openSUSE-SU-2026:20826-1

Опубликовано: 28 мая 2026

Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues

The following security issues were fixed:

CVE-2023-2058: x86/CPU: Fix FPDSS on Zen1 (bsc#1243603).
CVE-2024-14027: xattr: switch to CLASS(fd) (bsc#1259420).
CVE-2025-40181: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP (bsc#1253471).
CVE-2025-68265: nvme: fix admin request_queue lifetime (bsc#1255360).
CVE-2025-68310: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump (bsc#1255160).
CVE-2025-71302: drm/panthor: fix for dma-fence safe access rules (bsc#1264837).
CVE-2026-23168: flex_proportions: make fprop_new_period() hardirq safe (bsc#1258826).
CVE-2026-23245: net/sched: act_gate: snapshot parameters with RCU on replace (bsc#1259799).
CVE-2026-23271: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race (bsc#1260018).
CVE-2026-23276: net: add xmit recursion limit to tunnel xmit functions (bsc#1260012).
CVE-2026-23300: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop (bsc#1260538).
CVE-2026-23313: i40e: Fix preempt count leak in napi poll tracepoint (bsc#1260555).
CVE-2026-23316: net: ipv4: fix ARM64 alignment fault in multipath hash seed (bsc#1260573).
CVE-2026-23321: mptcp: pm: in-kernel: always mark signal+subflow endp as used (bsc#1260505).
CVE-2026-23340: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs (bsc#1260523).
CVE-2026-23346: arm64: io: Rename ioremap_prot() to __ioremap_prot() (bsc#1260529).
CVE-2026-23351: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase (bsc#1260526).
CVE-2026-23354: x86/fred: Correct speculative safety in fred_extint() (bsc#1260801).
CVE-2026-23368: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock (bsc#1260530).
CVE-2026-23374: blktrace: fix __this_cpu_read/write in preemptible context (bsc#1260811).
CVE-2026-23375: mm: thp: deny THP for files on anonymous inodes (bsc#1260576).
CVE-2026-23378: net/sched: act_ife: Fix metalist update behavior (bsc#1260546).
CVE-2026-23391: netfilter: xt_CT: drop pending enqueued packets on template removal (bsc#1260566).
CVE-2026-23392: netfilter: nf_tables: release flowtable after rcu grace period on error (bsc#1260531).
CVE-2026-23397: nfnetlink_osf: validate individual option lengths in fingerprints (bsc#1260728).
CVE-2026-23399: nf_tables: nft_dynset: fix possible stateful expression memleak in error path (bsc#1261020).
CVE-2026-23417: bpf: Fix constant blinding for PROBE_MEM32 stores (bsc#1261410).
CVE-2026-23436: net: add helpers for lookup and walking netdevs under netdev_lock() (bsc#1261617).
CVE-2026-23437: net: shaper: protect late read accesses to the hierarchy (bsc#1261635).
CVE-2026-23440: net/mlx5e: Fix race condition during IPSec ESN update (bsc#1261641).
CVE-2026-23441: net/mlx5e: Prevent concurrent access to IPSec ASO context (bsc#1261768).
CVE-2026-23442: ipv6: add NULL checks for idev in SRv6 paths (bsc#1261581).
CVE-2026-23445: igc: fix page fault in XDP TX timestamps handling (bsc#1261702).
CVE-2026-23449: net/sched: teql: Fix double-free in teql_master_xmit (bsc#1261779).
CVE-2026-23450: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() (bsc#1261584).
CVE-2026-23455: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() (bsc#1261687).
CVE-2026-23456: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case (bsc#1261703).
CVE-2026-23457: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() (bsc#1261686).
CVE-2026-23458: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() (bsc#1261781).
CVE-2026-23468: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion (bsc#1261692).
CVE-2026-23472: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN (bsc#1261636).
CVE-2026-23473: io_uring/poll: fix multishot recv missing EOF on wakeup race (bsc#1261694).
CVE-2026-31392: smb: client: fix krb5 mount with username option (bsc#1261788).
CVE-2026-31395: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler (bsc#1261786).
CVE-2026-31400: sunrpc: fix cache_request leak in cache_release (bsc#1261645).
CVE-2026-31402: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (bsc#1261638).
CVE-2026-31403: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd (bsc#1261796).
CVE-2026-31406: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() (bsc#1261629).
CVE-2026-31407: netfilter: conntrack: add missing netlink policy validations (bsc#1261632).
CVE-2026-31411: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() (bsc#1261752).
CVE-2026-31415: ipv6: avoid overflows in ip6_datagram_send_ctl() (bsc#1262099).
CVE-2026-31416: netfilter: nfnetlink_log: account for netlink header size (bsc#1262100).
CVE-2026-31420: bridge: mrp: reject zero test interval to avoid OOM panic (bsc#1262055).
CVE-2026-31421: net/sched: cls_fw: fix NULL pointer dereference on shared blocks (bsc#1262061).
CVE-2026-31422: net/sched: cls_flow: fix NULL pointer dereference on shared blocks (bsc#1262054).
CVE-2026-31423: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() (bsc#1262063).
CVE-2026-31424: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP (bsc#1262053).
CVE-2026-31425: rds: ib: reject FRMR registration before IB connection is established (bsc#1262074).
CVE-2026-31427: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp (bsc#1262086).
CVE-2026-31428: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD (bsc#1262087).
CVE-2026-31435: netfs: Fix read abandonment during retry (bsc#1262601).
CVE-2026-31449: ext4: validate p_idx bounds in ext4_ext_correct_indexes (bsc#1262616).
CVE-2026-31453: xfs: avoid dereferencing log items after push callbacks (bsc#1262617).
CVE-2026-31456: mm/pagewalk: fix race between concurrent split and refault (bsc#1262627).
CVE-2026-31494: net: cadence: macb: Synchronize stats calculations (bsc#1262671).
CVE-2026-31496: netfilter: nf_conntrack_expect: skip expectations in other netns via proc (bsc#1262673).
CVE-2026-31503: udp: Fix wildcard bind conflict check when using hash2 (bsc#1263077).
CVE-2026-31504: net: fix fanout UAF in packet_release() via NETDEV_UP race (bsc#1263085).
CVE-2026-31505: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() (bsc#1263093).
CVE-2026-31507: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer (bsc#1263095).
CVE-2026-31515: af_key: validate families in pfkey_send_migrate() (bsc#1262752).
CVE-2026-31519: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create (bsc#1263012).
CVE-2026-31525: bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN (bsc#1262725).
CVE-2026-31526: bpf: Fix exception exit lock checking for subprogs (bsc#1262662).
CVE-2026-31528: perf: Make sure to use pmu_ctx->pmu for groups (bsc#1263001).
CVE-2026-31533: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption (bsc#1262758).
CVE-2026-31547: drm/xe: Fix missing runtime PM reference in ccs_mode_store (bsc#1263018).
CVE-2026-31550: pmdomain: bcm: bcm2835-power: Increase ASB control timeout (bsc#1263104).
CVE-2026-31554: futex: Require sys_futex_requeue() to have identical flags (bsc#1263107).
CVE-2026-31565: RDMA/irdma: Fix deadlock during netdev reset with active connections (bsc#1263064).
CVE-2026-31579: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit (bsc#1263074).
CVE-2026-31586: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1263176).
CVE-2026-31588: KVM: x86: Use scratch field in MMIO fragment to hold small write values (bsc#1263165).
CVE-2026-31644: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() (bsc#1263048).
CVE-2026-31649: net: stmmac: fix integer underflow in chain mode (bsc#1263582).
CVE-2026-31658: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() (bsc#1263052).
CVE-2026-31662: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG (bsc#1263131).
CVE-2026-31666: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() (bsc#1263138).
CVE-2026-31668: seg6: separate dst_cache for input and output paths in seg6 lwtunnel (bsc#1263140).
CVE-2026-31669: mptcp: fix slab-use-after-free in __inet_lookup_established (bsc#1263141).
CVE-2026-31675: net/sched: sch_netem: fix out-of-bounds access in packet corruption (bsc#1263556).
CVE-2026-31678: openvswitch: defer tunnel netdev_put to RCU release (bsc#1263562).
CVE-2026-31679: openvswitch: validate MPLS set/set_masked payload length (bsc#1263592).
CVE-2026-31681: netfilter: xt_multiport: validate range encoding in checkentry (bsc#1263593).
CVE-2026-31682: bridge: br_nd_send: linearize skb before parsing ND options (bsc#1263595).
CVE-2026-31684: net: sched: act_csum: validate nested VLAN headers (bsc#1263596).
CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets (bsc#1263668).
CVE-2026-31691: igb: remove napi_synchronize() in igb_down() (bsc#1263604).
CVE-2026-31694: fuse: reject oversized dirents in page cache (bsc#1263901).
CVE-2026-31700: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (bsc#1263882).
CVE-2026-31738: vxlan: validate ND option lengths in vxlan_na_create (bsc#1264059).
CVE-2026-31787: xen/privcmd: fix double free via VMA splitting (bsc#1262181).
CVE-2026-43009: bpf: Fix incorrect pruning due to atomic fetch precision tracking (bsc#1264014).
CVE-2026-43025: netfilter: ctnetlink: ignore explicit helper on new expectations (bsc#1263931).
CVE-2026-43027: netfilter: nf_conntrack_helper: pass helper to expect cleanup (bsc#1263933).
CVE-2026-43037: ip6_tunnel: clear skb2->cb in ip4ip6_err() (bsc#1263995).
CVE-2026-43038: ipv6: icmp: clear skb2->cb in ip6_err_gen_icmpv6_unreach() (bsc#1264097).
CVE-2026-43045: mshv: Refactor and rename memory region handling functions (bsc#1263942).
CVE-2026-43050: atm: lec: fix use-after-free in sock_def_readable() (bsc#1264082).
CVE-2026-43060: netfilter: nft_ct: drop pending enqueued packets on removal (bsc#1264183).
CVE-2026-43082: net: txgbe: leave space for null terminators on property_entry (bsc#1264233).
CVE-2026-43088: net: af_key: zero aligned sockaddr tail in PF_KEY exports (bsc#1264469).
CVE-2026-43153: xfs: remove xfs_attr_leaf_hasname (bsc#1264586).
CVE-2026-43190: netfilter: xt_tcpmss: check remaining length before reading optlen (bsc#1264848).
CVE-2026-43265: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() (bsc#1264427).
CVE-2026-43329: netfilter: flowtable: strictly check for maximum number of actions (bsc#1265085).
CVE-2026-43365: xfs: fix undersized l_iclog_roundoff values (bsc#1265119).
CVE-2026-43366: io_uring/kbuf: check if target buffer list is still legacy on recycle (bsc#1265116).
CVE-2026-43441: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled (bsc#1264674).
CVE-2026-43494: net/rds: reset op_nents when zerocopy page pin fails (bsc#1265626).
CVE-2026-43503: net: skbuff: propagate shared-frag marker through frag-transfer helpers (bsc#1265960).

