ELSA-2026-1662

Published: 02 Feb 2026
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2026-1662: kernel security update (MODERATE)

[4.18.0-553.100.1]

  • Update Oracle Linux certificates (Kevin Lyons)
  • Disable signing for aarch64 (Ilya Okomin)
  • Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
  • Update x509.genkey [Orabug: 24817676]
  • Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
  • Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]
  • Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985772]

[4.18.0-553.100.1]

  • IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (Kamal Heib) [RHEL-138396] {CVE-2024-26766}

[4.18.0-553.99.1]

  • fbdev: bitblit: bound-check glyph index in bit_putcs* (Jocelyn Falempe) [RHEL-136937] {CVE-2025-40322}
  • atm: clip: Fix infinite recursive call of clip_push(). (Guillaume Nault) [RHEL-137591] {CVE-2025-38459}
  • squashfs: fix memory leak in squashfs_fill_super (Abhi Das) [RHEL-138010] {CVE-2025-38415}
  • Squashfs: check return result of sb_min_blocksize (CKI Backport Bot) [RHEL-138010] {CVE-2025-38415}
  • usb: core: config: Prevent OOB read in SS endpoint companion parsing (CKI Backport Bot) [RHEL-137362] {CVE-2025-39760}
  • RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (CKI Backport Bot) [RHEL-137058] {CVE-2025-38024}

[4.18.0-553.98.1]

  • vfs: use READ_ONCE() to access ->i_link (Jay Shin) [RHEL-141790]
  • fold generic_readlink() into its only caller (Jay Shin) [RHEL-141790]
  • fs/proc: fix uaf in proc_readdir_de() (Pavel Reichl) [RHEL-137093] {CVE-2025-40271}
  • Backport 'create an empty changelog file when changing its name' (Alexandra Hajkova)
  • mptcp: fix race condition in mptcp_schedule_work() (Paolo Abeni) [RHEL-134443] {CVE-2025-40258}
  • mptcp: use mptcp_schedule_work instead of open-coding it (Paolo Abeni) [RHEL-134443]
  • tcp: fix a signed-integer-overflow bug in tcp_add_backlog() (Guillaume Nault) [RHEL-137976] {CVE-2022-50865}
  • tcp: minor optimization in tcp_add_backlog() (Guillaume Nault) [RHEL-137976] {CVE-2022-50865}
  • RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (Kamal Heib) [RHEL-134347] {CVE-2025-38022}

Updated packages

Oracle Linux 8

Oracle Linux aarch64

  • bpftool: 4.18.0-553.100.1.el8_10
  • kernel-cross-headers: 4.18.0-553.100.1.el8_10
  • kernel-headers: 4.18.0-553.100.1.el8_10
  • kernel-tools: 4.18.0-553.100.1.el8_10
  • kernel-tools-libs: 4.18.0-553.100.1.el8_10
  • kernel-tools-libs-devel: 4.18.0-553.100.1.el8_10
  • perf: 4.18.0-553.100.1.el8_10
  • python3-perf: 4.18.0-553.100.1.el8_10

Oracle Linux x86_64

  • bpftool: 4.18.0-553.100.1.el8_10
  • kernel: 4.18.0-553.100.1.el8_10
  • kernel-abi-stablelists: 4.18.0-553.100.1.el8_10
  • kernel-core: 4.18.0-553.100.1.el8_10
  • kernel-cross-headers: 4.18.0-553.100.1.el8_10
  • kernel-debug: 4.18.0-553.100.1.el8_10
  • kernel-debug-core: 4.18.0-553.100.1.el8_10
  • kernel-debug-devel: 4.18.0-553.100.1.el8_10
  • kernel-debug-modules: 4.18.0-553.100.1.el8_10
  • kernel-debug-modules-extra: 4.18.0-553.100.1.el8_10
  • kernel-devel: 4.18.0-553.100.1.el8_10
  • kernel-doc: 4.18.0-553.100.1.el8_10
  • kernel-headers: 4.18.0-553.100.1.el8_10
  • kernel-modules: 4.18.0-553.100.1.el8_10
  • kernel-modules-extra: 4.18.0-553.100.1.el8_10
  • kernel-tools: 4.18.0-553.100.1.el8_10
  • kernel-tools-libs: 4.18.0-553.100.1.el8_10
  • kernel-tools-libs-devel: 4.18.0-553.100.1.el8_10
  • perf: 4.18.0-553.100.1.el8_10
  • python3-perf: 4.18.0-553.100.1.el8_10

Related vulnerabilities

ubuntu
about 1 month ago

In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue since ACK packets are much smaller than the payload.

nvd
about 1 month ago

In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue since ACK packets are much smaller than the payload.

debian
about 1 month ago

In the Linux kernel, the following vulnerability has been resolved: t ...

github
about 1 month ago

In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue since ACK packets are much smaller than the payload.

CVSS3: 5.5
ubuntu
almost 2 years ago

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This results in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9...