Description
ELSA-2026-25121: kernel security update (CRITICAL)
[4.18.0-553.132.1]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985772]
[4.18.0-553.132.1]
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (Guillaume Nault) [RHEL-172640] {CVE-2026-43037}
- dlm: fix buffer overflow from negative len in dlm_search_rsb_tree (Alexander Aring) [RHEL-173986] {CVE-2026-43125}
- dlm: validate length in dlm_search_rsb_tree (Alexander Aring) [RHEL-173986] {CVE-2026-43125}
[4.18.0-553.131.1]
- RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() (Kamal Heib) [RHEL-179982] {CVE-2026-46181}
- nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (Ewan D. Milne) [RHEL-178447]
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() (Guillaume Nault) [RHEL-172664] {CVE-2026-43038}
- ALSA: 6fire: Fix leftover global pointers after probe failures (Jaroslav Kysela) [RHEL-172963]
- ALSA: 6fire: Cover the whole probe and disconnect calls with register_mutex (Jaroslav Kysela) [RHEL-172963]
- ALSA: 6fire: fix use-after-free on disconnect (Jaroslav Kysela) [RHEL-172963] {CVE-2026-31581}
- ALSA: 6fire: Release resources at card release (Jaroslav Kysela) [RHEL-172963] {CVE-2024-53239}
[4.18.0-553.130.1]
- RDMA/rxe: Fix double free in rxe_srq_from_init (Kamal Heib) [RHEL-179702] {CVE-2026-45852}
- md: uninitialized start_time in md_clone_bio() causes bogus IO accounting (Nigel Croxon) [RHEL-170384]
Updated packages
Oracle Linux 8
Oracle Linux aarch64
kernel-tools-libs-devel    4.18.0-553.132.1.el8_10
bpftool                    4.18.0-553.132.1.el8_10
kernel-cross-headers       4.18.0-553.132.1.el8_10
kernel-headers             4.18.0-553.132.1.el8_10
kernel-tools               4.18.0-553.132.1.el8_10
kernel-tools-libs          4.18.0-553.132.1.el8_10
perf                       4.18.0-553.132.1.el8_10
python3-perf               4.18.0-553.132.1.el8_10
Oracle Linux x86_64
kernel-tools-libs-devel    4.18.0-553.132.1.el8_10
bpftool                    4.18.0-553.132.1.el8_10
kernel                     4.18.0-553.132.1.el8_10
kernel-abi-stablelists     4.18.0-553.132.1.el8_10
kernel-core                4.18.0-553.132.1.el8_10
kernel-cross-headers       4.18.0-553.132.1.el8_10
kernel-debug               4.18.0-553.132.1.el8_10
kernel-debug-core          4.18.0-553.132.1.el8_10
kernel-debug-devel         4.18.0-553.132.1.el8_10
kernel-debug-modules       4.18.0-553.132.1.el8_10
kernel-debug-modules-extra 4.18.0-553.132.1.el8_10
kernel-devel               4.18.0-553.132.1.el8_10
kernel-doc                 4.18.0-553.132.1.el8_10
kernel-headers             4.18.0-553.132.1.el8_10
kernel-modules             4.18.0-553.132.1.el8_10
kernel-modules-extra       4.18.0-553.132.1.el8_10
kernel-tools               4.18.0-553.132.1.el8_10
kernel-tools-libs          4.18.0-553.132.1.el8_10
perf                       4.18.0-553.132.1.el8_10
python3-perf               4.18.0-553.132.1.el8_10
Source links
Related vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0] If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket. However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers. The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket(). [0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc...
In the Linux kernel, the following vulnerability has been resolved: s ...