Описание
ELSA-2026-0759: kernel security update (IMPORTANT)
[4.18.0-553.94.1]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985772]
[4.18.0-553.94.1]
- net: atlantic: fix fragment overflow handling in RX path (CKI Backport Bot) [RHEL-139482] {CVE-2025-68301}
- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131387] {CVE-2025-39933}
- smb: client: Fix use-after-free in cifs_fill_dirent (CKI Backport Bot) [RHEL-134369] {CVE-2025-38051}
[4.18.0-553.93.1]
- mm: compaction: update the COMPACT[STALL|FAIL] events properly (Lucas Oakley) [RHEL-132449]
- drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (Mika Penttila) [RHEL-125456] {CVE-2025-40096}
- drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CKI Backport Bot) [RHEL-124682] {CVE-2023-53552}
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
kernel-tools-libs-devel
4.18.0-553.94.1.el8_10
bpftool
4.18.0-553.94.1.el8_10
kernel-cross-headers
4.18.0-553.94.1.el8_10
kernel-headers
4.18.0-553.94.1.el8_10
kernel-tools
4.18.0-553.94.1.el8_10
kernel-tools-libs
4.18.0-553.94.1.el8_10
perf
4.18.0-553.94.1.el8_10
python3-perf
4.18.0-553.94.1.el8_10
Oracle Linux x86_64
kernel-tools-libs-devel
4.18.0-553.94.1.el8_10
bpftool
4.18.0-553.94.1.el8_10
kernel
4.18.0-553.94.1.el8_10
kernel-abi-stablelists
4.18.0-553.94.1.el8_10
kernel-core
4.18.0-553.94.1.el8_10
kernel-cross-headers
4.18.0-553.94.1.el8_10
kernel-debug
4.18.0-553.94.1.el8_10
kernel-debug-core
4.18.0-553.94.1.el8_10
kernel-debug-devel
4.18.0-553.94.1.el8_10
kernel-debug-modules
4.18.0-553.94.1.el8_10
kernel-debug-modules-extra
4.18.0-553.94.1.el8_10
kernel-devel
4.18.0-553.94.1.el8_10
kernel-doc
4.18.0-553.94.1.el8_10
kernel-headers
4.18.0-553.94.1.el8_10
kernel-modules
4.18.0-553.94.1.el8_10
kernel-modules-extra
4.18.0-553.94.1.el8_10
kernel-tools
4.18.0-553.94.1.el8_10
kernel-tools-libs
4.18.0-553.94.1.el8_10
perf
4.18.0-553.94.1.el8_10
python3-perf
4.18.0-553.94.1.el8_10
Ссылки на источники
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
In the Linux kernel, the following vulnerability has been resolved: d ...
In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0...