SB2026070968 - openEuler 22.03 LTS SP4 update for kernel
Published: July 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 33 vulnerabilities.
1) Memory leak (CVE-ID: CVE-2026-53252)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in bt_host_release() when handling failed Bluetooth HCI device initialization before hci_register_dev() completes. A local user can trigger device initialization failures to cause a denial of service.
The issue occurs because the unregistered device cleanup path bypasses hci_release_dev(), leaving the SRCU structure allocated in hci_alloc_dev() uncleared.
2) Use-after-free (CVE-ID: CVE-2026-53115)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the fsl-mc bus driver_override handling when matching drivers during device probing. A local user can trigger driver matching on a device with a stale driver_override reference to cause a denial of service.
The issue occurs because the match callback may access driver_override without the device lock held during __driver_attach().
3) Out-of-bounds write (CVE-ID: CVE-2026-53194)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in klsi_105_prepare_write_buffer() when processing writes to the tty device. A local user can write bulk_out_size or more bytes to the tty to cause a denial of service.
The issue is triggered when the write fifo holds at least the full bulk-out buffer size, causing data to be copied starting two bytes into a 64-byte buffer.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-53195)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in build_i2c_fw_hdr() in the io_ti USB serial driver when parsing a crafted firmware file. A local user can supply a firmware image with an oversized Length field to cause a denial of service.
The issue arises because the Length field from the firmware image is not validated against the available destination buffer space before copying.
5) Improper input validation (CVE-ID: CVE-2026-53208)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in l2cap_sig_channel() when processing oversized Bluetooth BR/EDR signaling packets. A remote attacker can send a specially crafted fixed-channel CID 0x0001 packet containing many L2CAP_ECHO_REQ commands to cause a denial of service.
Exploitation is possible by a Bluetooth BR/EDR peer within radio range before pairing.
6) Improper access control (CVE-ID: CVE-2026-53236)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in SO_ATTACH_FILTER on TCP sockets when attaching a cBPF filter. A local user can attach a filter to leak TCP sequence and acknowledgment numbers to disclose sensitive information.
Exploitation requires access to create or control a TCP socket and use the socket option interface.
7) Out-of-bounds read (CVE-ID: CVE-2026-53238)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in netlbl_unlabel_addrinfo_get() when handling crafted Generic Netlink requests with a shorter unlabeled address mask attribute. A local user can send a specially crafted Generic Netlink request to cause a denial of service.
8) Improper input validation (CVE-ID: CVE-2026-53245)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in mrp_pdu_parse_vecattr when parsing crafted MRP vector attributes in protocol data units. A remote attacker can send a specially crafted MRP packet to cause a denial of service.
The issue can be triggered when a VectorAttribute uses a zero-length value set or event counts that cross byte boundaries.
9) Improper access control (CVE-ID: CVE-2026-53249)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in ip_options_get() in net/ipv4/ip_options.c when setting IPv4 Loose Source and Record Route or Strict Source and Record Route options. A local user can set crafted IP options to force packets through attacker-controlled nodes to disclose sensitive information.
Exposure depends on network paths that support and forward these IPv4 options.
10) Use-after-free (CVE-ID: CVE-2026-53072)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in hci_conn_request_evt() when handling deferred Bluetooth connection requests. A local user can trigger concurrent connection handling to cause a denial of service.
Only SCO deferred setup listen code paths are affected.
11) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-53266)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory handling in the ebtables SNAT target ARP sender hardware address rewrite in net/bridge/netfilter/ebt_snat.c when processing ARP packets in bridge netfilter hooks. A local user can trigger ARP sender hardware address rewriting on a crafted nonlinear skb to cause a denial of service.
Exploitation requires the ARP sender hardware address rewrite path to be reached with a nonlinear skb fragment backed by a splice-imported file page.
12) Out-of-bounds read (CVE-ID: CVE-2026-53268)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the conntrack_irc helper when parsing IRC DCC commands. A remote attacker can send specially crafted IRC traffic to cause a denial of service.
13) Race condition (CVE-ID: CVE-2026-53269)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the synproxy hook reference counting logic in netfilter when concurrently adding the first iptables target or nftables expression. A local user can trigger concurrent registration or teardown operations to cause a denial of service.
The issue affects on-demand netfilter hook registration performed by the SYNPROXY infrastructure from both iptables and nftables frontends.
14) Use-after-free (CVE-ID: CVE-2026-53270)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to cause a denial of service.
The vulnerability exists due to a use-after-free in the IPVS scheduler handling in ip_vs_edit_service() when editing a service and unbinding the old scheduler. A local privileged user can trigger service reconfiguration while packets are being scheduled to cause a denial of service.
The issue occurs because packets may continue using the old scheduler after its scheduling data has been freed following an RCU grace period.
15) Use-after-free (CVE-ID: CVE-2026-53275)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in __mld_query_work in net/ipv6/mcast.c when processing crafted MLD queries. A remote attacker can send a specially crafted MLD query packet to cause a denial of service.
The issue occurs because a pointer to the multicast group address is dereferenced after skb header reallocation following pskb_may_pull() calls.