The following non security issues were fixed:

accel/qaic: Add overflow check to remap_pfn_range during mmap (git-fixes).
ACPI: AGDI: fix missing newline in error message (git-fixes).
ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug (git-fixes).
ACPI: scan: Use acpi_dev_put() in object add error paths (git-fixes).
ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO (git-fixes).
ACPI: video: force native backlight on HP OMEN 16 (8A44) (stable-fixes).
ACPI: video: Move Lenovo Legion S7 15ACH6 quirk to the right section (git-fixes).
ALSA: 6fire: Fix input volume change detection (git-fixes).
ALSA: 6fire: fix use-after-free on disconnect (git-fixes).
ALSA: aoa: i2sbus: clear stale prepared state (git-fixes).
ALSA: aoa: i2sbus: fix OF node lifetime handling (git-fixes).
ALSA: aoa: Skip devices with no codecs in i2sbus_resume() (git-fixes).
ALSA: aoa: Use guard() for mutex locks (stable-fixes).
ALSA: asihpi: avoid write overflow check warning (stable-fixes).
ALSA: caiaq: Don't abort when no input device is available (git-fixes).
ALSA: caiaq: Fix control_put() result and cache rollback (git-fixes).
ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path (git-fixes).
ALSA: caiaq: fix usb_dev refcount leak on probe failure (git-fixes).
ALSA: caiaq: Handle probe errors properly (git-fixes).
ALSA: caiaq: take a reference on the USB device in create_card() (git-fixes).
ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() (git-fixes).
ALSA: core: Fix potential data race at fasync handling (git-fixes).
ALSA: core: Serialize deferred fasync state checks (git-fixes).
ALSA: core: Validate compress device numbers without dynamic minors (git-fixes).
ALSA: ctxfi: Add fallback to default RSR for S/PDIF (git-fixes).
ALSA: ctxfi: Fix missing SPDIFI1 index handling (stable-fixes).
ALSA: ctxfi: Limit PTP to a single page (git-fixes).
ALSA: firewire-tascam: Do not drop unread control events (git-fixes).
ALSA: fireworks: bound device-supplied status before string array lookup (git-fixes).
ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 (stable-fixes).
ALSA: hda/realtek - fixed speaker no sound update (git-fixes).
ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk (stable-fixes).
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx (stable-fixes).
ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC (stable-fixes).
ALSA: hda/realtek: add quirk for Framework F111:000F (stable-fixes).
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 (stable-fixes).
ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}') (git-fixes).
ALSA: hda: cs35l41: Put ACPI device on missing physical node (git-fixes).
ALSA: hda: cs35l56: Propagate ASP TX source control errors (git-fixes).
ALSA: hda: cs35l56: Put ACPI device after setting companion (git-fixes).
ALSA: hda: Fix NULL pointer dereference in snd_hda_ctl_add() (git-fixes).
ALSA: misc: Use guard() for spin locks (stable-fixes).
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger (stable-fixes).
ALSA: pcmtest: fix reference leak on failed device registration (git-fixes).
ALSA: pcmtest: Fix resource leaks in module init error paths (git-fixes).
ALSA: pcmtest: Return -EFAULT on pattern read copy failure (git-fixes).
ALSA: sc6000: Keep the programmed board state in card-private data (git-fixes).
ALSA: scarlett2: Add missing error check when initialise Autogain Status (git-fixes).
ALSA: scarlett2: Add missing sentinel initializer field (git-fixes).
ALSA: seq: Notify client and port info changes (stable-fixes).
ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes (stable-fixes).
ALSA: usb-audio: apply quirk for MOONDROP JU Jiu (stable-fixes).
ALSA: usb-audio: Avoid false E-MU sample-rate notifications (git-fixes).
ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (git-fixes).
ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans (git-fixes).
ALSA: usb-audio: Bound MIDI endpoint descriptor scans (git-fixes).
ALSA: usb-audio: Evaluate packsize caps at the right place (git-fixes).
ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch (git-fixes).
ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams (git-fixes).
ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex (stable-fixes).
ALSA: usb-audio: Fix UAC3 cluster descriptor size check (git-fixes).
ALSA: usb-audio: midi2: Restart output URBs on resume (git-fixes).
ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (git-fixes).
ALSA: virtio: drop an extaneous kernel-doc comment (git-fixes).
amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2 (stable-fixes).
ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED (git-fixes).
ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx (stable-fixes).
ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA (stable-fixes).
ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF (stable-fixes).
ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table (stable-fixes).
ASoC: codecs: ab8500: Fix casting of private data (git-fixes).
ASoC: cs35l56: Destroy workqueue in probe error path (git-fixes).
ASoC: cs35l56: Don't use devres to unregister component (git-fixes).
ASoC: cs35l56: Fix hibernate write in runtime resume error path (git-fixes).
ASoC: fsl_easrc: Change the type for iec958 channel status controls (git-fixes).
ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() (git-fixes).
ASoC: fsl_easrc: fix comment typo (git-fixes).
ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() (git-fixes).
ASoC: fsl_micfil: Add access property for "VAD Detected" (git-fixes).
ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() (git-fixes).
ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() (git-fixes).
ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() (git-fixes).
ASoC: fsl_micfil: Fix event generation in micfil_quality_set() (git-fixes).
ASoC: fsl_xcvr: Fix event generation for cached controls (git-fixes).
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() (git-fixes).
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() (git-fixes).
ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error (git-fixes).
ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop (git-fixes).
ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens (git-fixes).
ASoC: qcom: q6apm: move component registration to unmanaged version (git-fixes).
ASoC: qcom: q6apm: remove child devices when apm is removed (git-fixes).
ASoC: qcom: qdsp6: topology: check widget type before accessing data (git-fixes).
ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list (stable-fixes).
ASoC: SOF: compress: return the configured codec from get_params (git-fixes).
ASoC: SOF: Don't allow pointer operations on unconfigured streams (git-fixes).
ASoC: SOF: Intel: hda: Place check before dereference (git-fixes).
ASoC: SOF: topology: reject invalid vendor array size in token parser (stable-fixes).
ASoC: sti: Return errors from regmap_field_alloc() (git-fixes).
ASoC: sti: use managed regmap_field allocations (git-fixes).
ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J (stable-fixes).
ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 (stable-fixes).
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() (git-fixes).
batman-adv: bla: only purge non-released claims (git-fixes).
batman-adv: bla: prevent use-after-free when deleting claims (git-fixes).
batman-adv: bla: put backbone reference on failed claim hash insert (git-fixes).
batman-adv: fix integer overflow on buff_pos (git-fixes).
batman-adv: hold claim backbone gateways by reference (git-fixes).
batman-adv: reject new tp_meter sessions during teardown (git-fixes).
batman-adv: reject oversized global TT response buffers (git-fixes).
batman-adv: stop caching unowned originator pointers in BAT IV (git-fixes).
bitfield: Add FIELD_MODIFY() helper (jsc#PED-14238).
Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling (git-fixes).
Bluetooth: btmtk: validate WMT event SKB length before struct access (git-fixes).
Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames (bsc#1260996).
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER (git-fixes).
Bluetooth: hci_event: fix memset typo (git-fixes).
Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt (git-fixes).
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (git-fixes).
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (git-fixes).
Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem (git-fixes).
Bluetooth: ISO: Fix data-race on dst in iso_sock_connect() (git-fixes).
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp (git-fixes).
Bluetooth: l2cap: fix MPS check in l2cap_ecred_reconf_req (git-fixes).
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() (git-fixes).
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() (git-fixes).
Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU (git-fixes).
Bluetooth: RFCOMM: pull credit byte with skb_pull_data() (git-fixes).
Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec (git-fixes).
Bluetooth: SCO: fix sleeping under spinlock in sco_conn_ready (git-fixes).
Bluetooth: SCO: hold sk properly in sco_conn_ready (git-fixes).
Bluetooth: virtio_bt: clamp rx length before skb_put (git-fixes).
Bluetooth: virtio_bt: validate rx pkt_type header length (git-fixes).
bpf: Add third round of bounds deduction (git-fixes).
bpf: Fix u32/s32 bounds when ranges cross min/max boundary (git-fixes).
bpf: Improve bounds when s64 crosses sign boundary (git-fixes).
bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI (git-fixes).
btrfs: qgroup: update all parent qgroups when doing quick inherit (bsc#1258933).
btrfs: reject root items with drop_progress and zero drop_level (git-fixes).
btrfs: replace BUG() with error handling in __btrfs_balance() (git-fixes).
bus: mhi: host: pci_generic: Switch to async power up to avoid boot delays (git-fixes).
bus: rifsc: fix RIF configuration check for peripherals (git-fixes).
can: mcp251x: add error handling for power enable in open and resume (stable-fixes).
can: raw: fix ro->uniq use-after-free in raw_rcv() (git-fixes).
can: ucan: fix devres lifetime (git-fixes).
cdc-acm: new quirk for EPSON HMD (stable-fixes).
check-for-config-changes: Exclude CC_MS_EXTENSIONS.
check-for-config-changes: Exclude HAVE_CFI_ICALL_NORMALIZE_INTEGERS{,_RUSTC}.
comedi: dt2815: add hardware detection to prevent crash (stable-fixes).
cpufreq: intel_pstate: Drop Arrow Lake from "scaling factor" list (bsc#1249104).
crypto: af_alg - limit RX SG extraction by receive buffer budget (git-fixes).
crypto: algif_aead - Fix minimum RX size check for decryption (git-fixes).
crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (git-fixes).
crypto: atmel-ecc - Release client on allocation failure (git-fixes).
crypto: atmel-sha204a - Fix error codes in OTP reads (git-fixes).
crypto: atmel-sha204a - Fix OTP sysfs read and error handling (git-fixes).
crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path (git-fixes).
