SB20260715109 - Red Hat Enterprise Linux 8 update for kernel
Published: July 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2025-68183)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory corruption within the ima_protect_xattr(), ima_reset_appraise_flags(), ima_inode_setxattr() and ima_inode_set_acl() functions in security/integrity/ima/ima_appraise.c. A local user can perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2026-31613)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the SMB client symlink response parser when parsing a crafted symlink error response from an untrusted server. A remote attacker can send a specially crafted SMB response to disclose sensitive information.
The exposed heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).
3) Out-of-bounds read (CVE-ID: CVE-2026-31684)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in tcf_csum_act() when processing packets with nested in-payload VLAN headers. A remote attacker can send a specially crafted packet to cause a denial of service.
4) Use-after-free (CVE-ID: CVE-2026-43027)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.
The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.
5) Use-after-free (CVE-ID: CVE-2026-43499)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in remove_waiter() when rolling back a proxy lock from futex_requeue(). A local user can trigger the affected rtmutex slowlock and proxy-lock rollback path to cause a denial of service.
The issue can leave waiter task state uncleared and operate on the wrong top priority waiter task.
6) Double free (CVE-ID: CVE-2026-46189)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in pvrdma_alloc_ucontext() error path when handling ucontext allocation failures. A local user can trigger the error path to cause a denial of service.
7) Integer overflow (CVE-ID: CVE-2026-46209)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform out-of-bounds read or write operations.
The vulnerability exists due to an integer overflow in drm_gem_fb_init_with_funcs() when initializing framebuffer plane dimensions for sub-sampled pixel formats. A local user can create a specially crafted framebuffer configuration to perform out-of-bounds read or write operations.
The issue can occur for certain pixel format and dimension combinations where plane height calculation truncates instead of rounding up, causing the GEM object size check to accept an undersized object.
8) Race condition (CVE-ID: CVE-2026-46135)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.
The issue can lead to a second kref_put() being issued on an already released queue.
9) NULL pointer dereference (CVE-ID: CVE-2026-53166)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in remove_waiter() in the futex requeue logic when handling FUTEX_CMP_REQUEUE_PI operations that requeue a non-top waiter which already owns the target PI futex. A local user can trigger a self-deadlock condition to cause a denial of service.
Remediation
Install update from vendor's website.