16) Use-after-free (CVE-ID: CVE-2026-53357)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in l2cap_sock_cleanup_listen() and bt_accept_dequeue() in the Bluetooth L2CAP socket handling code when racing listen socket cleanup with a concurrent HCI disconnect. A local user can trigger a listen/close versus HCI-disconnect race to cause a denial of service.
The issue occurs during cleanup of not-yet-accepted child sockets on a listening socket.
17) Use-after-free (CVE-ID: CVE-2025-39860)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the l2cap_sock_release() function in net/bluetooth/l2cap_sock.c. A local user can escalate privileges on the system.
18) Improper access control (CVE-ID: CVE-2026-43052)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause unintended side effects in wireless configuration.
The vulnerability exists due to improper access control in ieee80211_tdls_oper when handling NL80211_TDLS_ENABLE_LINK operations for non-TDLS stations. A local user can trigger the operation on a non-TDLS station to cause unintended side effects in wireless configuration.
19) Improper locking (CVE-ID: CVE-2026-53049)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in gfs2_logd() and log flushing functions in the gfs2 log subsystem when handling concurrent transactions. A local user can trigger concurrent log flush activity to cause a denial of service.
20) Stack-based buffer overflow (CVE-ID: CVE-2026-53002)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in the nf_nat_sip netfilter helper when processing crafted SIP/SDP messages. A remote attacker can send specially crafted network traffic to cause a denial of service.
The issue is triggered in mangle_content_len() during SIP message handling.
21) NULL pointer dereference (CVE-ID: CVE-2026-52998)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in nf_osf_ttl() when processing packets for TTL checks. A remote attacker can send a specially crafted packet to cause a denial of service.
22) Use-after-free (CVE-ID: CVE-2026-52991)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in pressure_write() in kernel/cgroup/cgroup.c when handling a write to a pressure cgroup file during concurrent cgroup file release. A local user can write crafted pressure data while racing cgroup file release to cause a denial of service.
The issue occurs because the of->priv pointer may be freed concurrently and later dereferenced.
23) Out-of-bounds read (CVE-ID: CVE-2026-52986)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the nf_conntrack_sip SIP message parser when parsing non-NUL-terminated SIP packet data containing crafted port values. A remote attacker can send a specially crafted SIP packet to cause a denial of service.
The issue involves port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request(), where parsing could reach the buffer limit without a trailing character.
24) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-52970)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a missing reference release in nft_ct_expect_obj_eval() in the netfilter nft_ct component when processing conntrack expectation objects. A local user can trigger the vulnerable code path to cause a denial of service.
25) Out-of-bounds read (CVE-ID: CVE-2026-52963)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in snd_usbmidi_get_ms_info() / USB MIDI endpoint descriptor scanning when parsing crafted MIDIStreaming endpoint descriptors. A local user can provide a crafted USB device descriptor to disclose sensitive information.
26) Use-after-free (CVE-ID: CVE-2026-52943)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free in pskb_carve_inside_header() and pskb_carve_inside_nonlinear() when copying skb_shared_info for MSG_ZEROCOPY skbs. A local user can trigger repeated zerocopy skb operations to escalate privileges.
The issue is caused by copying the destructor_arg pointer into a new skb_shared_info without incrementing the associated zerocopy reference count, which can prematurely free ubuf_info_msgzc while transmit skbs still hold live references.
27) Use-after-free (CVE-ID: CVE-2026-52923)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in ipc_idr_alloc() in the checkpoint/restore SysV IPC allocation path when processing a request for the next SysV IPC id. A local user can request allocation beyond the valid IPC id range to cause a denial of service.
A subsequent walk of /proc/sysvipc/shm can dereference freed memory through a stale IDR entry.
28) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45912)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4 extent status tree handling when splitting an unwritten extent during direct I/O writes. A local user can trigger extent splitting and subsequent delayed buffer writes to cause a denial of service.
The issue can leave a stale hole extent in the extent status tree, leading to errors in space accounting.
29) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45899)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the ext4 extent status tree when splitting extents. A local user can trigger a split extent failure to cause a denial of service.
30) Race condition (CVE-ID: CVE-2026-45892)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in ext4 extent status tree handling in ext4_split_extent() when processing buffered writes to the middle of an unwritten extent without dioread_nolock enabled. A local user can trigger a stale unwritten extent entry to cause a denial of service.
The issue occurs when splitting an unwritten extent in the middle and converting it to initialized after a partial zeroout operation leaves extent status information inconsistent with the on-disk extent state.
31) Out-of-bounds write (CVE-ID: CVE-2026-43206)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to an out-of-bounds write in kfd_event_page_set() when processing a user-supplied buffer size parameter. A local user can pass a small buffer to trigger an out-of-bounds kernel memory write to escalate privileges.
32) Use-after-free (CVE-ID: CVE-2026-43111)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in roccat_report_event when iterating over the device readers list during concurrent device access. A local user can trigger concurrent access to the roccat device to cause a denial of service.
The issue arises from a race condition with roccat_release() removing and freeing a reader while it is still being accessed.
33) Out-of-bounds read (CVE-ID: CVE-2026-43110)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in brcmf_fweh_handle_if_event() when handling firmware-provided IF events. A remote attacker can supply a crafted bsscfg index to cause a denial of service.
Remediation
Install update from vendor's website.