontext() error path when handling ucontext allocation failures. A local user can trigger the error path to cause a denial of service.


Remediation

Install update from vendor's website.