Description
Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP7 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2025-39998: scsi: target: target_core_configfs: Add length check to avoid buffer overflow (bsc#1252073).
- CVE-2025-68794: iomap: adjust read range correctly for non-block-aligned positions (bsc#1256647).
- CVE-2025-71268: btrfs: fix reservation leak in some error paths when inserting inline extent (bsc#1259865).
- CVE-2025-71269: btrfs: do not free data reservation in fallback from inline due to -ENOSPC (bsc#1259889).
- CVE-2026-23030: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() (bsc#1257561).
- CVE-2026-23047: libceph: make calc_target() set t->paused, not just clear it (bsc#1257682).
- CVE-2026-23103: ipvlan: Make the addrs_lock be per port (bsc#1257773).
- CVE-2026-23120: l2tp: avoid one data-race in l2tp_tunnel_del_work() (bsc#1258280).
- CVE-2026-23136: libceph: reset sparse-read state in osd_fault() (bsc#1258303).
- CVE-2026-23140: bpf, test_run: Subtract size of xdp_frame from allowed metadata size (bsc#1258305).
- CVE-2026-23187: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains (bsc#1258330).
- CVE-2026-23193: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (bsc#1258414).
- CVE-2026-23201: ceph: fix oops due to invalid pointer for kfree() in parse_longname() (bsc#1258337).
- CVE-2026-23215: x86/vmware: Fix hypercall clobbers (bsc#1258476).
- CVE-2026-23216: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() (bsc#1258447).
- CVE-2026-23231: netfilter: nf_tables: register hooks last when adding new chain/flowtable (bsc#1259188).
- CVE-2026-23242: RDMA/siw: Fix potential NULL pointer dereference in header processing (bsc#1259795).
- CVE-2026-23243: RDMA/umad: Reject negative data_len in ib_umad_write (bsc#1259797).
- CVE-2026-23255: net: add proper RCU protection to /proc/net/ptype (bsc#1259891).
- CVE-2026-23259: io_uring/rw: free potentially allocated iovec on cache put failure (bsc#1259866).
- CVE-2026-23270: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (bsc#1259886).
- CVE-2026-23272: netfilter: nf_tables: unconditionally bump set->nelems before insertion (bsc#1260009).
- CVE-2026-23274: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels (bsc#1260005).
- CVE-2026-23277: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit (bsc#1259997).
- CVE-2026-23278: netfilter: nf_tables: always walk all pending catchall elements (bsc#1259998).
- CVE-2026-23281: wifi: libertas: fix use-after-free in lbs_free_adapter() (bsc#1260464).
- CVE-2026-23292: scsi: target: Fix recursive locking in __configfs_open_file() (bsc#1260500).
- CVE-2026-23293: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled (bsc#1260486).
- CVE-2026-23317: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1260562).
- CVE-2026-23319: bpf: export bpf_link_inc_not_zero (bsc#1260735).
- CVE-2026-23361: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry (bsc#1260732).
- CVE-2026-23379: net/sched: ets: fix divide by zero in the offload path (bsc#1260481).
- CVE-2026-23381: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled (bsc#1260471).
- CVE-2026-23386: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL (bsc#1260799).
- CVE-2026-23398: icmp: fix NULL pointer dereference in icmp_tag_validation() (bsc#1260730).
- CVE-2026-23413: clsact: Fix use-after-free in init/destroy rollback asymmetry (bsc#1261498).
- CVE-2026-23414: tls: Purge async_hold in tls_decrypt_async_wait() (bsc#1261496).
- CVE-2026-31788: xen/privcmd: restrict usage in unprivileged domU (bsc#1259707).
The following non-security issues were fixed:
- accel/qaic: Handle DBC deactivation if the owner went away (git-fixes).
- ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() (git-fixes).
- ACPI: OSI: Add DMI quirk for Acer Aspire One D255 (stable-fixes).
- ACPI: PM: Save NVS memory on Lenovo G70-35 (stable-fixes).
- ACPI: processor: Fix previous acpi_processor_errata_piix4() fix (git-fixes).
- ALSA: caiaq: fix stack out-of-bounds read in init_card (git-fixes).
- ALSA: firewire-lib: fix uninitialized local variable (git-fixes).
- ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put() (git-fixes).
- ALSA: hda/conexant: Add quirk for HP ZBook Studio G4 (stable-fixes).
- ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314 (stable-fixes).
- ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390 (stable-fixes).
- ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk (stable-fixes).
- ALSA: pci: hda: use snd_kcontrol_chip() (stable-fixes).
- ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() (git-fixes).
- ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces (stable-fixes).
- ASoC: adau1372: Fix clock leak on PLL lock failure (git-fixes).
- ASoC: adau1372: Fix unchecked clk_prepare_enable() return value (git-fixes).
- ASoC: amd: acp-mach-common: Add missing error check for clock acquisition (git-fixes).
- ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition (git-fixes).
- ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table (stable-fixes).
- ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA (stable-fixes).
- ASoC: cs42l43: Report insert for exotic peripherals (stable-fixes).
- ASoC: detect empty DMI strings (git-fixes).
- ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add rollback on failure (git-fixes).
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits() (stable-fixes).
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg() (stable-fixes).
- ASoC: Intel: boards: fix unmet dependency on PINCTRL (git-fixes).
- ASoC: Intel: catpt: Fix the device initialization (git-fixes).
- ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start (git-fixes).
- ASoC: soc-core: drop delayed_work_pending() check before flush (git-fixes).
- ASoC: soc-core: flush delayed work before removing DAIs and widgets (git-fixes).
- ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload (git-fixes).
- Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock (git-fixes).
- Bluetooth: btusb: clamp SCO altsetting table indices (git-fixes).
- Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync (git-fixes).
- Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt (git-fixes).
- Bluetooth: hci_ll: Fix firmware leak on error path (git-fixes).
- Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate (git-fixes).
- Bluetooth: hci_sync: Fix hci_le_create_conn_sync (git-fixes).
- Bluetooth: hci_sync: Remove remaining dependencies of hci_request (stable-fixes).
- Bluetooth: HIDP: Fix possible UAF (git-fixes).
- Bluetooth: ISO: Fix defer tests being unstable (git-fixes).
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ (git-fixes).
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop (git-fixes).
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb (git-fixes).
- Bluetooth: L2CAP: Fix send LE flow credits in ACL link (git-fixes).
- Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req (git-fixes).
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user (git-fixes).
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access (git-fixes).
- Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() (git-fixes).
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU (git-fixes).
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU (git-fixes).
- Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete (git-fixes).
- Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers (git-fixes).
- Bluetooth: MGMT: validate LTK enc_size on load (git-fixes).
- Bluetooth: MGMT: validate mesh send advertising payload length (git-fixes).
- Bluetooth: qca: fix ROM version reading on WCN3998 chips (git-fixes).
- Bluetooth: Remove 3 repeated macro definitions (stable-fixes).
- Bluetooth: SCO: fix race conditions in sco_sock_connect() (git-fixes).
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (git-fixes).
- Bluetooth: SMP: derive legacy responder STK authentication from MITM state (git-fixes).
- Bluetooth: SMP: force responder MITM requirements before building the pairing response (git-fixes).
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy (git-fixes).
- bonding: do not set usable_slaves for broadcast mode (git-fixes).
- btrfs: fix zero size inode with non-zero size after log replay (git-fixes).
- btrfs: log new dentries when logging parent dir of a conflicting inode (git-fixes).
- btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() (bsc#1257777).
- can: gw: fix OOB heap access in cgw_csum_crc8_rel() (git-fixes).
- can: isotp: fix tx.buf use-after-free in isotp_sendmsg() (git-fixes).
- cifs: Fix locking usage for tcon fields (git-fixes).
- cifs: force interface update before a fresh session setup (git-fixes).
- cifs: make default value of retrans as zero (git-fixes).
- cifs: some missing initializations on replay (git-fixes).
- comedi: me_daq: Fix potential overrun of firmware buffer (git-fixes).
- comedi: me4000: Fix potential overrun of firmware buffer (git-fixes).
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach (git-fixes).
- comedi: Reinit dev->spinlock between attachments to low-level drivers (git-fixes).
- cpufreq/amd-pstate: Remove the redundant verify() function (bsc#1252803).
- cpufreq/amd-pstate: Set the initial min_freq to lowest_nonlinear_freq (bsc#1252803).
- crypto: af-alg - fix NULL pointer dereference in scatterwalk (git-fixes).
- crypto: caam - fix DMA corruption on long hmac keys (git-fixes).
- crypto: caam - fix overflow on long hmac keys (git-fixes).
- dmaengine: idxd: Fix freeing the allocated ida too late (git-fixes).
- dmaengine: idxd: Fix leaking event log memory (git-fixes).
- dmaengine: idxd: Fix memory leak when a wq is reset (git-fixes).
- dmaengine: idxd: Fix not releasing workqueue on .release() (git-fixes).
- dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() (git-fixes).
- dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API (stable-fixes).
- dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock (git-fixes).
- dmaengine: sh: rz-dmac: Protect the driver specific lists (git-fixes).
- dmaengine: xilinx: xdma: Fix regmap init error handling (git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix dma_device directions (git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA (git-fixes).
- dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction (git-fixes).
- Drivers: hv: fix missing kernel-doc description for 'size' in request_arr_init() (git-fixes).
- Drivers: hv: remove stale comment (git-fixes).
- Drivers: hv: vmbus: Clean up sscanf format specifier in target_cpu_store() (git-fixes).
- Drivers: hv: vmbus: Fix sysfs output format for ring buffer index (git-fixes).
- Drivers: hv: vmbus: Fix typos in vmbus_drv.c (git-fixes).
- drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug (git-fixes).
- drm/amd: fix dcn 2.01 check (git-fixes).
- drm/amd: Set num IP blocks to 0 if discovery fails (stable-fixes).
- drm/amd/display: Add pixel_clock to amd_pp_display_configuration (stable-fixes).
- drm/amd/display: Do not skip unrelated mode changes in DSC validation (git-fixes).
- drm/amd/display: Fallback to boot snapshot for dispclk (stable-fixes).
- drm/amd/display: Fix DisplayID not-found handling in parse_edid_displayid_vrr() (git-fixes).
- drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END} (git-fixes).
- drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14 (git-fixes).
- drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x (stable-fixes).
- drm/amdgpu: apply state adjust rules to some additional HAINAN vairants (stable-fixes).
- drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB (git-fixes).
- drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib (git-fixes).
- drm/amdgpu: fix gpu idle power consumption issue for gfx v12 (stable-fixes).
- drm/amdgpu: Fix kernel-doc comments for some LUT properties (git-fixes).
- drm/amdgpu: Fix use-after-free race in VM acquire (stable-fixes).
- drm/amdgpu: keep vga memory on MacBooks with switchable graphics (stable-fixes).
- drm/amdgpu: prevent immediate PASID reuse case (stable-fixes).
- drm/amdgpu/gmc9.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub2.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub2.3: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub3.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub3.0.1: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub3.0.2: add bounds checking for cid (stable-fixes).
- drm/amdgpu/mmhub4.1.0: add bounds checking for cid (stable-fixes).
- drm/amdgpu/vcn5: Add SMU dpm interface type (stable-fixes).
- drm/amdkfd: Unreserve bo if queue update failed (git-fixes).
- drm/ast: dp501: Fix initialization of SCU2C (git-fixes).
- drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding (git-fixes).
- drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD (stable-fixes).
- drm/exynos: vidi: fix to avoid directly dereferencing user pointer (stable-fixes).
- drm/exynos/vidi: Remove redundant error handling in vidi_get_modes() (stable-fixes).
- drm/i915/display: Add module param to skip retraining of dp link (bsc#1253129).
- drm/i915/dp_tunnel: Fix error handling when clearing stream BW in atomic state (git-fixes).
- drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU eDP (git-fixes).
- drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters (stable-fixes).
- drm/i915/dsc: Add Selective Update register definitions (stable-fixes).
- drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode (git-fixes).
- drm/i915/gmbus: fix spurious timeout on 512-byte burst reads (git-fixes).
- drm/i915/gt: Check set_default_submission() before deferencing (git-fixes).
- drm/imagination: Fix deadlock in soft reset sequence (git-fixes).
- drm/ioc32: stop speculation on the drm_compat_ioctl path (git-fixes).
- drm/msm: Fix dma_free_attrs() buffer size (git-fixes).
- drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations (stable-fixes).
- drm/msm/dsi: fix hdisplay calculation when programming dsi registers (git-fixes).
- drm/msm/dsi: fix pclk rate calculation for bonded dsi (git-fixes).
- drm/radeon: apply state adjust rules to some additional HAINAN vairants (stable-fixes).
- drm/ttm/tests: Fix build failure on PREEMPT_RT (stable-fixes).
- drm/xe: Do not preempt fence signaling CS instructions (git-fixes).
- drm/xe: Open-code GGTT MMIO access protection (git-fixes).
- drm/xe/oa: Allow reading after disabling OA stream (git-fixes).
- drm/xe/reg_sr: Fix leak on xa_store failure (git-fixes).
- firmware: arm_scpi: Fix device_node reference leak in probe path (git-fixes).
- gpio: mxc: map Both Edge pad wakeup to Rising Edge (git-fixes).
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them (stable-fixes).
- HID: apple: avoid memory leak in apple_report_fixup() (stable-fixes).
- HID: asus: avoid memory leak in asus_report_fixup() (stable-fixes).
- HID: magicmouse: avoid memory leak in magicmouse_report_fixup() (stable-fixes).
- HID: mcp2221: cancel last I2C command on read error (stable-fixes).
- hv/hv_kvp_daemon: Handle IPv4 and Ipv6 combination for keyfile format (git-fixes).
- hv/hv_kvp_daemon: Pass NIC name to hv_get_dns_info as well (git-fixes).
- hwmon: (adm1177) fix sysfs ABI violation and current unit conversion (git-fixes).
- hwmon: (axi-fan-control) Make use of dev_err_probe() (stable-fixes).
- hwmon: (axi-fan-control) Use device firmware agnostic API (stable-fixes).
- hwmon: (occ) Fix division by zero in occ_show_power_1() (git-fixes).
- hwmon: (occ) Fix missing newline in occ_show_extended() (git-fixes).
- hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature (git-fixes).
- hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() (git-fixes).
- hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes (git-fixes).
- hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit() (git-fixes).
- hwmon: (pxe1610) Check return value of page-select write in probe (git-fixes).
- hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify() (git-fixes).
- hwmon: axi-fan: don't use driver_override as IRQ name (git-fixes).
- i2c: cp2615: fix serial string NULL-deref at probe (git-fixes).
- i2c: cp2615: replace deprecated strncpy with strscpy (stable-fixes).
- i2c: fsi: Fix a potential leak in fsi_i2c_probe() (git-fixes).
- i2c: pxa: defer reset on Armada 3700 when recovery is used (git-fixes).
- idpf: nullify pointers after they are freed (git-fixes).
- iio: accel: fix ADXL355 temperature signature value (git-fixes).
- iio: adc: ti-adc161s626: fix buffer read on big-endian (git-fixes).
- iio: chemical: bme680: Fix measurement wait duration calculation (git-fixes).
- iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() (git-fixes).
- iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() (git-fixes).
- iio: dac: ad5770r: fix error return in ad5770r_read_raw() (git-fixes).
- iio: dac: ds4424: reject -128 RAW value (git-fixes).
- iio: frequency: adf4377: Fix duplicated soft reset mask (git-fixes).
- iio: gyro: mpu3050-core: fix pm_runtime error handling (git-fixes).
- iio: gyro: mpu3050-i2c: fix pm_runtime error handling (git-fixes).
- iio: gyro: mpu3050: Fix incorrect free_irq() variable (git-fixes).
- iio: gyro: mpu3050: Fix irq resource leak (git-fixes).
- iio: gyro: mpu3050: Fix out-of-sequence free_irq() (git-fixes).
- iio: gyro: mpu3050: Move iio_device_register() to correct location (git-fixes).
- iio: imu: bmi160: Remove potential undefined behavior in bmi160_config_pin() (git-fixes).
- iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one (git-fixes).
- iio: imu: inv_icm42600: fix odr switch to the same value (git-fixes).
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only (git-fixes).
- iio: light: vcnl4035: fix scan buffer on big-endian (git-fixes).
- iio: potentiometer: mcp4131: fix double application of wiper shift (git-fixes).
- Input: synaptics-rmi4 - fix a locking bug in an error path (git-fixes).
- irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment (git-fixes).
- mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations (stable-fixes).
- media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex (git-fixes).
- media: tegra-video: Use accessors for pad config 'try_*' fields (stable-fixes).
- mfd: omap-usb-host: Convert to platform remove callback returning void (stable-fixes).
- mfd: omap-usb-host: Fix OF populate on driver rebind (git-fixes).
- mfd: qcom-pm8xxx: Convert to platform remove callback returning void (stable-fixes).
- mfd: qcom-pm8xxx: Fix OF populate on driver rebind (git-fixes).
- misc: fastrpc: possible double-free of cctx->remote_heap (git-fixes).
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption (git-fixes).
- mmc: sdhci: fix timing selection for 1-bit bus width (git-fixes).
- mtd: Avoid boot crash in RedBoot partition table parser (git-fixes).
- mtd: rawnand: brcmnand: skip DMA during panic write (git-fixes).
- mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() (git-fixes).
- mtd: rawnand: pl353: make sure optimal timings are applied (git-fixes).
- mtd: rawnand: serialize lock/unlock against other NAND operations (git-fixes).
- mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode (stable-fixes).
- mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode (stable-fixes).
- net: mana: Add metadata support for xdp mode (git-fixes).
- net: mana: Add standard counter rx_missed_errors (git-fixes).
- net: mana: Add support for auxiliary device servicing events (bsc#1251971).
- net: mana: Change the function signature of mana_get_primary_netdev_rcu (bsc#1256690).
- net: mana: Drop TX skb on post_work_request failure and unmap resources (git-fixes).
- net: mana: Fix double destroy_workqueue on service rescan PCI path (git-fixes).
- net: mana: fix spelling for mana_gd_deregiser_irq() (git-fixes).
- net: mana: fix use-after-free in add_adev() error path (git-fixes).
- net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown (git-fixes).
- net: mana: Fix use-after-free in reset service rescan path (git-fixes).
- net: mana: Fix warnings for missing export.h header inclusion (git-fixes).
- net: mana: Handle hardware recovery events when probing the device (bsc#1257466).
- net: mana: Handle Reset Request from MANA NIC (bsc#1245728 bsc#1251971).
- net: mana: Handle SKB if TX SGEs exceed hardware limit (git-fixes).
- net: mana: Handle unsupported HWC commands (git-fixes).
- net: mana: Implement ndo_tx_timeout and serialize queue resets per port (bsc#1257472).
- net: mana: Move hardware counter stats from per-port to per-VF context (git-fixes).
- net: mana: Probe rdma device in mana driver (git-fixes).
- net: mana: Reduce waiting time if HWC not responding (bsc#1252266).
- net: mana: Ring doorbell at 4 CQ wraparounds (git-fixes).
- net: mana: Support HW link state events (bsc#1253049).
- net: mana: Trigger VF reset/recovery on health check failure due to HWC timeout (bsc#1259580).
- net: mana: use ethtool string helpers (git-fixes).
- net: mana: Use mana_cleanup_port_context() for rxq cleanup (git-fixes).
- net: usb: aqc111: Do not perform PM inside suspend callback (git-fixes).
- net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check (git-fixes).
- net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check (git-fixes).
- net: usb: pegasus: validate USB endpoints (stable-fixes).
- net/mana: Null service_wq on setup error to prevent double destroy (git-fix).
- net/mana: Null service_wq on setup error to prevent double destroy (git-fixes).
- net/mlx5: Fix crash when moving to switchdev mode (git-fixes).
- net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect (git-fixes).
- net/x25: Fix overflow when accumulating packets (git-fixes).
- net/x25: Fix potential double free of skb (git-fixes).
- nfc: nci: fix circular locking dependency in nci_close_device (git-fixes).
- NFC: nxp-nci: allow GPIOs to sleep (git-fixes).
- NFC: pn533: bound the UART receive buffer (git-fixes).
- nvme: add support for dynamic quirk configuration via module parameter (bsc#1243208).
- nvme: expose active quirks in sysfs (bsc#1243208).
- nvme: fix memory leak in quirks_param_set() (bsc#1243208).
- PCI: hv: Correct a comment (git-fixes).
- PCI: hv: Remove unnecessary flex array in struct pci_packet (git-fixes).
- PCI: hv: remove unnecessary module_init/exit functions (git-fixes).
- PCI: hv: Remove unused field pci_bus in struct hv_pcibus_device (git-fixes).
- PCI: Update BAR # and window messages (stable-fixes).
- phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types() (git-fixes).
- pinctrl: equilibrium: fix warning trace on load (git-fixes).
- pinctrl: equilibrium: rename irq_chip function callbacks (stable-fixes).
- pinctrl: mediatek: common: Fix probe failure for devices without EINT (git-fixes).
- pinctrl: qcom: spmi-gpio: implement .get_direction() (git-fixes).
- platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen (git-fixes).
- platform/x86: dell-wmi: Add audio/mic mute key codes (stable-fixes).
- platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list (stable-fixes).
- platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1 (stable-fixes).
- platform/x86: ISST: Correct locked bit width (git-fixes).
- platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10 (stable-fixes).
- PM: runtime: Fix a race condition related to device removal (git-fixes).
- RDMA/mana_ib: Access remote atomic for MRs (bsc#1251135).
- RDMA/mana_ib: add additional port counters (bsc#1251135).
- RDMA/mana_ib: Add device statistics support (git-fixes).
- RDMA/mana_ib: Add device-memory support (git-fixes).
- RDMA/mana_ib: Add EQ creation for rnic adapter (git-fixes).
- RDMA/mana_ib: Add port statistics support (git-fixes).
- RDMA/mana_ib: Add support of 4M, 1G, and 2G pages (git-fixes).
- RDMA/mana_ib: Add support of mana_ib for RNIC and ETH nic (git-fixes).
- RDMA/mana_ib: add support of multiple ports (bsc#1251135).
- RDMA/mana_ib: Adding and deleting GIDs (git-fixes).
- RDMA/mana_ib: Allow registration of DMA-mapped memory in PDs (git-fixes).
- RDMA/mana_ib: check cqe length for kernel CQs (git-fixes).
- RDMA/mana_ib: Configure mac address in RNIC (git-fixes).
- RDMA/mana_ib: Create and destroy RC QP (git-fixes).
- RDMA/mana_ib: Create and destroy rnic adapter (git-fixes).
- RDMA/mana_ib: create and destroy RNIC cqs (git-fixes).
- RDMA/mana_ib: Create and destroy UD/GSI QP (git-fixes).
- RDMA/mana_ib: create EQs for RNIC CQs (git-fixes).
- RDMA/mana_ib: create kernel-level CQs (git-fixes).
- RDMA/mana_ib: create/destroy AH (git-fixes).
- RDMA/mana_ib: Drain send wrs of GSI QP (git-fixes).
- RDMA/mana_ib: Enable RoCE on port 1 (git-fixes).
- RDMA/mana_ib: extend mana QP table (git-fixes).
- RDMA/mana_ib: Extend modify QP (git-fixes).
- RDMA/mana_ib: extend query device (git-fixes).
- RDMA/mana_ib: Fix DSCP value in modify QP (git-fixes).
- RDMA/mana_ib: Fix error code in probe() (git-fixes).
- RDMA/mana_ib: Fix integer overflow during queue creation (bsc#1251135).
- RDMA/mana_ib: Fix missing ret value (git-fixes).
- RDMA/mana_ib: Handle net event for pointing to the current netdev (bsc#1256690).
- RDMA/mana_ib: helpers to allocate kernel queues (git-fixes).
- RDMA/mana_ib: Implement DMABUF MR support (git-fixes).
- RDMA/mana_ib: implement get_dma_mr (git-fixes).
- RDMA/mana_ib: Implement port parameters (git-fixes).
- RDMA/mana_ib: implement req_notify_cq (git-fixes).
- RDMA/mana_ib: implement uapi for creation of rnic cq (git-fixes).
- RDMA/mana_ib: Implement uapi to create and destroy RC QP (git-fixes).
- RDMA/mana_ib: indicate CM support (git-fixes).
- RDMA/mana_ib: introduce a helper to remove cq callbacks (git-fixes).
- RDMA/mana_ib: Introduce helpers to create and destroy mana queues (git-fixes).
- RDMA/mana_ib: Introduce mana_ib_get_netdev helper function (git-fixes).
- RDMA/mana_ib: Introduce mana_ib_install_cq_cb helper function (git-fixes).
- RDMA/mana_ib: Introduce mdev_to_gc helper function (git-fixes).
- RDMA/mana_ib: Modify QP state (git-fixes).
- RDMA/mana_ib: polling of CQs for GSI/UD (git-fixes).
- RDMA/mana_ib: Process QP error events in mana_ib (git-fixes).
- RDMA/mana_ib: Query feature_flags bitmask from FW (git-fixes).
- RDMA/mana_ib: remove useless return values from dbg prints (git-fixes).
- RDMA/mana_ib: request error CQEs when supported (git-fixes).
- RDMA/mana_ib: Set correct device into ib (git-fixes).
- RDMA/mana_ib: set node_guid (git-fixes).
- RDMA/mana_ib: support of the zero based MRs (bsc#1251135).
- RDMA/mana_ib: Take CQ type from the device type (git-fixes).
- RDMA/mana_ib: UD/GSI QP creation for kernel (git-fixes).
- RDMA/mana_ib: UD/GSI work requests (git-fixes).
- RDMA/mana_ib: unify mana_ib functions to support any gdma device (git-fixes).
- RDMA/mana_ib: Use num_comp_vectors of ib_device (git-fixes).
- RDMA/mana_ib: Use safer allocation function() (bsc#1251135).
- RDMA/mana_ib: Use struct mana_ib_queue for CQs (git-fixes).
- RDMA/mana_ib: Use struct mana_ib_queue for RAW QPs (git-fixes).
- RDMA/mana_ib: Use struct mana_ib_queue for WQs (git-fixes).
- regmap: Synchronize cache for the page selector (git-fixes).
- regulator: pca9450: Correct interrupt type (git-fixes).
- regulator: pca9450: Make IRQ optional (stable-fixes).
- s390/debug: Pass in and enforce output buffer size for format handlers (jsc#PED-15582).
- scsi: hisi_sas: Fix NULL pointer exception during user_scan() (bsc#1255687).
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue (bsc#1255687, git-fixes).
- scsi: storvsc: Remove redundant ternary operators (git-fixes).
- serial: 8250_pci: add support for the AX99100 (stable-fixes).
- serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY (git-fixes).
- serial: 8250: Fix TX deadlock when using DMA (git-fixes).
- serial: uartlite: fix PM runtime usage count underflow on probe (git-fixes).
- smb: client: add proper locking around ses->iface_last_update (git-fixes).
- smb: client: fix broken multichannel with krb5+signing (git-fixes).
- smb: client: fix cifs_pick_channel when channels are equally loaded (git-fixes).
- smb: client: fix in-place encryption corruption in SMB2_write() (git-fixes).
- smb: client: fix krb5 mount with username option (git-fixes).
- smb: client: prevent races in ->query_interfaces() (git-fixes).
- soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching (git-fixes).
- soc: fsl: qbman: fix race condition in qman_destroy_fq (git-fixes).
- spi: fix statistics allocation (git-fixes).
- spi: fix use-after-free on controller registration failure (git-fixes).
- spi: spi-fsl-lpspi: fix teardown order issue (UAF) (git-fixes).
- staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() (stable-fixes).
- thunderbolt: Fix property read in nhi_wake_supported() (git-fixes).
- tools: hv: Enable debug logs for hv_kvp_daemon (git-fixes).
- tools: hv: lsvmbus: change shebang to use python3 (git-fixes).
- tools/hv: add a .gitignore file (git-fixes).
- tools/hv: reduce resouce usage in hv_get_dns_info helper (git-fixes).
- tools/hv: reduce resource usage in hv_kvp_daemon (git-fixes).
- USB: add QUIRK_NO_BOS for video capture several devices (stable-fixes).
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343 (git-fixes).
- usb: cdns3: call cdns_power_is_lost() only once in cdns_resume() (stable-fixes).
- usb: cdns3: fix role switching during resume (git-fixes).
- usb: cdns3: gadget: fix NULL pointer dereference in ep_queue (git-fixes).
- usb: cdns3: gadget: fix state inconsistency on gadget init failure (git-fixes).
- usb: cdns3: remove redundant if branch (stable-fixes).
- usb: class: cdc-wdm: fix reordering issue in read code path (git-fixes).
- usb: core: don't power off roothub PHYs if phy_set_mode() fails (git-fixes).
- USB: core: Limit the length of unkillable synchronous timeouts (git-fixes).
- usb: core: new quirk to handle devices with zero configurations (stable-fixes).
- usb: core: phy: avoid double use of 'usb3-phy' (git-fixes).
- USB: dummy-hcd: Fix interrupt synchronization error (git-fixes).
- USB: dummy-hcd: Fix locking/synchronization error (git-fixes).
- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() (git-fixes).
- usb: dwc3: pci: add support for the Intel Nova Lake -H (stable-fixes).
- usb: ehci-brcm: fix sleep during atomic (git-fixes).
- USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed (stable-fixes).
- usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() (git-fixes).
- usb: gadget: f_rndis: Protect RNDIS options with mutex (git-fixes).
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free (git-fixes).
- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop (git-fixes).
- usb: gadget: uvc: fix NULL pointer dereference during unbind race (git-fixes).
- usb: image: mdc800: kill download URB on timeout (stable-fixes).
- usb: mdc800: handle signal and read racing (stable-fixes).
- usb: misc: uss720: properly clean up reference in uss720_probe() (stable-fixes).
- usb: renesas_usbhs: fix use-after-free in ISR during device removal (git-fixes).
- usb: roles: get usb role switch from parent only for usb-b-connector (git-fixes).
- USB: serial: f81232: fix incomplete serial port generation (stable-fixes).
- usb: ulpi: fix double free in ulpi_register_interface() error path (git-fixes).
- USB: usbcore: Introduce usb_bulk_msg_killable() (git-fixes).
- usb: usbtmc: Flush anchored URBs in usbtmc_release (git-fixes).
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts (git-fixes).
- usb: xhci: Fix memory leak in xhci_disable_slot() (git-fixes).
- usb: xhci: Prevent interrupt storm on host controller error (HCE) (stable-fixes).
- usb: yurex: fix race in probe (stable-fixes).
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk (stable-fixes).
- vhost: fix caching attributes of MMIO regions by setting them explicitly (git-fixes).
- vmw_vsock: bypass false-positive Wnonnull warning with gcc-16 (git-fixes).
- watchdog/perf: properly initialize the turbo mode timestamp and rearm counter (bsc#1256504).
- wifi: ath11k: Pass the correct value of each TID during a stop AMPDU session (git-fixes).
- wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down (git-fixes).
- wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() (git-fixes).
- wifi: mac80211: fix NULL deref in mesh_matches_local() (git-fixes).
- wifi: mac80211: Fix static_branch_dec() underflow for aql_disable (git-fixes).
- wifi: mac80211: set default WMM parameters on all links (stable-fixes).
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation (git-fixes).
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom (git-fixes).
- x86/platform/uv: Handle deconfigured sockets (bsc#1260347).
- xen/privcmd: unregister xenstore notifier on module exit (git-fixes).
- xenbus: Use .freeze/.thaw to handle xenbus devices (git-fixes).
Package list
SUSE Linux Enterprise High Availability Extension 15 SP7
SUSE Linux Enterprise Live Patching 15 SP7
SUSE Linux Enterprise Module for Basesystem 15 SP7
SUSE Linux Enterprise Module for Development Tools 15 SP7
SUSE Linux Enterprise Module for Legacy 15 SP7
SUSE Linux Enterprise Module for Public Cloud 15 SP7
SUSE Linux Enterprise Workstation Extension 15 SP7
References
- Link for SUSE-SU-2026:1661-1
- E-Mail link for SUSE-SU-2026:1661-1
- SUSE Security Ratings
- SUSE Bug 1243208
- SUSE Bug 1245728
- SUSE Bug 1251135
- SUSE Bug 1251971
- SUSE Bug 1252073
- SUSE Bug 1252266
- SUSE Bug 1252803
- SUSE Bug 1253049
- SUSE Bug 1253129
- SUSE Bug 1255687
- SUSE Bug 1256504
- SUSE Bug 1256647
- SUSE Bug 1256690
- SUSE Bug 1257466
- SUSE Bug 1257472
- SUSE Bug 1257506
- SUSE Bug 1257561
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev->dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%s\n), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow.
Affected products
References
- CVE-2025-39998
- SUSE Bug 1252073
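The snprintf() return-value pitfall described for CVE-2025-39998, as an added user-space example (not the kernel's code or its patch). The function names, the error codes, the 4096-byte output page and the sample names are assumptions of this example; only the 256-byte LU_GROUP_NAME_BUF size and the "%s/%s\n" format come from the description.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LU_GROUP_NAME_BUF 256 /* scratch-buffer size named in the description */

/* Length the unchecked pattern would hand to memcpy(): snprintf() reports the
 * length the full string would have had, not what fit in buf. The copy itself
 * is intentionally not performed here. */
size_t unchecked_copy_len(const char *hba, const char *dev)
{
    char buf[LU_GROUP_NAME_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);

    return cur_len < 0 ? 0 : (size_t)cur_len;
}

/* Checked pattern (hypothetical helper): append "hba/dev\n" to page only if
 * it was formatted without truncation and still fits in the page.
 * Returns the number of bytes appended or a negative errno value. */
int append_member(char *page, size_t page_size, size_t *len,
                  const char *hba, const char *dev)
{
    char buf[LU_GROUP_NAME_BUF];
    int cur_len = snprintf(buf, sizeof(buf), "%s/%s\n", hba, dev);

    if (cur_len < 0 || (size_t)cur_len >= sizeof(buf))
        return -ENAMETOOLONG;   /* truncated: cur_len is not a valid copy size */
    if (*len + (size_t)cur_len > page_size)
        return -ENOSPC;         /* output page is full */

    memcpy(page + *len, buf, (size_t)cur_len);
    *len += (size_t)cur_len;
    return cur_len;
}

/* Constructed sample input: two 200-character names, so the formatted line
 * needs 200 + 1 + 200 + 1 = 402 bytes. */
static void make_long_names(char hba[201], char dev[201])
{
    memset(hba, 'h', 200);
    hba[200] = '\0';
    memset(dev, 'd', 200);
    dev[200] = '\0';
}

/* Copy length the unchecked pattern would use for the over-long names. */
size_t demo_unchecked_len(void)
{
    char hba[201], dev[201];

    make_long_names(hba, dev);
    return unchecked_copy_len(hba, dev);
}

/* Result of the checked pattern for the same over-long names. */
int demo_checked_long(void)
{
    char page[4096], hba[201], dev[201];
    size_t len = 0;

    make_long_names(hba, dev);
    return append_member(page, sizeof(page), &len, hba, dev);
}

/* Two short constructed entries are accepted; returns the bytes written. */
size_t demo_checked_short(void)
{
    char page[4096];
    size_t len = 0;

    append_member(page, sizeof(page), &len, "iblock_0", "disk0");
    append_member(page, sizeof(page), &len, "fileio_1", "lun1");
    return len;
}

int main(void)
{
    printf("unchecked copy length: %zu (buffer is %d bytes)\n",
           demo_unchecked_len(), LU_GROUP_NAME_BUF);
    printf("checked, over-long names: %d\n", demo_checked_long());
    printf("checked, short names: %zu bytes appended\n", demo_checked_short());
    return 0;
}
```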
Description
In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks.
Affected products
References
- CVE-2025-68794
- SUSE Bug 1256647
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix reservation leak in some error paths when inserting inline extent If we fail to allocate a path or join a transaction, we return from __cow_file_range_inline() without freeing the reserved qgroup data, resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() in such cases.
Affected products
References
- CVE-2025-71268
- SUSE Bug 1259865
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC If we fail to create an inline extent due to -ENOSPC, we will attempt to go through the normal COW path, reserve an extent, create an ordered extent, etc. However we were always freeing the reserved qgroup data, which is wrong since we will use data. Fix this by freeing the reserved qgroup data in __cow_file_range_inline() only if we are not doing the fallback (ret is <= 0).
Affected products
References
- CVE-2025-71269
- SUSE Bug 1259889
Description
In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate of_node_put().
Affected products
References
- CVE-2026-23030
- SUSE Bug 1257561
Description
In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held:

    rbd_register_watch
    __rbd_register_watch
    ceph_osdc_watch
    linger_reg_commit_wait

It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
Affected products
References
- CVE-2026-23047
- SUSE Bug 1257682
Description
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.
Affected products
References
- CVE-2026-23103
- SUSE Bug 1257773
Description
In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race:

    BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release

    write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
    sk_set_socket include/net/sock.h:2092 [inline]
    sock_orphan include/net/sock.h:2118 [inline]
    sk_common_release+0xae/0x230 net/core/sock.c:4003
    udp_lib_close+0x15/0x20 include/net/udp.h:325
    inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
    __sock_release net/socket.c:662 [inline]
    sock_close+0x6b/0x150 net/socket.c:1455
    __fput+0x29b/0x650 fs/file_table.c:468
    ____fput+0x1c/0x30 fs/file_table.c:496
    task_work_run+0x131/0x1a0 kernel/task_work.c:233
    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
    __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
    exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
    __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
    syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
    syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
    syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
    do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

    read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
    l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
    process_one_work kernel/workqueue.c:3257 [inline]
    process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
    worker_thread+0x582/0x770 kernel/workqueue.c:3421
    kthread+0x489/0x510 kernel/kthread.c:463
    ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

    value changed: 0xffff88811b818000 -> 0x0000000000000000

Affected products
References
- CVE-2026-23120
- SUSE Bug 1258280
Description
In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read state in osd_fault() When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state. If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like:

    libceph: [0] got 0 extents
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read

Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.
Affected products
References
- CVE-2026-23136
- SUSE Bug 1258303
Description
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of xdp_frame from allowed metadata size The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata size that is too large (taking up the entire headroom). If userspace supplies such a large metadata size in live packet mode, the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call will fail, after which packet transmission proceeds with an uninitialised frame structure, leading to the usual Bad Stuff. The commit in the Fixes tag fixed a related bug where the second check in xdp_update_frame_from_buff() could fail, but did not add any additional constraints on the metadata size. Complete the fix by adding an additional check on the metadata size. Reorder the checks slightly to make the logic clearer and add a comment.
Affected products
References
- CVE-2026-23140
- SUSE Bug 1258305
Description
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
Affected products
References
- CVE-2026-23187
- SUSE Bug 1258330
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation.
Affected products
References
- CVE-2026-23193
- SUSE Bug 1258414
Description
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snapshot names. Thus, kfree() is called with an invalid pointer. This patch removes the need for advancing the pointer so kfree() is called with correct memory pointer.

Steps to reproduce:

1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)

2. Add cephfs mount to fstab

    $ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab

3. Reboot the system

    $ systemctl reboot

4. Check if it's really mounted

    $ mount | grep stuff

5. List snapshots (expected 63 snapshots on my system)

    $ ls /mnt/test/stuff/.snap

Now ls hangs forever and the kernel log shows the oops.
Affected products
References
- CVE-2026-23201
- SUSE Bug 1258337
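The scope-exit pitfall described for CVE-2026-23201, as an added user-space example (not the ceph code or its patch). It uses the compiler's cleanup attribute as a stand-in for __free(kfree); the helper names, the separate-cursor variant and the sample name are assumptions of this example, and the handler records the pointer it receives instead of freeing it, so the program is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *alloc_base;     /* pointer the allocator returned */
static long release_offset;  /* (pointer seen by the cleanup handler) - alloc_base */

/* Stand-in for __free(kfree): runs at scope exit and receives the guarded
 * variable's CURRENT value. It records how far that value is from the real
 * allocation, then frees the real base so the demo neither leaks nor crashes;
 * kfree() would have been handed *p itself. */
static void release_str(char **p)
{
    release_offset = (long)((intptr_t)*p - (intptr_t)alloc_base);
    free(alloc_base);
    alloc_base = NULL;
}

#define AUTO_FREE __attribute__((cleanup(release_str)))

/* Duplicate name and remember the allocation's base address. */
static char *dup_name(const char *name)
{
    size_t n = strlen(name) + 1;

    alloc_base = malloc(n);
    if (alloc_base)
        memcpy(alloc_base, name, n);
    return alloc_base;
}

/* Pattern from the description: the guarded variable itself is advanced past
 * the leading '_'. Returns the offset the cleanup handler saw. */
long skip_by_advancing(const char *name, char *out, size_t out_size)
{
    out[0] = '\0';
    {
        char *str AUTO_FREE = dup_name(name);

        if (str) {
            if (str[0] == '_')
                str++;  /* guarded pointer no longer equals the allocation */
            snprintf(out, out_size, "%s", str);
        }
    }   /* cleanup runs here with the advanced pointer */
    return release_offset;
}

/* One way to avoid advancing the guarded variable: walk a separate cursor. */
long skip_with_cursor(const char *name, char *out, size_t out_size)
{
    out[0] = '\0';
    {
        char *str AUTO_FREE = dup_name(name);

        if (str) {
            const char *cur = str;

            if (cur[0] == '_')
                cur++;  /* str still points at the start of the allocation */
            snprintf(out, out_size, "%s", cur);
        }
    }   /* cleanup runs here with the original pointer */
    return release_offset;
}

#define SAMPLE_NAME "_snap1_example"  /* constructed sample name */

long demo_offset_advancing(void)
{
    char out[64];

    return skip_by_advancing(SAMPLE_NAME, out, sizeof(out));
}

long demo_offset_cursor(void)
{
    char out[64];

    return skip_with_cursor(SAMPLE_NAME, out, sizeof(out));
}

/* Both variants produce the same parsed text; only the freed pointer differs. */
int demo_same_output(void)
{
    char a[64], b[64];

    skip_by_advancing(SAMPLE_NAME, a, sizeof(a));
    skip_with_cursor(SAMPLE_NAME, b, sizeof(b));
    return strcmp(a, b) == 0 && strcmp(a, "snap1_example") == 0;
}

int main(void)
{
    printf("advancing the guarded pointer: handler saw base+%ld\n",
           demo_offset_advancing());
    printf("separate cursor:               handler saw base+%ld\n",
           demo_offset_cursor());
    return 0;
}
```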
Description
In the Linux kernel, the following vulnerability has been resolved: x86/vmware: Fix hypercall clobbers Fedora QA reported the following panic:

    BUG: unable to handle page fault for address: 0000000040003e54
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
    RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90
    ..
    Call Trace:
    vmmouse_report_events+0x13e/0x1b0
    psmouse_handle_byte+0x15/0x60
    ps2_interrupt+0x8a/0xd0
    ...

because the QEMU VMware mouse emulation is buggy, and clears the top 32 bits of %rdi that the kernel kept a pointer in. The QEMU vmmouse driver saves and restores the register state in a "uint32_t data[6];" and as a result restores the state with the high bits all cleared. RDI originally contained the value of a valid kernel stack address (0xff5eeb3240003e54). After the vmware hypercall it now contains 0x40003e54, and we get a page fault as a result when it is dereferenced. The proper fix would be in QEMU, but this works around the issue in the kernel to keep old setups working, when old kernels had not happened to keep any state in %rdi over the hypercall. In theory this same issue exists for all the hypercalls in the vmmouse driver; in practice it has only been seen with vmware_hypercall3() and vmware_hypercall4(). For now, just mark RDI/RSI as clobbered for those two calls. This should have a minimal effect on code generation overall as it should be rare for the compiler to want to make RDI/RSI live across hypercalls.
Affected products
References
- CVE-2026-23215
- SUSE Bug 1258476
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function attempts to release a lock within the already-freed connection structure. Fix this by releasing the spinlock before calling complete().
Affected products
References
- CVE-2026-23216
- SUSE Bug 1258447
- SUSE Bug 1258448
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.
Affected products
References
- CVE-2026-23231
- SUSE Bug 1259188
- SUSE Bug 1259189
Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat:

    [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
    [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50

Affected products
References
- CVE-2026-23242
- SUSE Bug 1259795
Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat:

    [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
    [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
    [ 211.365867] ib_create_send_mad+0xa01/0x11b0
    [ 211.365887] ib_umad_write+0x853/0x1c80

Affected products
References
- CVE-2026-23243
- SUSE Bug 1259797
- SUSE Bug 1259798
Description
In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private:

    struct ptype_iter_state {
        struct seq_net_private p;
        struct net_device *dev; // added in this patch
    };

We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.
Affected products
References
- CVE-2026-23255
- SUSE Bug 1259891
Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: free potentially allocated iovec on cache put failure If a read/write request goes through io_req_rw_cleanup() and has an allocated iovec attached and fails to put to the rw_cache, then it may end up with an unaccounted iovec pointer. Have io_rw_recycle() return whether it recycled the request or not, and use that to gauge whether to free a potential iovec or not.
Affected products
References
- CVE-2026-23259
- SUSE Bug 1259866
Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to touch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).

[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
Affected products
References
- CVE-2026-23270
- SUSE Bug 1259886
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
Affected products
References
- CVE-2026-23272
- SUSE Bug 1260009
- SUSE Bug 1260909
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
Affected products
References
- CVE-2026-23274
- SUSE Bug 1260005
- SUSE Bug 1260908
Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does:

    get_cpu_ptr(dev->tstats)

Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault.

    BUG: unable to handle page fault for address: ffff8880e6659018
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 68bc067 P4D 68bc067 PUD 0
    Oops: Oops: 0002 [#1] SMP KASAN PTI
    RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
    Call Trace:
    <TASK>
    ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
    __gre_xmit (net/ipv4/ip_gre.c:478)
    gre_tap_xmit (net/ipv4/ip_gre.c:779)
    teql_master_xmit (net/sched/sch_teql.c:319)
    dev_hard_start_xmit (net/core/dev.c:3887)
    sch_direct_xmit (net/sched/sch_generic.c:347)
    __dev_queue_xmit (net/core/dev.c:4802)
    neigh_direct_output (net/core/neighbour.c:1660)
    ip_finish_output2 (net/ipv4/ip_output.c:237)
    __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
    ip_mc_output (net/ipv4/ip_output.c:369)
    ip_send_skb (net/ipv4/ip_output.c:1508)
    udp_send_skb (net/ipv4/udp.c:1195)
    udp_sendmsg (net/ipv4/udp.c:1485)
    inet_sendmsg (net/ipv4/af_inet.c:859)
    __sys_sendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
Affected products
References
- CVE-2026-23277
- SUSE Bug 1259997
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get:

    WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
    RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
    [..]
    __nft_set_elem_destroy+0x106/0x380 [nf_tables]
    nf_tables_abort_release+0x348/0x8d0 [nf_tables]
    nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
    nfnetlink_rcv_batch+0x9c9/0x20e0
    [..]

Affected products
References
- CVE-2026-23278
- SUSE Bug 1259998
- SUSE Bug 1260907
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
Affected products
References
- CVE-2026-23281
- SUSE Bug 1260464
- SUSE Bug 1260466
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace:

    down_read
    __configfs_open_file
    do_dentry_open
    vfs_open
    do_open
    path_openat
    do_filp_open
    file_open_name
    filp_open
    target_core_item_dbroot_store
    flush_write_buffer
    configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows:

    db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking. Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.
Affected products
References
- CVE-2026-23292
- SUSE Bug 1260500
Description
In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup().

    BUG: kernel NULL pointer dereference, address: 0000000000000380
    Oops: Oops: 0000 [#1] SMP NOPTI
    [...]
    RIP: 0010:neigh_lookup+0x20/0x270
    [...]
    Call Trace:
    <TASK>
    vxlan_xmit+0x638/0x1ef0 [vxlan]
    dev_hard_start_xmit+0x9e/0x2e0
    __dev_queue_xmit+0xbee/0x14e0
    packet_sendmsg+0x116f/0x1930
    __sys_sendto+0x1f5/0x200
    __x64_sys_sendto+0x24/0x30
    do_syscall_64+0x12f/0x1590
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
Affected products
References
- CVE-2026-23293
- SUSE Bug 1260486
Description
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.
Affected products
References
- CVE-2026-23317
- SUSE Bug 1260562
- SUSE Bug 1260563
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.

Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:

    static void bpf_shim_tramp_link_release(struct bpf_link *link)
    {
    	/* ... */
    	if (!shim_link->trampoline)
    		return;

    +	msleep(100);
    	WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
    		shim_link->trampoline, NULL));
    	bpf_trampoline_put(shim_link->trampoline);
    }

Before the patch, running a PoC easily reproduced the crash (almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
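The non-zero check described in this entry, as an added user-space C11 model that is not the kernel's code: an object stays on a lookup list after its last reference is dropped, and only a conditional increment refuses to revive it. The struct, its fields and all function names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for a link that remains reachable from a lookup
 * list until a deferred release runs. */
struct shim_link {
	atomic_int refcnt;
	bool on_list;		/* cleared only by the deferred release */
};

/* Drop a reference; returns true when the count reached zero, i.e. the
 * deferred release is now pending. */
bool link_put(struct shim_link *l)
{
	return atomic_fetch_sub(&l->refcnt, 1) == 1;
}

/* Pre-fix pattern: whatever is found on the list gets its count bumped
 * unconditionally, even from zero, so a dying object is handed out. */
struct shim_link *find_and_get_unchecked(struct shim_link *l)
{
	if (!l->on_list)
		return NULL;
	atomic_fetch_add(&l->refcnt, 1);
	return l;
}

/* Fixed pattern: take a reference only while the count is non-zero. */
struct shim_link *find_and_get_not_zero(struct shim_link *l)
{
	int old;

	if (!l->on_list)
		return NULL;
	old = atomic_load(&l->refcnt);
	while (old != 0) {
		/* On failure 'old' is reloaded with the current value. */
		if (atomic_compare_exchange_weak(&l->refcnt, &old, old + 1))
			return l;
	}
	return NULL;		/* dying object: caller must not reuse it */
}
```
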
Affected products
References
- CVE-2026-23319
- SUSE Bug 1260735
Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry

Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write transaction. There's no completion for posted writes, so the writel() may return before the PCI write completes. dw_pcie_ep_raise_msix_irq() also unmaps the outbound ATU entry used for the PCI write, so the write races with the unmap.

If the PCI write loses the race with the ATU unmap, the write may corrupt host memory or cause IOMMU errors, e.g., these when running fio with a larger queue depth against nvmet-pci-epf:

    arm-smmu-v3 fc900000.iommu: 0x0000010000000010
    arm-smmu-v3 fc900000.iommu: 0x0000020000000000
    arm-smmu-v3 fc900000.iommu: 0x000000090000f040
    arm-smmu-v3 fc900000.iommu: 0x0000000000000000
    arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0
    arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0

Flush the write by performing a readl() of the same address to ensure that the write has reached the destination before the ATU entry is unmapped.

The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit 8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but there it was solved by dedicating an outbound iATU only for MSI. We can't do the same for MSI-X because each vector can have a different msg_addr and the msg_addr may be changed while the vector is masked.

[bhelgaas: commit log]
Affected products
References
- CVE-2026-23361
- SUSE Bug 1260732
Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: ets: fix divide by zero in the offload path

Offloading ETS requires computing each class' WRR weight: this is done by averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned int, the same integer size as the individual DRR quanta, can overflow and even cause division by zero, like it happened in the following splat:

    Oops: divide error: 0000 [#1] SMP PTI
    CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)
    Tainted: [E]=UNSIGNED_MODULE
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]
    [...]
    Call Trace:
     <TASK>
     ets_qdisc_change+0x870/0xf40 [sch_ets]
     qdisc_create+0x12b/0x540
     tc_modify_qdisc+0x6d7/0xbd0
     rtnetlink_rcv_msg+0x168/0x6b0
     netlink_rcv_skb+0x5c/0x110
     netlink_unicast+0x1d6/0x2b0
     netlink_sendmsg+0x22e/0x470
     ____sys_sendmsg+0x38a/0x3c0
     ___sys_sendmsg+0x99/0xe0
     __sys_sendmsg+0x8a/0xf0
     do_syscall_64+0x111/0xf80
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    [...]
     </TASK>
    Modules linked in: sch_ets(E) netdevsim(E)
    ---[ end trace 0000000000000000 ]---
    [...]
    Kernel panic - not syncing: Fatal exception

Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
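The arithmetic behind this fix, as an added user-space C model rather than the kernel's own code: cumulative percentage weights computed once with 32-bit accumulators and once with 64-bit ones. The function names and sample quanta are constructed for illustration, and bands with a zero quantum are assumed to come first.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: three quanta whose sum is exactly 2^32. */
const uint32_t sample_wrap[3] = { 0xfffffffeu, 1, 1 };

/* 32-bit 'q_sum' and 'q_psum', as before the fix. Returns -1 at the
 * point where the divisor is zero instead of performing the division. */
int ets_weights_u32(const uint32_t *quanta, size_t n, uint32_t *weights)
{
	uint32_t q_sum = 0, q_psum = 0, w_psum, w_psum_prev = 0;
	size_t i;

	for (i = 0; i < n; i++)
		q_sum += quanta[i];	/* wraps modulo 2^32 */
	for (i = 0; i < n; i++) {
		q_psum += quanta[i];
		if (quanta[i] && q_sum == 0)
			return -1;	/* would be a divide error */
		w_psum = quanta[i] ? q_psum * 100 / q_sum : 0;
		weights[i] = w_psum - w_psum_prev;
		w_psum_prev = w_psum;
	}
	return 0;
}

/* Same computation with 64-bit accumulators: the sum of 32-bit quanta
 * cannot wrap, so the divisor is non-zero whenever a quantum is. */
int ets_weights_u64(const uint32_t *quanta, size_t n, uint32_t *weights)
{
	uint64_t q_sum = 0, q_psum = 0;
	uint32_t w_psum, w_psum_prev = 0;
	size_t i;

	for (i = 0; i < n; i++)
		q_sum += quanta[i];
	for (i = 0; i < n; i++) {
		q_psum += quanta[i];
		w_psum = quanta[i] ? (uint32_t)(q_psum * 100 / q_sum) : 0;
		weights[i] = w_psum - w_psum_prev;
		w_psum_prev = w_psum;
	}
	return 0;
}
```
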
Affected products
References
- CVE-2026-23379
- SUSE Bug 1260481
Description
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference.

    BUG: kernel NULL pointer dereference, address: 0000000000000268
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    [...]
    RIP: 0010:neigh_lookup+0x16/0xe0
    [...]
    Call Trace:
     <IRQ>
     ? neigh_lookup+0x16/0xe0
     br_do_suppress_nd+0x160/0x290 [bridge]
     br_handle_frame_finish+0x500/0x620 [bridge]
     br_handle_frame+0x353/0x440 [bridge]
     __netif_receive_skb_core.constprop.0+0x298/0x1110
     __netif_receive_skb_one_core+0x3d/0xa0
     process_backlog+0xa0/0x140
     __napi_poll+0x2c/0x170
     net_rx_action+0x2c4/0x3a0
     handle_softirqs+0xd0/0x270
     do_softirq+0x3f/0x60

Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.
Affected products
References
- CVE-2026-23381
- SUSE Bug 1260471
Description
In the Linux kernel, the following vulnerability has been resolved:

gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL

In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array.

This leads to two issues:

1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations.
2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings (trace below is how we noticed this issue).

    UBSAN: array-index-out-of-bounds in drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5
    index 18 is out of range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')
    Workqueue: gve gve_service_task [gve]
    Call Trace:
     <TASK>
     dump_stack_lvl+0x33/0xa0
     __ubsan_handle_out_of_bounds+0xdc/0x110
     gve_tx_stop_ring_dqo+0x182/0x200 [gve]
     gve_close+0x1be/0x450 [gve]
     gve_reset+0x99/0x120 [gve]
     gve_service_task+0x61/0x100 [gve]
     process_scheduled_works+0x1e9/0x380

Fix this by properly checking for QPL mode and delegating to gve_free_tx_qpl_bufs() to reclaim the buffers.
Affected products
References
- CVE-2026-23386
- SUSE Bug 1260799
Description
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.

    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
    RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
    Call Trace:
     <IRQ>
     icmp_rcv (net/ipv4/icmp.c:1527)
     ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
     ip_local_deliver_finish (net/ipv4/ip_input.c:242)
     ip_local_deliver (net/ipv4/ip_input.c:262)
     ip_rcv (net/ipv4/ip_input.c:573)
     __netif_receive_skb_one_core (net/core/dev.c:6164)
     process_backlog (net/core/dev.c:6628)
     handle_softirqs (kernel/softirq.c:561)
     </IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Affected products
References
- CVE-2026-23398
- SUSE Bug 1260730
Description
In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback.

Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the way how the transition is happening. If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance.

What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.
Affected products
References
- CVE-2026-23413
- SUSE Bug 1261498
Description
In the Linux kernel, the following vulnerability has been resolved:

tls: Purge async_hold in tls_decrypt_async_wait()

The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally.

A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently.

This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here.

[pabeni@redhat.com: added leak comment]
Affected products
References
- CVE-2026-23414
- SUSE Bug 1261496
Description
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: restrict usage in unprivileged domU

The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains.

In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature.

The only known case where an unprivileged domU is really needing to use the privcmd driver is the case when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest.

Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land only today.

The target domain can be obtained from Xenstore, so when not running in dom0 restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot.

This is XSA-482

---
V2:
- defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich)
- wait in open() if target domain isn't known yet
- issue message in case no target domain found (Jan Beulich)
Affected products
References
- CVE-2026-31788
- SUSE Bug 1259707