crypto: atmel-sha204a - Fix uninitialized data access on OTP read error (git-fixes).
crypto: atmel-tdes - fix DMA sync direction (git-fixes).
crypto: ccp - copy IV using skcipher ivsize (git-fixes).
crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (git-fixes).
crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (git-fixes).
crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (git-fixes).
crypto: ccree - fix a memory leak in cc_mac_digest() (git-fixes).
crypto: drivers - Switch back to struct platform_driver::remove() (jsc#PED-14238).
crypto: drivers - Use str_enable_disable-like helpers (jsc#PED-14238).
crypto: hisilicon - Fix dma_unmap_single() direction (git-fixes).
crypto: iaa - Adjust workqueue allocation type (jsc#PED-14238).
crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table() (git-fixes).
crypto: iaa - Move compression CRC into request object (jsc#PED-14238).
crypto: iaa - Optimize rebalance_wq_table() (jsc#PED-14238).
crypto: iaa - Remove potential infinite loop in check_completion() (jsc#PED-14238).
crypto: iaa - Remove unreachable pr_debug from iaa_crypto_cleanup_module (jsc#PED-14238).
crypto: iaa - Remove unused disable_async argument from iaa_decompress (jsc#PED-14238).
crypto: iaa - Replace sprintf with sysfs_emit in sysfs show functions (jsc#PED-14238).
crypto: iaa - Simplify init_iaa_device() (jsc#PED-14238).
crypto: jitterentropy - replace long-held spinlock with mutex (git-fixes).
crypto: nx - Fix packed layout in struct nx842_crypto_header (git-fixes).
crypto: pcrypt - Fix handling of MAY_BACKLOG requests (git-fixes).
crypto: qat - #undef field_get() before local definition (jsc#PED-14238).
crypto: qat - add adf_rl_get_num_svc_aes() in rate limiting (jsc#PED-14238).
crypto: qat - add bank state save and restore for qat_420xx (jsc#PED-14238).
crypto: qat - add command queue telemetry counters for GEN6 (jsc#PED-14238).
crypto: qat - add compression slice count for rate limiting (jsc#PED-14238).
crypto: qat - add decompression service for rate limiting (jsc#PED-14238).
crypto: qat - add decompression service to telemetry (jsc#PED-14238).
crypto: qat - add firmware headers for GEN6 devices (jsc#PED-14238).
crypto: qat - add GEN6 firmware loader (jsc#PED-14238).
crypto: qat - add get_svc_slice_cnt() in device data structure (jsc#PED-14238).
crypto: qat - add live migration enablers for GEN6 devices (jsc#PED-14238).
crypto: qat - add macro to write 64-bit values to registers (jsc#PED-14238).
crypto: qat - add missing header inclusion (jsc#PED-14238).
crypto: qat - add qat_6xxx driver (jsc#PED-14238).
crypto: qat - add ring buffer idle telemetry counter for GEN6 (jsc#PED-14238).
crypto: qat - add support for decompression service to GEN6 devices (jsc#PED-14238).
crypto: qat - consolidate service enums (jsc#PED-14238).
crypto: qat - Constify struct pm_status_row (jsc#PED-14238).
crypto: qat - disable 4xxx AE cluster when lead engine is fused off (git-fixes).
crypto: qat - disable 420xx AE cluster when lead engine is fused off (git-fixes).
crypto: qat - do not export adf_cfg_services (jsc#PED-14238).
crypto: qat - enable power management debugfs for GEN6 devices (jsc#PED-14238).
crypto: qat - enable RAS support for GEN6 devices (jsc#PED-14238).
crypto: qat - enable rate limiting feature for GEN6 devices (jsc#PED-14238).
crypto: qat - enable reporting of error counters for GEN6 devices (jsc#PED-14238).
crypto: qat - enable telemetry for GEN6 devices (jsc#PED-14238).
crypto: qat - export adf_get_service_mask() (jsc#PED-14238).
crypto: qat - export adf_init_admin_pm() (jsc#PED-14238).
crypto: qat - expose configuration functions (jsc#PED-14238).
crypto: qat - fix compression instance leak (git-fixes).
crypto: qat - fix IRQ cleanup on 6xxx probe failure (git-fixes).
crypto: qat - fix object goals in Makefiles (jsc#PED-14238.
crypto: qat - fix type mismatch in RAS sysfs show functions (git-fixes).
crypto: qat - Fix typo "accelaration" (jsc#PED-14238).
crypto: qat - fix virtual channel configuration for GEN6 devices (jsc#PED-14238).
crypto: qat - include qat_common in top Makefile (jsc#PED-14238).
crypto: qat - introduce fuse array (jsc#PED-14238).
crypto: qat - make adf_dev_autoreset() static (jsc#PED-14238).
crypto: qat - optimize allocations for fw authentication (jsc#PED-14238).
crypto: qat - refactor compression template logic (jsc#PED-14238).
crypto: qat - refactor FW signing algorithm (jsc#PED-14238).
crypto: qat - refactor ring-related debug functions (jsc#PED-14238).
crypto: qat - refactor service parsing logic (jsc#PED-14238).
crypto: qat - relocate and rename bank state structure definition (jsc#PED-14238).
crypto: qat - relocate bank state helper functions (jsc#PED-14238).
crypto: qat - relocate power management debugfs helper APIs (jsc#PED-14238).
crypto: qat - relocate service related functions (jsc#PED-14238).
crypto: qat - remove BITS_IN_DWORD() (jsc#PED-14238).
crypto: qat - Remove dst_null support (jsc#PED-14238).
crypto: qat - remove duplicate masking for GEN6 devices (jsc#PED-14238).
crypto: qat - remove initialization in device class (jsc#PED-14238).
crypto: qat - remove redundant FW image size check (jsc#PED-14238).
crypto: qat - remove unused adf_devmgr_get_first (jsc#PED-14238).
crypto: qat - remove unused members in suof structure (jsc#PED-14238).
crypto: qat - rename and relocate timer logic (jsc#PED-14238).
crypto: qat - reorder objects in qat_common Makefile (jsc#PED-14238).
crypto: qat - replace CHECK_STAT macro with static inline function (jsc#PED-14238).
crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() (jsc#PED-14238).
crypto: qat - restore ASYM service support for GEN6 devices (jsc#PED-14238).
crypto: qat - Return pointer directly in adf_ctl_alloc_resources (jsc#PED-14238).
crypto: qat - set command ids as reserved (jsc#PED-14238).
crypto: qat - switch to standard pattern for PCI IDs (jsc#PED-14238).
crypto: qat - update firmware api (jsc#PED-14238).
crypto: qat - use pr_fmt() in adf_gen4_hw_data.c (jsc#PED-14238).
crypto: qat - use pr_fmt() in qat uclo.c (jsc#PED-14238).
crypto: qat - use simple_strtoull to improve qat_uclo_parse_num (jsc#PED-14238).
crypto: qat - use swab32 macro (git-fixes).
crypto: qat - validate service in rate limiting sysfs api (jsc#PED-14238).
crypto: qat/qat_6xxx - Fix NULL vs IS_ERR() check in adf_probe() (jsc#PED-14238).
crypto: sa2ul - Fix AEAD fallback algorithm names (git-fixes).
crypto: simd - reject compat registrations without __ prefixes (git-fixes).
crypto: talitos - fix SEC1 32k ahash request limitation (git-fixes).
crypto: tegra - Disable softirqs before finalizing request (git-fixes).
devres: fix missing node debug info in devm_krealloc() (git-fixes).
dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis (git-fixes).
dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function (git-fixes).
dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() (git-fixes).
dpll: zl3073x: Add support to adjust phase (bsc#1255752).
dpll: zl3073x: Fix output pin phase adjustment sign (bsc#1255752).
dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs (bsc#1255752).
dpll: zl3073x: Specify phase adjustment granularity for pins (bsc#1255752).
drivers/base/memory: fix memory block reference leak in poison accounting (git-fixes).
drm/amd/display: Add NULL check for integrated_info in clk_mgr_construct (git-fixes).
drm/amd/display: Allow DCE link encoder without AUX registers (git-fixes).
drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths (git-fixes).
drm/amd/display: Change dither policy for 10 bpc output back to dithering (git-fixes).
drm/amd/display: Correct logic check error for fastboot (git-fixes).
drm/amd/display: Disable 10-bit truncation and dithering on DCE 6.x (git-fixes).
drm/amd/display: Disable fastboot on DCE 6 too (stable-fixes).
drm/amd/display: Read EDID from VBIOS embedded panel info (git-fixes).
drm/amd/pm/ci: Clear EnabledForActivity field for memory levels (git-fixes).
drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs (git-fixes).
drm/amd/pm/ci: Fill DW8 fields from SMC (git-fixes).
drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 (git-fixes).
drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled (git-fixes).
drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board (git-fixes).
drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock (git-fixes).
drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x (git-fixes).
drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) (git-fixes).
drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ (stable-fixes).
drm/amdgpu/gfx10: look at the right prop for gfx queue priority (git-fixes).
drm/amdgpu/gfx11: look at the right prop for gfx queue priority (git-fixes).
drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring (git-fixes).
drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring (git-fixes).
drm/amdgpu/pm: add missing revision check for CI (git-fixes).
drm/amdgpu/pm: align Hawaii mclk workaround with radeon (git-fixes).
drm/amdgpu/pm: drop SMU driver if version not matched messages (stable-fixes).
drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission (git-fixes).
drm/amdgpu/vce: Prevent partial address patches (stable-fixes).
drm/amdgpu/vcn3: Avoid overflow on msg bound check (git-fixes).
drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (stable-fixes).
drm/amdgpu/vcn4: Avoid overflow on msg bound check (git-fixes).
drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (stable-fixes).
drm/amdgpu/vcn4: Prevent OOB reads when parsing IB (stable-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring (git-fixes).
drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring (git-fixes).
drm/amdgpu: Add bounds checking to ib_{get,set}_value (stable-fixes).
drm/amdgpu: Add default case in DVI mode validation (git-fixes).
drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG (git-fixes).
drm/amdgpu: fix zero-size GDS range init on RDNA4 (stable-fixes).
drm/amdgpu: gate VM CPU HDP flush on reset lock (stable-fixes).
drm/amdgpu: replace PASID IDR with XArray (git-fixes).
drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count (stable-fixes).
drm/amdgpu: zero-initialize GART table on allocation (stable-fixes).
drm/amdkfd: Add upper bound check for num_of_nodes (stable-fixes).
drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure (stable-fixes).
drm/amdkfd: Make all TLB-flushes heavy-weight (stable-fixes).
drm/amdkfd: validate SVM ioctl nattr against buffer size (stable-fixes).
drm/arcpgu: fix device node leak (git-fixes).
drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs (git-fixes).
drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check (git-fixes).
drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() (git-fixes).
drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector (git-fixes).
drm/etnaviv: Fix armed job not being pushed to the DRM scheduler (git-fixes).
drm/exynos: remove bridge when component_add fails (git-fixes).
