SB2026071101 - SUSE update for the Linux Kernel



SB2026071101 - SUSE update for the Linux Kernel

Published: July 11, 2026

Security Bulletin ID SB2026071101
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 30
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 30 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-52923)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ipc_idr_alloc() in the checkpoint/restore SysV IPC allocation path when processing a request for the next SysV IPC id. A local user can request allocation beyond the valid IPC id range to cause a denial of service.

A subsequent walk of /proc/sysvipc/shm can dereference freed memory through a stale IDR entry.


2) Use-after-free (CVE-ID: CVE-2026-53359)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the KVM x86 shadow paging logic when changing a PDE mapping from outside the guest and deleting a memslot. A local user can trigger stale rmap entries and subsequent dereference of a freed sptep to cause a denial of service.

The issue occurs when a modified PDE points to a non-leaf page, causing a role mismatch between reused shadow pages for large 2MB mappings and new 4KB mappings.


3) Out-of-bounds read (CVE-ID: CVE-2026-53253)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in bnep_rx_frame() and bnep_rx_control() in the BNEP packet parser when processing short BNEP frames. A remote attacker can send a specially crafted short BNEP SDU to cause a denial of service.

The issue is triggered by malformed control packets with missing fixed fields or an empty control payload.


4) Integer overflow (CVE-ID: CVE-2026-53133)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to integer overflow in __rdma_block_iter_next() in the RDMA umem block iterator when reassembling split scatter-gather entries during IOMMU-backed mapping linearization. A local user can trigger processing of a very large mapped block to cause a denial of service.

The issue occurs for block sizes greater than or equal to 4G when a single large block is split across multiple scatter-gather entries.


5) Use-after-free (CVE-ID: CVE-2026-53072)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in hci_conn_request_evt() when handling deferred Bluetooth connection requests. A local user can trigger concurrent connection handling to cause a denial of service.

Only SCO deferred setup listen code paths are affected.


6) Race condition (CVE-ID: CVE-2026-53071)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt kernel memory.

The vulnerability exists due to a race condition in l2cap_ecred_reconf_rsp in the L2CAP subsystem when processing a crafted L2CAP ECRED reconfiguration response from a remote BLE device. A remote attacker can send a specially crafted L2CAP ECRED reconfiguration response to corrupt kernel memory.

Exploitation requires concurrent channel list iteration by another thread.


7) Improper access control (CVE-ID: CVE-2026-53053)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access of device identifier data in clone_alias() in the AMD IOMMU subsystem when processing PCI DMA aliases. A local user can trigger alias cloning for a device to cause a denial of service.

Incorrect source device identifiers can cause wrong or stale device table entries to be propagated to an alias device.


8) Improper input validation (CVE-ID: CVE-2026-53041)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ocfs2 xattr list handling logic when processing listxattr requests for inodes with both inline and block-based extended attributes. A local user can invoke listxattr on a crafted OCFS2 inode state to cause a denial of service.

The issue occurs when inline extended attribute names exactly consume the caller buffer and additional block-based extended attribute names are present.


9) Out-of-bounds write (CVE-ID: CVE-2026-53016)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in ccp_aes_complete() when processing AF_ALG rfc3686-ctr-aes-ccp requests. A local user can supply a request with an 8-byte IV to cause a denial of service.


10) Double free (CVE-ID: CVE-2026-52993)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in tipc_buf_append() when validating a reassembled skb after tipc_msg_validate() reallocates it. A local user can trigger the error-handling path with a crafted TIPC message to cause a denial of service.


11) Integer overflow (CVE-ID: CVE-2026-52972)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the af_alg control message handler when processing a crafted associated data length value for AEAD operations. A local user can send a specially crafted message to cause a denial of service.


12) Out-of-bounds write (CVE-ID: CVE-2026-52969)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in kvm_reset_dirty_gfn() and the KVM dirty ring handling logic when processing rewritten dirty ring entries from a vcpu file descriptor. A local user can modify slot and offset fields in crafted dirty ring entries to cause memory corruption.

The issue is reachable from a process holding /dev/kvm and affects the legacy MMU path with shadow paging, allocated shadow roots, or a write-tracked slot.


13) Out-of-bounds read (CVE-ID: CVE-2026-52955)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in crush_decode() when processing a CEPH_MSG_OSD_MAP message containing a crush map with mismatched bucket algorithm fields. A remote attacker can send a specially crafted CEPH_MSG_OSD_MAP message to cause a denial of service.


14) Use-after-free (CVE-ID: CVE-2026-52943)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free in pskb_carve_inside_header() and pskb_carve_inside_nonlinear() when copying skb_shared_info for MSG_ZEROCOPY skbs. A local user can trigger repeated zerocopy skb operations to escalate privileges.

The issue is caused by copying the destructor_arg pointer into a new skb_shared_info without incrementing the associated zerocopy reference count, which can prematurely free ubuf_info_msgzc while transmit skbs still hold live references.


15) Use-after-free (CVE-ID: CVE-2026-52924)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the SCTP outqueue and stream scheduler state handling when processing a stale COOKIE-ECHO condition. A remote attacker can send a stale cookie error during SCTP association handling to cause a denial of service.

