SB2026070968 - openEuler 22.03 LTS SP4 update for kernel



SB2026070968 - openEuler 22.03 LTS SP4 update for kernel

Published: July 9, 2026

Security Bulletin ID SB2026070968
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 33
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 21% Low 79%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 33 vulnerabilities.


1) Memory leak (CVE-ID: CVE-2026-53252)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in bt_host_release() when handling failed Bluetooth HCI device initialization before hci_register_dev() completes. A local user can trigger device initialization failures to cause a denial of service.

The issue occurs because the unregistered device cleanup path bypasses hci_release_dev(), leaving the SRCU structure allocated in hci_alloc_dev() uncleared.


2) Use-after-free (CVE-ID: CVE-2026-53115)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the fsl-mc bus driver_override handling when matching drivers during device probing. A local user can trigger driver matching on a device with a stale driver_override reference to cause a denial of service.

The issue occurs because the match callback may access driver_override without the device lock held during __driver_attach().


3) Out-of-bounds write (CVE-ID: CVE-2026-53194)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in klsi_105_prepare_write_buffer() when processing writes to the tty device. A local user can write bulk_out_size or more bytes to the tty to cause a denial of service.

The issue is triggered when the write fifo holds at least the full bulk-out buffer size, causing data to be copied starting two bytes into a 64-byte buffer.


4) Heap-based buffer overflow (CVE-ID: CVE-2026-53195)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in build_i2c_fw_hdr() in the io_ti USB serial driver when parsing a crafted firmware file. A local user can supply a firmware image with an oversized Length field to cause a denial of service.

The issue arises because the Length field from the firmware image is not validated against the available destination buffer space before copying.


5) Improper input validation (CVE-ID: CVE-2026-53208)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in l2cap_sig_channel() when processing oversized Bluetooth BR/EDR signaling packets. A remote attacker can send a specially crafted fixed-channel CID 0x0001 packet containing many L2CAP_ECHO_REQ commands to cause a denial of service.

Exploitation is possible by a Bluetooth BR/EDR peer within radio range before pairing.


6) Improper access control (CVE-ID: CVE-2026-53236)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in SO_ATTACH_FILTER on TCP sockets when attaching a cBPF filter. A local user can attach a filter to leak TCP sequence and acknowledgment numbers to disclose sensitive information.

Exploitation requires access to create or control a TCP socket and use the socket option interface.


7) Out-of-bounds read (CVE-ID: CVE-2026-53238)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in netlbl_unlabel_addrinfo_get() when handling crafted Generic Netlink requests with a shorter unlabeled address mask attribute. A local user can send a specially crafted Generic Netlink request to cause a denial of service.


8) Improper input validation (CVE-ID: CVE-2026-53245)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in mrp_pdu_parse_vecattr when parsing crafted MRP vector attributes in protocol data units. A remote attacker can send a specially crafted MRP packet to cause a denial of service.

The issue can be triggered when a VectorAttribute uses a zero-length value set or event counts that cross byte boundaries.


9) Improper access control (CVE-ID: CVE-2026-53249)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in ip_options_get() in net/ipv4/ip_options.c when setting IPv4 Loose Source and Record Route or Strict Source and Record Route options. A local user can set crafted IP options to force packets through attacker-controlled nodes to disclose sensitive information.

Exposure depends on network paths that support and forward these IPv4 options.


10) Use-after-free (CVE-ID: CVE-2026-53072)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in hci_conn_request_evt() when handling deferred Bluetooth connection requests. A local user can trigger concurrent connection handling to cause a denial of service.

Only SCO deferred setup listen code paths are affected.


11) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53266)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory handling in the ebtables SNAT target ARP sender hardware address rewrite in net/bridge/netfilter/ebt_snat.c when processing ARP packets in bridge netfilter hooks. A local user can trigger ARP sender hardware address rewriting on a crafted nonlinear skb to cause a denial of service.

Exploitation requires the ARP sender hardware address rewrite path to be reached with a nonlinear skb fragment backed by a splice-imported file page.


12) Out-of-bounds read (CVE-ID: CVE-2026-53268)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the conntrack_irc helper when parsing IRC DCC commands. A remote attacker can send specially crafted IRC traffic to cause a denial of service.


13) Race condition (CVE-ID: CVE-2026-53269)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the synproxy hook reference counting logic in netfilter when concurrently adding the first iptables target or nftables expression. A local user can trigger concurrent registration or teardown operations to cause a denial of service.

The issue affects on-demand netfilter hook registration performed by the SYNPROXY infrastructure from both iptables and nftables frontends.


14) Use-after-free (CVE-ID: CVE-2026-53270)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to a use-after-free in the IPVS scheduler handling in ip_vs_edit_service() when editing a service and unbinding the old scheduler. A local privileged user can trigger service reconfiguration while packets are being scheduled to cause a denial of service.

The issue occurs because packets may continue using the old scheduler after its scheduling data has been freed following an RCU grace period.


15) Use-after-free (CVE-ID: CVE-2026-53275)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in __mld_query_work in net/ipv6/mcast.c when processing crafted MLD queries. A remote attacker can send a specially crafted MLD query packet to cause a denial of service.

The issue occurs because a pointer to the multicast group address is dereferenced after skb header reallocation following pskb_may_pull() calls.