drm/fb-helper: Fix clipping when damage area spans a single scanline (git-fixes).
drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (git-fixes).
drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup (git-fixes).
drm/gma500/oaktrail_lvds: fix hang on init failure (git-fixes).
drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init (git-fixes).
drm/i915/dp: Fix VSC dynamic range signaling for RGB formats (git-fixes).
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat (git-fixes).
drm/i915/wm: Verify the correct plane DDB entry (git-fixes).
drm/i915: skip __i915_request_skip() for already signaled requests (git-fixes).
drm/imagination: Switch reset_reason fields from enum to u32 (git-fixes).
drm/komeda: fix integer overflow in AFBC framebuffer size check (git-fixes).
drm/loongson: Use managed KMS polling (git-fixes).
drm/msm/a6xx: Fix dumping A650+ debugbus blocks (git-fixes).
drm/msm/a6xx: Fix HLSQ register dumping (git-fixes).
drm/msm/a6xx: Use barriers while updating HFI Q headers (git-fixes).
drm/msm/dpu: fix mismatch between power and frequency (git-fixes).
drm/msm/dsi: add the missing parameter description (git-fixes).
drm/msm/dsi: fix bits_per_pclk (git-fixes).
drm/msm/dsi: fix hdisplay calculation for CMD mode panel (git-fixes).
drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 (git-fixes).
drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() (git-fixes).
drm/msm/shrinker: Fix can_block() logic (git-fixes).
drm/nouveau: fix nvkm_device leak on aperture removal failure (git-fixes).
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check (git-fixes).
drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds (git-fixes).
drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds (git-fixes).
drm/panel: sharp-ls043t1le01: make use of prepare_prev_first (git-fixes).
drm/panel: simple: Correct G190EAN01 prepare timing (git-fixes).
drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() (git-fixes).
drm/panthor: Fix outdated function documentation (git-fixes).
drm/radeon: add missing revision check for CI (git-fixes).
drm/sun4i: backend: fix error pointer dereference (git-fixes).
drm/sun4i: Fix resource leaks (git-fixes).
drm/v3d: Handle error from drm_sched_entity_init() (git-fixes).
drm/vc4: Fix a memory leak in hang state error path (git-fixes).
drm/vc4: Fix memory leak of BO array in hang state (git-fixes).
drm/vc4: platform_get_irq_byname() returns an int (stable-fixes).
drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock (git-fixes).
drm/vc4: Release runtime PM reference after binding V3D (git-fixes).
drm/vram: remove DRM_VRAM_MM_FILE_OPERATIONS from docs (git-fixes).
drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() (git-fixes).
drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() (git-fixes).
drm/xe/debugfs: Correct printing of register whitelist ranges (git-fixes).
drm/xe/dma-buf: handle empty bo and UAF races (git-fixes).
drm/xe/gsc: Fix BO leak on error in query_compatibility_version() (git-fixes).
drm/xe/uapi: update used tracking kernel-doc (git-fixes).
drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() (git-fixes).
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() (git-fixes).
dt-bindings: net: Fix Tegra234 MGBE PTP clock (git-fixes).
efi/capsule-loader: fix incorrect sizeof in phys array reallocation (git-fixes).
efi: pstore: Drop efivar lock when efi_pstore_open() returns with an error (git-fixes).
erofs: add GFP_NOIO in the bio completion if needed (git-fixes).
ext4: fix fsync(2) for nojournal mode (git-fixes).
ext4: make recently_deleted() properly work with lazy itable initialization (git-fixes).
ext4: reject mount if bigalloc with s_first_data_block != 0 (git-fixes).
extcon: Fixed sysfs duplicate filename issue (git-fixes).
extcon: ptn5150: handle pending IRQ events during system resume (git-fixes).
fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break (git-fixes).
fbdev: offb: fix PCI device reference leak on probe failure (git-fixes).
fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (stable-fixes).
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (git-fixes).
firmware: arm_ffa: Use the correct buffer size during RXTX_MAP (git-fixes).
firmware: dmi: Correct an indexing error in dmi.h (git-fixes).
firmware: google: framebuffer: Do not mark framebuffer as busy (git-fixes).
firmware: google: framebuffer: Do not unregister platform device (git-fixes).
gpio: of: clear OF_POPULATED on hog nodes in remove path (git-fixes).
gpio: tegra: fix irq_release_resources calling enable instead of disable (git-fixes).
gtp: disable BH before calling udp_tunnel_xmit_skb() (git-fixes).
HID: alps: fix NULL pointer dereference in alps_raw_event() (git-fixes).
HID: amd_sfh: don't log error when device discovery fails with -EOPNOTSUPP (git-fixes).
HID: apple: ensure the keyboard backlight is off if suspending (git-fixes).
HID: asus: do not abort probe when not necessary (git-fixes).
HID: asus: make asus_resume adhere to linux kernel coding standards (git-fixes).
HID: core: clamp report_size in s32ton() to avoid undefined shift (stable-fixes).
HID: logitech-hidpp: Enable MX Master 4 over bluetooth (stable-fixes).
HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure (stable-fixes).
HID: multitouch: Check to ensure report responses match the request (stable-fixes).
HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 (stable-fixes).
HID: roccat: fix use-after-free in roccat_report_event (stable-fixes).
HID: usbhid: fix deadlock in hid_post_reset() (git-fixes).
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq (stable-fixes).
hisi_acc_vfio_pci: add eq and aeq interruption restore (git-fixes).
hisi_acc_vfio_pci: bugfix cache write-back issue (git-fixes).
hisi_acc_vfio_pci: bugfix the problem of uninstalling driver (git-fixes).
hv_sock: fix ARM64 support (git-fixes).
hv_sock: update outdated comment for renamed vsock_stream_recvmsg() (git-fixes).
hwmon: (ads7871) Fix endianness bug in 16-bit register reads (git-fixes).
hwmon: (corsair-psu) Close HID device on probe errors (git-fixes).
hwmon: (lm63) Add locking to avoid TOCTOU (git-fixes).
hwmon: (ltc2992) Clamp threshold writes to hardware range (git-fixes).
hwmon: (ltc2992) Fix u32 overflow in power read path (git-fixes).
hwmon: (ltc4286) Add missing MODULE_IMPORT_NS("PMBUS") (git-fixes).
hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt (git-fixes).
hwmon: (powerz) Fix use-after-free on USB disconnect (git-fixes).
hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() (git-fixes).
i2c: s3c24xx: check the size of the SMBUS message before using it (stable-fixes).
i2c: smbus: reject oversized block transfers in the common path (git-fixes).
i2c: stm32f7: reinit_completion() per transfer not per msg (git-fixes).
i2c: stub: Reject I2C block transfers with invalid length (git-fixes).
i2c: tegra: Add HS mode support (bsc#1261550).
i2c: tegra: Add Tegra256 support (bsc#1261550).
i2c: tegra: Do not configure DMA if not supported (bsc#1261550).
i2c: tegra: Don't mark devices with pins as IRQ safe (stable-fixes).
i2c: tegra: Update Tegra256 timing parameters (bsc#1261550).
i2c: tegra: Use separate variables for fast and fastplus (bsc#1261550).
i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() (git-fixes).
i3c: master: Fix error codes at send_ccc_cmd (git-fixes).
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status (git-fixes).
ibmveth: Disable GSO for packets with small MSS (bsc#1265144).
iio: adc: ad7192: Revert "properly check spi_get_device_match_data()" (stable-fixes).
iio: adc: ad7768-1: fix one-shot mode data acquisition (git-fixes).
iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() (git-fixes).
iio: frequency: admv1013: add dev variable (stable-fixes).
iio: frequency: admv1013: fix NULL pointer dereference on str (git-fixes).
Input: bcm5974 - recover from failed mode switch (stable-fixes).
Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table (stable-fixes).
Input: uinput - fix circular locking dependency with ff-core (git-fixes).
Input: uinput - take event lock when submitting FF request "event" (stable-fixes).
Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless mode (stable-fixes).
Input: xpad - add support for Razer Wolverine V3 Pro (stable-fixes).
interconnect: debugfs: fix devm_kstrdup and kfree mismatch (git-fixes).
io_uring/timeout: check unused sqe fields (git-fixes).
iommu/amd: move wait_on_sem() out of spinlock (git-fixes bsc#1260593).
iommu/amd: serialize sequence allocation under concurrent TLB invalidations (git-fixes bsc#1260593).
iommu/vt-d: Remove LPIG from page group response descriptor (jsc#PED-16113).
ipmi: Add limits to event and receive message requests (git-fixes).
ipmi: Check event message buffer response for bad data (git-fixes).
ipmi: ssif_bmc: change log level to dbg in irq callback (git-fixes).
ipmi: ssif_bmc: fix message desynchronization after truncated response (git-fixes).
ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure (git-fixes).
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (git-fixes).
KVM: arm64: Allow cacheable stage 2 mapping using VMA flags (git-fixes).
KVM: arm64: Assume non-PFNMAP/MIXEDMAP VMAs can be mapped cacheable (git-fixes).
KVM: arm64: Block cacheable PFNMAP mapping (git-fixes).
KVM: arm64: Consolidate idreg callbacks (git-fixes).
KVM: arm64: Discard PC update state on vcpu reset (git-fixes).
KVM: arm64: Finalize ID registers only once per VM (git-fixes).
KVM: arm64: Fix MTE flag initialization for protected VMs (git-fixes).
KVM: arm64: Fix page leak in user_mem_abort() (git-fixes).
KVM: arm64: Fix Trace Buffer trap polarity for protected VMs (git-fixes).
KVM: arm64: Fix Trace Buffer trapping for protected VMs (git-fixes).
KVM: arm64: Fix vma_shift staleness on nested hwpoison path (git-fixes).
KVM: arm64: Hide S1POE from guests when not supported by the host (git-fixes).
KVM: arm64: Limit clearing of ID_{AA64PFR0,PFR1}_EL1.GIC to userspace irqchip (git-fixes).
KVM: arm64: Make all 32bit ID registers fully writable (git-fixes).
KVM: arm64: nv: Add trap config for DBGWCR<15>_EL1 (git-fixes).
KVM: arm64: nv: Return correct RES0 bits for FGT registers (git-fixes).
KVM: arm64: pkvm: Fallback to level-3 mapping on host stage-2 fault (git-fixes).
KVM: arm64: Read PMUVer as unsigned (git-fixes).
KVM: arm64: Rename the device variable to s2_force_noncacheable (git-fixes).
KVM: arm64: Return early from trace helpers when KVM isn't available (git-fixes).
KVM: arm64: Set ID_{AA64PFR0,PFR1}_EL1.GIC when GICv3 is configured (git-fixes).
KVM: arm64: vgic-v3: Release reserved slot outside of lpi_xa's lock (git-fixes).
KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value (git-fixes).
KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT (git-fixes).
KVM: nVMX: Add consistency check for TSC_MULTIPLIER=0 (git-fixes).
KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (git-fixes).
KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created (git-fixes).
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (git-fixes).
KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish (git-fixes).
KVM: SEV: Protect all of sev_mem_enc_register_region() with kvm->lock (git-fixes).
KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU (git-fixes).
KVM: SVM: Disallow EFER.LMSLE when not supported by hardware (git-fixes).
KVM: SVM: Fix a missing kunmap_local() in sev_gmem_post_populate() (git-fixes).
KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC (git-fixes).
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN (git-fixes).
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN (git-fixes).
KVM: SVM: Properly check RAX in the emulator for SVM instructions (git-fixes).
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated (git-fixes).
KVM: TDX: Explicitly set user-return MSRs that may be clobbered by the TDX-Module (git-fixes).
KVM: x86/mmu: Fix UBSAN warning when reading nx_huge_pages parameter (git-fixes).
KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls (git-fixes).
KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() (git-fixes).
KVM: x86: Advertise EferLmsleUnsupported to userspace (git-fixes).
KVM: x86: check for nEPT/nNPT in slow flush hypercalls (git-fixes).
KVM: X86: Fix array_index_nospec protection in __pv_send_ipi (git-fixes).
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (git-fixes).
KVM: x86: hyper-v: Validate all GVAs during PV TLB flush (git-fixes).
KVM: x86: Ignore cpuid faulting in SMM (git-fixes).
leds: lgm-sso: Remove duplicate assignments for priv->mmap (git-fixes).
leds: qcom-lpg: Check for array overflow when selecting the high resolution (stable-fixes).
lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() (git-fixes).
md/raid1: fix the comparing region of interval tree (bsc#1261555).
md/raid1: serialize overlap io for writemostly disk (bsc#1261555).
media: amphion: Fix race between m2m job_abort and device_run (git-fixes).
media: as102: fix to not free memory after the device is registered in as102_usb_probe() (git-fixes).
media: chips-media: wave5: add missing spinlock protection for handle_dynamic_resolution_change() (git-fixes).
media: chips-media: wave5: add missing spinlock protection for send_eos_event() (git-fixes).
media: chips-media: wave5: fix a potential memory leak in wave5_vdi_init() (git-fixes).
media: dib8000: avoid division by 0 in dib8000_set_dds() (git-fixes).
media: em28xx: fix use-after-free in em28xx_v4l2_open() (git-fixes).
media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (git-fixes).
media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() (git-fixes).
media: i2c: imx283: Enter full standby when stopping streaming (git-fixes).
media: i2c: imx283: Fix hang when going from large to small resolution (git-fixes).
media: i2c: imx412: Assert reset GPIO during probe (git-fixes).
media: i2c: ov08d10: fix image vertical start setting (git-fixes).
media: i2c: ov8856: free control handler on error in ov8856_init_controls() (git-fixes).
media: intel/ipu6: fix error pointer dereference (git-fixes).
media: mtk-jpeg: fix use-after-free in release path due to uncancelled work (git-fixes).
media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 (git-fixes).
media: omap3isp: drop the use count of v4l2 pipeline (git-fixes).
media: pci: zoran: fix potential memory leak in zoran_probe() (git-fixes).
media: rc: streamzap: Error handling in probe (git-fixes).
media: rc: xbox_remote: heed DMA restrictions (git-fixes).
media: saa7164: add ioremap return checks and cleanups (git-fixes).
media: staging: imx: configure src_mux in csi_start (git-fixes).
media: staging: imx: request mbus_config in csi_start (git-fixes).
media: uvcvideo: Enable VB2_DMABUF for metadata stream (git-fixes).
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap (git-fixes).
media: vidtv: fix nfeeds state corruption on start_streaming failure (git-fixes).
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections (git-fixes).
media: vidtv: fix pass-by-value structs causing MSAN warnings (git-fixes).
memory: tegra30-emc: Fix dll_change check (git-fixes).
memory: tegra124-emc: Fix dll_change check (git-fixes).
mfd: core: Preserve OF node when ACPI handle is present (git-fixes).
mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() (git-fixes).
mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused (git-fixes).
mkspec: Add signature to source list only when it exists.
mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration (git-fixes).
mmc: vub300: fix NULL-deref on disconnect (git-fixes).
modpost: Amend ppc64 save/restfpr symnames for -Os build (bsc#1215199).
mtd: docg3: fix use-after-free in docg3_release() (git-fixes).
mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions (git-fixes).
mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path (git-fixes).
mtd: physmap_of_gemini: Fix disabled pinctrl state check (git-fixes).
mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob (git-fixes).
mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations (git-fixes).
mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() (git-fixes).
mtd: spi-nor: sst: Fix write enable before AAI sequence (git-fixes).
mtd: spi-nor: swp: check SR_TB flag when getting tb_mask (git-fixes).
net-shapers: don't free reply skb after genlmsg_reply() (git-fixes).
net/mlx5: Fix HCA caps leak on notifier init failure (git-fixes).
net/rds: reset op_nents when zerocopy page pin fails (bsc#1265626).
net/sched: cls_fw: fix NULL dereference of "old" filters before change() (git-fixes).
net/sched: fix pedit partial COW leading to page cache corruption (bsc#1265421).
net: gro: don't merge zcopy skbs (git-fixes).
net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf (git-fixes).
net: mana: Add MAC address to vPort logs and clarify error messages (git-fixes).
net: mana: check xdp_rxq registration before unreg in mana_destroy_rxq() (git-fixes).
net: mana: Don't overwrite port probe error with add_adev result (git-fixes).
net: mana: Fix crash from unvalidated SHM offset read from BAR0 during FLR (bsc#1265846).
net: mana: Fix EQ leak in mana_remove on NULL port (git-fixes).
net: mana: Fix RX skb truesize accounting (bsc#1248754).
net: mana: Guard mana_remove against double invocation (git-fixes).
net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG (git-fixes).
net: mana: hardening: Validate doorbell ID from GDMA_REGISTER_DEVICE response (git-fixes).
net: mana: Init gf_stats_work before potential error paths in probe (git-fixes).
net: mana: Init link_change_work before potential error paths in probe (git-fixes).
net: mana: Move current_speed debugfs file to mana_init_port() (git-fixes).
net: mana: remove double CQ cleanup in mana_create_rxq error path (git-fixes).
net: mana: Set default number of queues to 16 (bsc#1261648).
net: mana: Skip WQ object destruction for uninitialized RXQ (git-fixes).
net: mana: Use at least SZ_4K in doorbell ID range check (git-fixes).
net: mana: Use pci_name() for debugfs directory naming (git-fixes).
net: phy: broadcom: Save PHY counters during suspend (git-fixes).
net: phy: DP83TC811: add reading of abilities (git-fixes).
net: phy: dp83869: fix setting CLK_O_SEL field (git-fixes).
net: phy: fix a return path in get_phy_c45_ids() (git-fixes).
net: phy: qcom: at803x: Use the correct bit to disable extended next page (git-fixes).
net: stmmac: Fix PTP ref clock for Tegra234 (git-fixes).
net: usb: asix: ax88772: re-add usbnet_link_change() in phylink callbacks (git-fixes).
net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() (git-fixes).
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() (git-fixes).
net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit (git-fixes).
net: wan: fsl_ucc_hdlc: fix ucc_hdlc_remove (git-fixes).
net: wan: fsl_ucc_hdlc: fix uhdlc_memclean (git-fixes).
net: wan: fsl_ucc_hdlc: free tx_skbuff in uhdlc_memclean (git-fixes).
net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler (git-fixes).
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler (git-fixes).
nfc: llcp: add missing return after LLCP_CLOSED checks (git-fixes).
nfc: pn533: allocate rx skb before consuming bytes (git-fixes).
nfc: s3fwrn5: allocate rx skb before consuming bytes (git-fixes).
NFC: trf7970a: Ignore antenna noise when checking for RF field (git-fixes).
nvme-apple: drop invalid put of admin queue reference count (git-fixes).
nvme-auth: Include SC_C in RVAL controller hash (bsc#1260428).
nvme-loop: do not cancel I/O and admin tagset during ctrl reset/shutdown (bsc#1262709).
nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 (git-fixes).
nvme: Allow reauth from sysfs (bsc#1259672).
nvme: Expose the tls_configured sysfs for secure concat connections (bsc#1259672).
nvme: expose TLS mode (bsc#1259672).
nvme: fix admin queue leak on controller reset (git-fixes).
nvme: fix PCIe subsystem reset controller state transition (bsc#1261738).
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers (git-fixes).
ocfs2: fix possible deadlock between unlink and dio_end_io_write (bsc#1258718).
ocfs2: split transactions in dio completion to avoid credit exhaustion (bsc#1258718).
openvswitch: vport: fix self-deadlock on release of tunnel ports (git-fixes).
panic/printk: replace other_cpu_in_panic() with panic_on_other_cpu() (bsc#1261149).
panic/printk: replace this_cpu_in_panic() with panic_on_this_cpu() (bsc#1261149).
panic: introduce helper functions for panic state (bsc#1261149).
panic: use angle-bracket include for panic.h (bsc#1261149).
PCI/AER: Clear only error bits in PCIe Device Status (git-fixes).
PCI/AER: Stop ruling out unbound devices as error source (git-fixes).
PCI/ASPM: Fix pci_clear_and_set_config_dword() usage (git-fixes).
PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports (git-fixes).
PCI/TPH: Allow TPH enable for RCiEPs (git-fixes).
PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well (git-fixes).
PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation (git-fixes).
PCI: Enable AtomicOps only if Root Port supports them (git-fixes).
PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown (git-fixes).
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup (git-fixes).
PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete (git-fixes).
PCI: hv: Set default NUMA node to 0 for devices without affinity info (bsc#1261648).
PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found (git-fixes).
PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support (git-fixes).
PCI: tegra194: Allow system suspend when the Endpoint link is not up (git-fixes).
PCI: tegra194: Disable direct speed change for Endpoint mode (git-fixes).
PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down (git-fixes).
PCI: tegra194: Disable PERST# IRQ only in Endpoint mode (git-fixes).
PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on (git-fixes).
