SUSE-SU-2026:1959-1

Published: 18 May 2026
Source: suse-cvrf

Description

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP7 RT kernel was updated to fix various security issues.

The following security issues were fixed:

  • CVE-2025-54518: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache (bsc#1264013).
  • CVE-2026-46300: net: skbuff: propagate shared-frag marker through pskb_copy() (bsc#1265209).
  • CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1264449).
  • CVE-2026-43500: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (aka Dirty Frag) (bsc#1264450).
  • CVE-2026-46333: ptrace: Logic bug in the Linux kernel's __ptrace_may_access() function (bsc#1265308).

The following non-security issue was fixed:

  • io-wq: check that the predecessor is hashed in io_wq_remove_pending() (git-fixes).

Package list

SUSE Linux Enterprise Live Patching 15 SP7
kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7
cluster-md-kmp-rt-6.4.0-150700.7.51.1
dlm-kmp-rt-6.4.0-150700.7.51.1
gfs2-kmp-rt-6.4.0-150700.7.51.1
kernel-devel-rt-6.4.0-150700.7.51.1
kernel-rt-6.4.0-150700.7.51.1
kernel-rt-devel-6.4.0-150700.7.51.1
kernel-source-rt-6.4.0-150700.7.51.1
kernel-syms-rt-6.4.0-150700.7.51.1
ocfs2-kmp-rt-6.4.0-150700.7.51.1

Description

Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.


Affected products
SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7:cluster-md-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:dlm-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:gfs2-kmp-rt-6.4.0-150700.7.51.1


Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().


Affected products
SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7:cluster-md-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:dlm-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:gfs2-kmp-rt-6.4.0-150700.7.51.1


Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec().

Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.


Affected products
SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7:cluster-md-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:dlm-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:gfs2-kmp-rt-6.4.0-150700.7.51.1


Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
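The copy-before-decrypt decisions described in the xfrm, rxrpc and coalescing entries above, as an added userspace model in C (not kernel code and not part of the advisory). The struct, the function names and the flag constant are hypothetical stand-ins, the `fixed` switch selects the gate before or after each change, and the sample packets are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model, not kernel code: every name below is hypothetical. */
#define MODEL_SHARED_FRAG 0x2u  /* stands in for SKBFL_SHARED_FRAG */

struct model_skb {
    bool cloned, has_frag_list; /* what skb_cloned(), skb_has_frag_list() report */
    unsigned nr_frags;          /* paged frags; 0 means a linear skb */
    unsigned flags;             /* marker bits carried with the frags */
};

static bool model_has_shared_frag(const struct model_skb *s) {
    return s->nr_frags > 0 && (s->flags & MODEL_SHARED_FRAG) != 0;
}

/* ESP input: true = take a private copy (skb_cow_data) before decrypting. */
bool esp_input_must_cow(const struct model_skb *s, bool fixed) {
    if (s->cloned || s->has_frag_list)
        return true;
    return fixed && model_has_shared_frag(s);   /* gate added by the fix */
}

/* rxrpc DATA/RESPONSE: true = copy to a linear skb before the security ops. */
bool rxrpc_must_unshare(const struct model_skb *s, bool fixed) {
    if (s->cloned)
        return true;                            /* the only pre-fix gate */
    return fixed && (s->has_frag_list || model_has_shared_frag(s));
}

/* Coalescing that moves frag descriptors; the fix carries the marker along. */
void model_coalesce(struct model_skb *to, const struct model_skb *from, bool fixed) {
    to->nr_frags += from->nr_frags;
    if (fixed && from->nr_frags > 0)
        to->flags |= from->flags & MODEL_SHARED_FRAG;
}

/* Constructed case: a marked skb is coalesced into a private one, then ESP
 * input (already fixed) decides whether to copy before decrypting. */
bool coalesced_then_esp_cows(bool coalesce_fixed) {
    struct model_skb to = { .nr_frags = 1 };
    struct model_skb from = { .nr_frags = 2, .flags = MODEL_SHARED_FRAG };
    model_coalesce(&to, &from, coalesce_fixed);
    return esp_input_must_cow(&to, true);
}

int main(void) {
    struct model_skb spliced = { .nr_frags = 1, .flags = MODEL_SHARED_FRAG };
    printf("ESP copies marked skb: before=%d after=%d, lost marker=%d\n",
           esp_input_must_cow(&spliced, false), esp_input_must_cow(&spliced, true),
           coalesced_then_esp_cows(false));
    return 0;
}
```

The last value shows why the marker has to survive coalescing: a fixed ESP gate still skips the copy when the flag was dropped upstream.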


Affected products
SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7:cluster-md-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:dlm-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:gfs2-kmp-rt-6.4.0-150700.7.51.1


Description

In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.

Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.


Affected products
SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_51-rt-1-150700.1.7.1
SUSE Real Time Module 15 SP7:cluster-md-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:dlm-kmp-rt-6.4.0-150700.7.51.1
SUSE Real Time Module 15 SP7:gfs2-kmp-rt-6.4.0-150700.7.51.1