16) Use-after-free (CVE-ID: CVE-2026-53357)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in l2cap_sock_cleanup_listen() and bt_accept_dequeue() in the Bluetooth L2CAP socket handling code when racing listen socket cleanup with a concurrent HCI disconnect. A local user can trigger a listen/close versus HCI-disconnect race to cause a denial of service.

The issue occurs during cleanup of not-yet-accepted child sockets on a listening socket.


17) Use-after-free (CVE-ID: CVE-2025-39860)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the l2cap_sock_release() function in net/bluetooth/l2cap_sock.c. A local user can escalate privileges on the system.


18) Improper access control (CVE-ID: CVE-2026-43052)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause unintended side effects in wireless configuration.

The vulnerability exists due to improper access control in ieee80211_tdls_oper when handling NL80211_TDLS_ENABLE_LINK operations for non-TDLS stations. A local user can trigger the operation on a non-TDLS station to cause unintended side effects in wireless configuration.


19) Improper locking (CVE-ID: CVE-2026-53049)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in gfs2_logd() and log flushing functions in the gfs2 log subsystem when handling concurrent transactions. A local user can trigger concurrent log flush activity to cause a denial of service.


20) Stack-based buffer overflow (CVE-ID: CVE-2026-53002)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in the nf_nat_sip netfilter helper when processing crafted SIP/SDP messages. A remote attacker can send specially crafted network traffic to cause a denial of service.

The issue is triggered in mangle_content_len() during SIP message handling.


21) NULL pointer dereference (CVE-ID: CVE-2026-52998)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in nf_osf_ttl() when processing packets for TTL checks. A remote attacker can send a specially crafted packet to cause a denial of service.


22) Use-after-free (CVE-ID: CVE-2026-52991)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in pressure_write() in kernel/cgroup/cgroup.c when handling a write to a pressure cgroup file during concurrent cgroup file release. A local user can write crafted pressure data while racing cgroup file release to cause a denial of service.

The issue occurs because the of->priv pointer may be freed concurrently and later dereferenced.


23) Out-of-bounds read (CVE-ID: CVE-2026-52986)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the nf_conntrack_sip SIP message parser when parsing non-NUL-terminated SIP packet data containing crafted port values. A remote attacker can send a specially crafted SIP packet to cause a denial of service.

The issue involves port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request(), where parsing could reach the buffer limit without a trailing character.


24) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-52970)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a missing reference release in nft_ct_expect_obj_eval() in the netfilter nft_ct component when processing conntrack expectation objects. A local user can trigger the vulnerable code path to cause a denial of service.


25) Out-of-bounds read (CVE-ID: CVE-2026-52963)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in snd_usbmidi_get_ms_info() / USB MIDI endpoint descriptor scanning when parsing crafted MIDIStreaming endpoint descriptors. A local user can provide a crafted USB device descriptor to disclose sensitive information.


26) Use-after-free (CVE-ID: CVE-2026-52943)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free in pskb_carve_inside_header() and pskb_carve_inside_nonlinear() when copying skb_shared_info for MSG_ZEROCOPY skbs. A local user can trigger repeated zerocopy skb operations to escalate privileges.

The issue is caused by copying the destructor_arg pointer into a new skb_shared_info without incrementing the associated zerocopy reference count, which can prematurely free ubuf_info_msgzc while transmit skbs still hold live references.


27) Use-after-free (CVE-ID: CVE-2026-52923)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ipc_idr_alloc() in the checkpoint/restore SysV IPC allocation path when processing a request for the next SysV IPC id. A local user can request allocation beyond the valid IPC id range to cause a denial of service.

A subsequent walk of /proc/sysvipc/shm can dereference freed memory through a stale IDR entry.


28) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45912)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4 extent status tree handling when splitting an unwritten extent during direct I/O writes. A local user can trigger extent splitting and subsequent delayed buffer writes to cause a denial of service.

The issue can leave a stale hole extent in the extent status tree, leading to errors in space accounting.


29) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45899)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the ext4 extent status tree when splitting extents. A local user can trigger a split extent failure to cause a denial of service.


30) Race condition (CVE-ID: CVE-2026-45892)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in ext4 extent status tree handling in ext4_split_extent() when processing buffered writes to the middle of an unwritten extent without dioread_nolock enabled. A local user can trigger a stale unwritten extent entry to cause a denial of service.

The issue occurs when splitting an unwritten extent in the middle and converting it to initialized after a partial zeroout operation leaves extent status information inconsistent with the on-disk extent state.


31) Out-of-bounds write (CVE-ID: CVE-2026-43206)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to an out-of-bounds write in kfd_event_page_set() when processing a user-supplied buffer size parameter. A local user can pass a small buffer to trigger an out-of-bounds kernel memory write to escalate privileges.


32) Use-after-free (CVE-ID: CVE-2026-43111)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in roccat_report_event when iterating over the device readers list during concurrent device access. A local user can trigger concurrent access to the roccat device to cause a denial of service.

The issue arises from a race condition with roccat_release() removing and freeing a reader while it is still being accessed.


33) Out-of-bounds read (CVE-ID: CVE-2026-43110)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in brcmf_fweh_handle_if_event() when handling firmware-provided IF events. A remote attacker can supply a crafted bsscfg index to cause a denial of service.


Remediation

Install update from vendor's website.