PCI: tegra194: Fix polling delay for L2 state (git-fixes).
PCI: tegra194: Free up Endpoint resources during remove() (git-fixes).
PCI: tegra194: Increase LTSSM poll time on surprise link down (git-fixes).
PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode (git-fixes).
PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" (git-fixes).
PCI: tegra194: Use DWC IP core version (git-fixes).
pinctrl: abx500: Fix type of 'argument' variable (git-fixes).
pinctrl: Fix spelling problem (git-fixes).
pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer) (stable-fixes).
pinctrl: pic32: change all cases of bare 'unsigned' to 'unsigned int' (git-fixes).
pinctrl: pic32: use consistent spacing around '+' (git-fixes).
pinctrl: pinctrl-pic32: Fix resource leak (git-fixes).
pinctrl: realtek: Fix function signature for config argument (git-fixes).
pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers (git-fixes).
platform/chrome: chromeos_tbmc: Drop wakeup source on remove (git-fixes).
platform/surface: surfacepro3_button: Drop wakeup source on remove (git-fixes).
platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug (stable-fixes).
platform/x86/intel-uncore-freq: Handle autonomous UFS status bit (git-fixes).
platform/x86: asus-wmi: adjust screenpad power/brightness handling (git-fixes).
platform/x86: asus-wmi: fix screenpad brightness range (git-fixes).
platform/x86: dell-wmi-sysman: bound enumeration string aggregation (git-fixes).
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() (git-fixes).
platform/x86: hp-wmi: Ignore backlight and FnLock events (stable-fixes).
platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup (git-fixes).
power: supply: axp288_charger: Do not cancel work before initializing it (git-fixes).
power: supply: max17042: avoid overflow when determining health (git-fixes).
powerpc/crash: fix backup region offset update to elfcorehdr (bsc#1259535).
powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug (bsc#1259535).
printk/nbcon/panic: Allow printk kthread to sleep when the system is in panic (bsc#1261149).
printk/nbcon: Block printk kthreads when any CPU is in an emergency context (bsc#1261149).
printk/nbcon: Release nbcon consoles ownership in atomic flush after each emitted record (bsc#1261149).
printk/nbcon: Restore IRQ in atomic flush after each emitted record (bsc#1261149).
printk/nbcon: use panic_on_this_cpu() helper (bsc#1261149).
printk: Allow printk_trigger_flush() to flush all types (bsc#1262750).
printk: Allow to use the printk kthread immediately even for 1st nbcon (jsc#PED-7912).
printk: Avoid irq_work for printk_deferred() on suspend (bsc#1262750).
printk: Avoid scheduling irq_work on suspend (bsc#1262750).
printk: console_flush_one_record() code cleanup (bsc#1261149).
printk: Introduce console_flush_one_record (bsc#1261149).
printk: Use console_flush_one_record for legacy printer kthread (bsc#1261149).
pwm: imx-tpm: Count the number of enabled channels in probe (git-fixes).
qat: don't mess with ->d_name (jsc#PED-14238).
r8152: fix incorrect register write to USB_UPHY_XTAL (git-fixes).
RDMA/irdma: Fix double free related to rereg_user_mr (git-fixes).
RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() (git-fixes).
RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() (git-fixes).
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() (git-fixes).
RDMA/mana: Validate rx_hash_key_len (git-fixes).
RDMA/mana_ib: cleanup the usage of mana_gd_send_request() (git-fixes).
RDMA/mana_ib: Disable RX steering on RSS QP destroy (git-fixes).
RDMA/mana_ib: Support memory windows (git-fixes).
regulator: act8945a: fix OF node reference imbalance (git-fixes).
regulator: bd9571mwv: fix OF node reference imbalance (git-fixes).
regulator: max77650: fix OF node reference imbalance (git-fixes).
regulator: mt6357: fix OF node reference imbalance (git-fixes).
regulator: rk808: fix OF node reference imbalance (git-fixes).
remoteproc: xlnx: Fix sram property parsing (git-fixes).
remoteproc: xlnx: Only access buffer information if IPI is buffered (git-fixes).
Revert "ALSA: usb: Increase volume range that triggers a warning" (git-fixes).
Revert "serial: 8250: Revert "drop lockdep annotation from serial8250_clear_IER()"" (bsc#1262480).
Revert "serial: 8250: Switch to nbcon console" (bsc#1262480).
rtc: abx80x: Disable alarm feature if no interrupt attached (git-fixes).
rtc: ntxec: fix OF node reference imbalance (git-fixes).
s390/dasd: Copy detected format information to secondary device (bsc#1259994).
s390/dasd: Fix gendisk parent after copy pair swap (bsc#1259994).
s390/dasd: Move quiesce state with pprc swap (bsc#1259994).
sched/fair: Change likelyhood of nohz.nr_cpus (bsc#1234634 bsc#1258961).
sched/fair: Move checking for nohz cpus after time check (bsc#1234634 bsc#1258961).
sched/fair: Remove nohz.nr_cpus and use weight of cpumask instead (bsc#1234634 bsc#1258961).
scsi: lpfc: Add clean up of aborted NVMe commands during PCI fcn reset (bsc#1262019).
scsi: lpfc: Add log messages to fabric login error labels (bsc#1262019).
scsi: lpfc: Add PCI ID support for LPe42100 series adapters (bsc#1262019).
scsi: lpfc: Add REG_VFI mailbox cmd error handling (bsc#1262019).
scsi: lpfc: Break out of IRQ affinity assignment when mask reaches nr_cpu_ids (bsc#1262019).
scsi: lpfc: Check ASIC_ID register to aid diagnostics during failed fw updates (bsc#1262019).
scsi: lpfc: Cleanup error exit paths in lpfc_fdmi_cmd() and associated messages (bsc#1262019).
scsi: lpfc: ELIMINATE kernel-doc warnings in lpfc.h (bsc#1262019).
scsi: lpfc: Fix incorrect txcmplq_cnt during cleanup in lpfc_sli_abort_ring() (bsc#1262019).
scsi: lpfc: Introduce 128G link speed selection and support (bsc#1262019).
scsi: lpfc: Log discarded and insufficient RQE buffer events (bsc#1262019).
scsi: lpfc: Log MCQE contents for mbox commands with no context (bsc#1262019).
scsi: lpfc: Properly set WC for DPP mapping (bsc#1262019).
scsi: lpfc: Reduce pointer chasing when accessing vmid_flag (bsc#1262019).
scsi: lpfc: Remove deprecated PBDE feature (bsc#1262019).
scsi: lpfc: Remove unnecessary ndlp kref get in lpfc_check_nlp_post_devloss (bsc#1262019).
scsi: lpfc: Restrict first burst to non-FCoE and SLI4 adapters only (bsc#1262019).
scsi: lpfc: Select mailbox rq_create cmd version based on SLI4 if_type (bsc#1262019).
scsi: lpfc: Update class of service bit field to 3 bits for WQE submissions (bsc#1262019).
scsi: lpfc: Update construction of SGL when XPSGL is enabled (bsc#1262019).
scsi: lpfc: Update copyright year string for 2026 (bsc#1262019).
scsi: lpfc: Update log message when ndlp kref get is unsuccessful (bsc#1262019).
scsi: lpfc: Update lpfc version to 14.4.0.14 (bsc#1262019).
scsi: lpfc: Update lpfc version to 15.0.0.0 (bsc#1262019).
scsi: lpfc: Update outdated comment for renamed lpfc_freenode() (bsc#1262019).
scsi: lpfc: Use min_t() instead of min() in lpfc_sli4_driver_resource_setup (bsc#1262019).
scsi: lpfc: Use the crc32c() function (bsc#1262019).
scsi: mpi3mr: Add NULL checks when resetting request and reply queues (git-fixes).
scsi: ses: Fix devices attaching to different hosts (git-fixes).
scsi: storvsc: Handle PERSISTENT_RESERVE_IN truncation for Hyper-V vFC (git-fixes).
scsi: target: iscsi: validate CHAP_R length before base64 decode (bsc#1265449).
scsi: ufs: ufs-pci: Add support for Intel Wildcat Lake (jsc#PED-13771).
selftests/bpf: Test cross-sign 64bits range refinement (git-fixes).
selftests/bpf: Test invariants on JSLT crossing sign (git-fixes).
selftests/bpf: test refining u32/s32 bounds when ranges cross min/max boundary (git-fixes).
selftests: net: build net/lib dependency in all target (bsc#1262245).
selinux: don't reserve xattr slot when we won't fill it (stable-fixes).
selinux: prune /sys/fs/selinux/disable (stable-fixes).
selinux: shrink critical section in sel_write_load() (stable-fixes).
serial: 8250: Add serial8250_handle_irq_locked() (bsc#1262480).
serial: 8250: Protect LCR write in shutdown (bsc#1262480).
serial: 8250_dw: Avoid unnecessary LCR writes (bsc#1262480).
serial: 8250_dw: Ensure BUSY is deasserted (bsc#1262480).
serial: 8250_dw: Rework dw8250_handle_irq() locking and IIR handling (bsc#1262480).
serial: 8250_dw: Rework IIR_NO_INT handling to stop interrupt storm (bsc#1262480).
Set CONFIG_INTEL_TSX_MODE to follow upstream AUTO default (bsc#1263044).
soc/tegra: cbb: Set ERD on resume for err interrupt (git-fixes).
soc: qcom: aoss: compare against normalized cooling state (git-fixes).
soc: qcom: llcc: fix v1 SB syndrome register offset (git-fixes).
soc: qcom: ocmem: make the core clock optional (git-fixes).
soc: qcom: ocmem: register reasons for probe deferrals (git-fixes).
soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available (git-fixes).
sound: ua101: fix division by zero at probe (git-fixes).
soundwire: bus: demote UNATTACHED state warnings to dev_dbg() (git-fixes).
soundwire: cadence: Clear message complete before signaling waiting thread (git-fixes).
soundwire: debugfs: initialize firmware_file to empty string (git-fixes).
spi: aspeed-smc: fix controller deregistration (git-fixes).
spi: at91-usart: fix controller deregistration (git-fixes).
spi: atmel: fix controller deregistration (git-fixes).
spi: bcm63xx: fix controller deregistration (git-fixes).
spi: bcmbca-hsspi: fix controller deregistration (git-fixes).
spi: cadence: fix controller deregistration (git-fixes).
spi: cadence: fix unclocked access on unbind (git-fixes).
spi: ch341: fix memory leaks on probe failures (git-fixes).
spi: coldfire-qspi: fix controller deregistration (git-fixes).
spi: dln2: fix controller deregistration (git-fixes).
spi: fix controller cleanup() documentation (git-fixes).
spi: fix misleading controller deregistration kernel-doc (git-fixes).
spi: fix misleading controller registration kernel-doc (git-fixes).
spi: fsl-espi: fix controller deregistration (git-fixes).
spi: fsl-qspi: Use reinit_completion() for repeated operations (git-fixes).
spi: fsl: fix controller deregistration (git-fixes).
spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo (git-fixes).
spi: img-spfi: fix controller deregistration (git-fixes).
spi: imx: fix runtime pm leak on probe deferral (git-fixes).
spi: imx: fix use-after-free on unbind (git-fixes).
spi: lantiq-ssc: fix controller deregistration (git-fixes).
spi: meson-spicc: fix controller deregistration (git-fixes).
spi: microchip-core-qspi: fix controller deregistration (git-fixes).
spi: mpc52xx: fix controller deregistration (git-fixes).
spi: mpc52xx: fix use-after-free on registration failure (git-fixes).
spi: mpc52xx: fix use-after-free on unbind (git-fixes).
spi: mtk-nor: fix controller deregistration (git-fixes).
spi: mtk-snfi: fix memory leak in probe (git-fixes).
spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback (git-fixes).
spi: mxic: fix controller deregistration (git-fixes).
spi: mxs: fix controller deregistration (git-fixes).
spi: npcm-pspi: fix controller deregistration (git-fixes).