The issue occurs when an association is rolled back from COOKIE_ECHOED to COOKIE_WAIT, leaving scheduler state referencing freed stream entries.


16) Out-of-bounds read (CVE-ID: CVE-2026-31771)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the Bluetooth HCI event handling logic when processing a short HCI event frame. A local attacker can send a specially crafted HCI event frame to cause a denial of service.

The issue occurs because wake reason storage is reached before per-event minimum payload length validation is enforced.


17) Race condition (CVE-ID: CVE-2026-52918)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in bt_sock_poll() and the Bluetooth accept queue when polling Bluetooth sockets. A local user can trigger concurrent socket teardown and accept queue access to cause a denial of service.

The issue occurs because the accept queue is walked without synchronization while child teardown can unlink a socket and drop its last reference.


18) Improper access control (CVE-ID: CVE-2026-52909)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to move a fallback tunnel device to another network namespace.

The vulnerability exists due to improper access control in the ip6_vti fallback tunnel device initialization when initializing the per-network-namespace fallback device. A local user can move the ip6_vti0 device to another network namespace to move a fallback tunnel device to another network namespace.

The issue affects the per-netns fallback tunnel device ip6_vti0.


19) Out-of-bounds write (CVE-ID: CVE-2026-46331)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written to cause memory corruption.

The issue can involve negative offsets such as Ethernet header edits at ingress.


20) Use-after-free (CVE-ID: CVE-2026-46330)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the SMC TCP ULP support in net/smc/af_smc.c when converting an active TCP socket into an SMC socket by modifying open-file VFS structures in place. A local user can trigger the flawed socket conversion to cause a denial of service.

The issue stems from in-place modification of struct file, dentry, and inode objects that are expected to remain immutable for an open file.


21) Improper resource shutdown or release (CVE-ID: CVE-2026-46320)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in tap_get_user_xdp() when processing XDP frames. A local user can send a crafted short frame or trigger skb allocation failure to cause a denial of service.

Each rejected frame in a batch leaks one page-frag chunk.


22) Use-after-free (CVE-ID: CVE-2026-46319)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free race condition in tcf_ct_flow_table_get() in net/sched/act_ct.c when looking up a flow table and incrementing its reference count. A local user can trigger the race during act_ct initialization to escalate privileges.

The race window is very short and occurs after the flow table object is returned from the hash table lookup but before its reference count is successfully incremented.


23) Use-after-free (CVE-ID: CVE-2026-46274)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to a use-after-free in io_wq_remove_pending() and hash_tail handling in io_uring when cancelling hashed bucket-0 work with a non-hashed predecessor in the work list. A local user can trigger cancellation and subsequent hashed work insertion to execute arbitrary code.

The dangling pointer can persist for the lifetime of the task because the io_wq is per-task and survives ring open and close operations.


24) Improper input validation (CVE-ID: CVE-2026-46266)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to alter forwarding and path MTU exception handling state.

The vulnerability exists due to improper input validation in RAW socket handling in the IPv4 and IPv6 ICMP error delivery paths when processing malicious incoming ICMP packets with an embedded packet header using protocol 255. A remote attacker can send a specially crafted ICMP packet to alter forwarding and path MTU exception handling state.

Exploitation requires the presence of a RAW socket created with IPPROTO_RAW.


25) Heap-based buffer overflow (CVE-ID: CVE-2026-46253)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow and an out-of-bounds read in persistent_ram_save_old() and ramoops_pstore_read() when processing persistent crash records after repeated calls for the same persistent_ram_zone. A local user can trigger a survivable crash sequence with a larger subsequent record to cause a denial of service.

Exploitation requires a prior crash record that did not fill the record size, pstore_update_ms to be enabled, and a non-fatal oops so the system continues running.


26) Improper Initialization (CVE-ID: CVE-2026-46229)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in the KFD VRAM allocation path when allocating VRAM buffers for compute kernels. A local user can allocate VRAM buffers and observe stale data from prior use to disclose sensitive information.

Stale page table remnants may be exposed in user buffers.


27) Out-of-bounds read (CVE-ID: CVE-2026-46197)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the SVM ioctl handler when processing a user-controlled attribute count. A local user can supply a crafted ioctl request to cause a denial of service.


28) Use-after-free (CVE-ID: CVE-2026-46173)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to use-after-free in make_task_dead()/do_task_dead() task exit handling when an already-exiting task oopses during task exit. A local user can trigger an oops in a file_operations::release handler to cause memory corruption.

This can result in two tasks running on the same stack.


29) Use-after-free (CVE-ID: CVE-2026-46090)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the ALSA aloop peer runtime handling when processing a format-change stop during concurrent stream operations. A local user can trigger concurrent playback start and capture close operations to cause a denial of service.

The issue occurs because a stale peer substream pointer may be used after the capture runtime is detached or freed.


30) Out-of-bounds read (CVE-ID: CVE-2026-43038)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.

The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.


Remediation

Install update from vendor's website.