spi: omap2-mcspi: fix controller deregistration (git-fixes).
spi: orion: fix clock imbalance on registration failure (git-fixes).
spi: orion: fix controller deregistration (git-fixes).
spi: orion: fix runtime pm leak on unbind (git-fixes).
spi: pic32-sqi: fix controller deregistration (git-fixes).
spi: pic32: fix controller deregistration (git-fixes).
spi: pl022: fix controller deregistration (git-fixes).
spi: qup: fix controller deregistration (git-fixes).
spi: rockchip: fix controller deregistration (git-fixes).
spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ (git-fixes).
spi: rspi: fix controller deregistration (git-fixes).
spi: s3c64xx: fix controller deregistration (git-fixes).
spi: s3c64xx: fix NULL-deref on driver unbind (git-fixes).
spi: sh-hspi: fix controller deregistration (git-fixes).
spi: sprd: fix controller deregistration (git-fixes).
spi: st-ssc4: fix controller deregistration (git-fixes).
spi: sun4i: fix controller deregistration (git-fixes).
spi: sun6i: fix controller deregistration (git-fixes).
spi: syncuacer: fix controller deregistration (git-fixes).
spi: ti-qspi: fix controller deregistration (git-fixes).
spi: topcliff-pch: fix controller deregistration (git-fixes).
spi: topcliff-pch: fix use-after-free on unbind (git-fixes).
spi: uniphier: fix controller deregistration (git-fixes).
spi: uniphier: Simplify clock handling with devm_clk_get_enabled() (stable-fixes).
spi: zynq-qspi: fix controller deregistration (git-fixes).
spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() (stable-fixes).
spi: zynqmp-gqspi: fix controller deregistration (git-fixes).
staging: media: atomisp: Disallow all private IOCTLs (git-fixes).
staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() (git-fixes).
staging: sm750fb: fix division by zero in ps_to_hz() (git-fixes).
staging: vme_user: fix root device leak on init failure (git-fixes).
tg3: replace placeholder MAC address with device property (git-fixes).
thermal/drivers/spear: Fix error condition for reading st,thermal-flags (git-fixes).
thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp (git-fixes).
thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata (git-fixes).
tools/power/turbostat: Fix microcode patch level output for AMD/Hygon (git-fixes).
tools: hv: Fix cross-compilation (git-fixes).
tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() (git-fixes).
tpm: avoid -Wunused-but-set-variable (git-fixes).
tpm: Fix auth session leak in tpm2_get_random() error path (git-fixes).
tpm: tpm_tis: add error logging for data transfer (git-fixes).
tpm: tpm_tis: stop transmit if retries are exhausted (git-fixes).
tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() (git-fixes).
tty: serial: ip22zilog: Fix section mispatch warning (git-fixes).
udp: Force compute_score to always inline (bsc#1241259).
unshare: fix unshare_fs() handling (git-fixes).
USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen (git-fixes).
usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change (git-fixes).
usb: chipidea: otg: not wait vbus drop if use role_switch (git-fixes).
USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam (stable-fixes).
usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer (stable-fixes).
usb: gadget: f_hid: Add missing error code (git-fixes).
usb: gadget: f_hid: don't call cdev_init while cdev in use (git-fixes).
usb: gadget: f_hid: move list and spinlock inits from bind to alloc (stable-fixes).
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() (git-fixes).
usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() (git-fixes).
usb: gadget: f_uac1_legacy: validate control request size (stable-fixes).
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers (git-fixes).
usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo (git-fixes).
USB: omap_udc: DMA: Don't enable burst 4 mode (git-fixes).
usb: port: add delay after usb_hub_set_port_power() (git-fixes).
usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive (stable-fixes).
USB: serial: io_edgeport: add support for Blackbox IC135A (stable-fixes).
USB: serial: option: add MeiG Smart SRM825WN (stable-fixes).
USB: serial: option: add support for Rolling Wireless RW135R-GL (stable-fixes).
USB: serial: option: add Telit Cinterion FN990A MBIM composition (git-fixes).
USB: serial: option: add Telit Cinterion LE910Cx compositions (stable-fixes).
usb: storage: Expand range of matched versions for VL817 quirks entry (git-fixes).
usb: typec: tcpm: reset internal port states on soft reset AMS (git-fixes).
usb: ulpi: fix memory leak on ulpi_register() error paths (git-fixes).
usb: usblp: fix heap leak in IEEE 1284 device ID via short response (stable-fixes).
usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (stable-fixes).
usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() (git-fixes).
usbip: validate number_of_packets in usbip_pack_ret_submit() (git-fixes).
vfio/pci: Lock upstream bridge for vfio_pci_core_disable() (git-fixes).
vfio/pds: Fix memory leak in pds_vfio_dirty_enable() (git-fixes).
vfio/pds: Fix missing detach_ioas op (git-fixes).
vfio/pds: replace bitmap_free with vfree (git-fixes).
vfio/type1: Fix error unwind in migration dirty bitmap allocation (git-fixes).
vfio: Fix unbalanced vfio_df_close call in no-iommu mode (git-fixes).
vfio: Prevent open_count decrement to negative (git-fixes).
virt: arm-cca-guest: fix error check for RSI_INCOMPLETE (git-fixes).
virt: sev-guest: Do not use host-controlled page order in cleanup path (git-fixes).
virt: tdx-guest: Fix handling of host controlled 'quote' buffer length (git-fixes).
virt: tdx-guest: Return error for GetQuote failures (git-fixes).
wifi: ath5k: do not access array OOB (git-fixes).
wifi: ath9k: Fix typo (git-fixes).
wifi: ath10k: fix station lookup failure during disconnect (git-fixes).
wifi: ath11k: fix memory leaks in beacon template setup (git-fixes).
wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions (git-fixes).
wifi: ath12k: use lockdep_assert_in_rcu_read_lock() for RCU assertions (git-fixes).
wifi: b43: enforce bounds check on firmware key index in b43_rx() (git-fixes).
wifi: b43legacy: enforce bounds check on firmware key index in RX path (git-fixes).
wifi: brcmfmac: Fix error pointer dereference (git-fixes).
wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (git-fixes).
wifi: brcmfmac: validate bsscfg indices in IF events (stable-fixes).
wifi: brcmsmac: Fix dma_free_coherent() size (git-fixes).
wifi: cw1200: Revert "Fix locking in error paths" (git-fixes).
wifi: libertas: notify firmware load wait on disconnect (git-fixes).
wifi: mac80211: check ieee80211_rx_data_set_link return in pubsta MLO path (git-fixes).
wifi: mac80211: check tdls flag in ieee80211_tdls_oper (stable-fixes).
wifi: mac80211: drop stray 'static' from fast-RX rx_result (git-fixes).
wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() (git-fixes).
wifi: mac80211: remove station if connection prep fails (git-fixes).
wifi: mac80211: use safe list iteration in radar detect work (git-fixes).
wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req() (git-fixes).
wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor (stable-fixes).
wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling (git-fixes).
wifi: mt76: mt7615: fix use_cts_prot support (git-fixes).
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() (git-fixes).
wifi: mt76: mt7915: fix use_cts_prot support (git-fixes).
wifi: mt76: mt7921: fix 6GHz regulatory update on connection (git-fixes).
wifi: mt76: mt7921: fix a potential clc buffer length underflow (git-fixes).
wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work (git-fixes).
wifi: mt76: mt7921: Place upper limit on station AID (git-fixes).
wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() (git-fixes).
wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr (git-fixes).
wifi: mt76: mt7925: fix incorrect length field in txpower command (git-fixes).
wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control (git-fixes).
wifi: mt76: mt7925: fix incorrect TLV length in CLC command (git-fixes).
wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() (git-fixes).
wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi (git-fixes).
wifi: mt76: mt7996: fix FCS error flag check in RX descriptor (git-fixes).
wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event (git-fixes).
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() (git-fixes).
wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() (git-fixes).
wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage (git-fixes).
wifi: nl80211: require admin perm on SET_PMK / DEL_PMK (git-fixes).
wifi: rsi: fix kthread lifetime race between self-exit and external-stop (git-fixes).
wifi: rt2x00usb: fix devres lifetime (git-fixes).
wifi: rtl8xxxu: fix potential use of uninitialized value (git-fixes).
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet (git-fixes).
wifi: rtw88: Add additional USB IDs for RTL8812BU (bsc#1263135).
wifi: rtw88: Add BUFFALO WI-U3-866DHP to the USB ID list (bsc#1263135).
wifi: rtw88: Add support for Mercusys MA30N and D-Link DWA-T185 rev. A1 (bsc#1263135).
wifi: rtw88: check for PCI upstream bridge existence (git-fixes).
wifi: rtw88: fix device leak on probe failure (git-fixes).
wifi: rtw88: rtw8822bu VID/PID for BUFFALO WI-U2-866DM (bsc#1263135).
wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() (git-fixes).
wifi: wl1251: validate packet IDs before indexing tx_frames (stable-fixes).
x86/acpi/boot: Correct acpi_is_processor_usable() check again (git-fixes).
x86/boot/sev: Avoid shared GHCB page for early memory acceptance (git-fixes).
x86/boot/sev: Support memory acceptance in the EFI stub under SVSM (git-fixes).
x86/boot: Fix page table access in 5-level to 4-level paging transition (git-fixes).
x86/CPU/AMD: Add X86_FEATURE_ZEN6 (bsc#1263255).
x86/cpufeatures: Free up unused feature bits (bsc#1263255).
x86/fred: Fix early boot failures on SEV-ES/SNP guests (git-fixes).
x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() (git-fixes).
x86/sev: Add missing RIP_REL_REF() invocations during sme_enable() (git-fixes).
x86/sev: Do not touch VMSA pages during SNP guest memory kdump (git-fixes).
x86/sev: Ensure SVSM reserved fields in a page validation entry are initialized to zero (git-fixes).
x86/sev: Fix operator precedence in GHCB_MSR_VMPL_REQ_LEVEL macro (git-fixes).
x86/sev: Improve handling of writes to intercepted TSC MSRs (git-fixes).
x86/sev: Make sure pages are not skipped during kdump (git-fixes).
x86/tsx: Get the tsx= command line parameter with early_param() (bsc#1250951 bsc#1263044).
x86/tsx: Make tsx_ctrl_state static (bsc#1250951 bsc#1263044).
x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware hypervisors (git-fixes).
X.509: Fix out-of-bounds access when parsing extensions (git-fixes).
Xarray: do not return sibling entries from xas_find_marked() (bsc#1263815).

Список пакетов

openSUSE Leap 16.0

cluster-md-kmp-64kb-6.12.0-160000.33.1

cluster-md-kmp-azure-6.12.0-160000.33.1

cluster-md-kmp-default-6.12.0-160000.33.1

cluster-md-kmp-rt-6.12.0-160000.33.1

dlm-kmp-64kb-6.12.0-160000.33.1

dlm-kmp-azure-6.12.0-160000.33.1

dlm-kmp-default-6.12.0-160000.33.1

dlm-kmp-rt-6.12.0-160000.33.1

dtb-allwinner-6.12.0-160000.33.1

dtb-altera-6.12.0-160000.33.1

dtb-amazon-6.12.0-160000.33.1

dtb-amd-6.12.0-160000.33.1

dtb-amlogic-6.12.0-160000.33.1

dtb-apm-6.12.0-160000.33.1

dtb-apple-6.12.0-160000.33.1

dtb-arm-6.12.0-160000.33.1

dtb-broadcom-6.12.0-160000.33.1

dtb-cavium-6.12.0-160000.33.1

dtb-exynos-6.12.0-160000.33.1

dtb-freescale-6.12.0-160000.33.1

dtb-hisilicon-6.12.0-160000.33.1

dtb-lg-6.12.0-160000.33.1

dtb-marvell-6.12.0-160000.33.1

dtb-mediatek-6.12.0-160000.33.1

dtb-nvidia-6.12.0-160000.33.1

dtb-qcom-6.12.0-160000.33.1

dtb-renesas-6.12.0-160000.33.1

dtb-rockchip-6.12.0-160000.33.1

dtb-socionext-6.12.0-160000.33.1

dtb-sprd-6.12.0-160000.33.1

dtb-xilinx-6.12.0-160000.33.1

gfs2-kmp-64kb-6.12.0-160000.33.1

gfs2-kmp-azure-6.12.0-160000.33.1

gfs2-kmp-default-6.12.0-160000.33.1

gfs2-kmp-rt-6.12.0-160000.33.1

kernel-64kb-6.12.0-160000.33.1

kernel-64kb-devel-6.12.0-160000.33.1

kernel-64kb-extra-6.12.0-160000.33.1

kernel-64kb-optional-6.12.0-160000.33.1

kernel-azure-6.12.0-160000.33.1

kernel-azure-devel-6.12.0-160000.33.1

kernel-azure-extra-6.12.0-160000.33.1

kernel-azure-optional-6.12.0-160000.33.1

kernel-azure-vdso-6.12.0-160000.33.1

kernel-default-6.12.0-160000.33.1

kernel-default-base-6.12.0-160000.33.1.160000.2.14

kernel-default-devel-6.12.0-160000.33.1

kernel-default-extra-6.12.0-160000.33.1

kernel-default-optional-6.12.0-160000.33.1

kernel-default-vdso-6.12.0-160000.33.1

kernel-devel-6.12.0-160000.33.1

kernel-docs-6.12.0-160000.33.1

kernel-docs-html-6.12.0-160000.33.1

kernel-kvmsmall-6.12.0-160000.33.1

kernel-kvmsmall-devel-6.12.0-160000.33.1

kernel-kvmsmall-vdso-6.12.0-160000.33.1

kernel-macros-6.12.0-160000.33.1

kernel-obs-build-6.12.0-160000.33.1

kernel-obs-qa-6.12.0-160000.33.1

kernel-rt-6.12.0-160000.33.1

kernel-rt-devel-6.12.0-160000.33.1

kernel-rt-extra-6.12.0-160000.33.1

kernel-rt-optional-6.12.0-160000.33.1

kernel-rt-vdso-6.12.0-160000.33.1

kernel-source-6.12.0-160000.33.1

kernel-source-vanilla-6.12.0-160000.33.1

kernel-syms-6.12.0-160000.33.1

kernel-zfcpdump-6.12.0-160000.33.1

kselftests-kmp-64kb-6.12.0-160000.33.1

kselftests-kmp-azure-6.12.0-160000.33.1

kselftests-kmp-default-6.12.0-160000.33.1

kselftests-kmp-rt-6.12.0-160000.33.1

ocfs2-kmp-64kb-6.12.0-160000.33.1

ocfs2-kmp-azure-6.12.0-160000.33.1

ocfs2-kmp-default-6.12.0-160000.33.1

ocfs2-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1215199
SUSE Bug 1215199
https://bugzilla.suse.com/1234634
SUSE Bug 1234634
https://bugzilla.suse.com/1241259
SUSE Bug 1241259
https://bugzilla.suse.com/1243603
SUSE Bug 1243603
https://bugzilla.suse.com/1248754
SUSE Bug 1248754
https://bugzilla.suse.com/1249104
SUSE Bug 1249104
https://bugzilla.suse.com/1250951
SUSE Bug 1250951
https://bugzilla.suse.com/1253471
SUSE Bug 1253471
https://bugzilla.suse.com/1254518
SUSE Bug 1254518
https://bugzilla.suse.com/1255160
SUSE Bug 1255160
https://bugzilla.suse.com/1255360
SUSE Bug 1255360
https://bugzilla.suse.com/1255459
SUSE Bug 1255459
https://bugzilla.suse.com/1255752
SUSE Bug 1255752
https://bugzilla.suse.com/1256288
SUSE Bug 1256288
https://bugzilla.suse.com/1256865
SUSE Bug 1256865
https://bugzilla.suse.com/1256867
SUSE Bug 1256867
https://bugzilla.suse.com/1258518
SUSE Bug 1258518
https://bugzilla.suse.com/1258718
SUSE Bug 1258718
https://bugzilla.suse.com/1258826
SUSE Bug 1258826

Описание

A vulnerability was found in EyouCms up to 1.6.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /yxcms/index.php?r=admin/extendfield/mesedit&tabid=12&id=4 of the component HTTP POST Request Handler. The manipulation of the argument web_ico leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225943.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-2058.html
CVE-2023-2058

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-14027.html
CVE-2024-14027
https://bugzilla.suse.com/1259420
SUSE Bug 1259420

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP When running as an SNP or TDX guest under KVM, force the legacy PCI hole, i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC via a forced variable MTRR range. In most KVM-based setups, legacy devices such as the HPET and TPM are enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and optionally a SystemMemory descriptor for an OperationRegion, e.g. if the device needs to be accessed via a Control Method. If a SystemMemory entry is present, then the kernel's ACPI driver will auto-ioremap the region so that it can be accessed at will. However, the ACPI spec doesn't provide a way to enumerate the memory type of SystemMemory regions, i.e. there's no way to tell software that a region must be mapped as UC vs. WB, etc. As a result, Linux's ACPI driver always maps SystemMemory regions using ioremap_cache(), i.e. as WB on x86. The dedicated device drivers however, e.g. the HPET driver and TPM driver, want to map their associated memory as UC or WC, as accessing PCI devices using WB is unsupported. On bare metal and non-CoCO, the conflicting requirements "work" as firmware configures the PCI hole (and other device memory) to be UC in the MTRRs. So even though the ACPI mappings request WB, they are forced to UC- in the kernel's tracking due to the kernel properly handling the MTRR overrides, and thus are compatible with the drivers' requested WC/UC-. With force WB MTRRs on SNP and TDX guests, the ACPI mappings get their requested WB if the ACPI mappings are established before the dedicated driver code attempts to initialize the device. E.g. if acpi_init() runs before the corresponding device driver is probed, ACPI's WB mapping will "win", and result in the driver's ioremap() failing because the existing WB mapping isn't compatible with the requested WC/UC-. E.g. when a TPM is emulated by the hypervisor (ignoring the security implications of relying on what is allegedly an untrusted entity to store measurements), the TPM driver will request UC and fail: [ 1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0 [ 1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12 Note, the '0x2' and '0x0' values refer to "enum page_cache_mode", not x86's memtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC). E.g. tracing mapping requests for TPM TIS yields: Mapping TPM TIS with req_type = 0 WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460 Modules linked in: CPU: 22 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc7+ #2 VOLUNTARY Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025 RIP: 0010:memtype_reserve+0x2ab/0x460 __ioremap_caller+0x16d/0x3d0 ioremap_cache+0x17/0x30 x86_acpi_os_ioremap+0xe/0x20 acpi_os_map_iomem+0x1f3/0x240 acpi_os_map_memory+0xe/0x20 acpi_ex_system_memory_space_handler+0x273/0x440 acpi_ev_address_space_dispatch+0x176/0x4c0 acpi_ex_access_region+0x2ad/0x530 acpi_ex_field_datum_io+0xa2/0x4f0 acpi_ex_extract_from_field+0x296/0x3e0 acpi_ex_read_data_from_field+0xd1/0x460 acpi_ex_resolve_node_to_value+0x2ee/0x530 acpi_ex_resolve_to_value+0x1f2/0x540 acpi_ds_evaluate_name_path+0x11b/0x190 acpi_ds_exec_end_op+0x456/0x960 acpi_ps_parse_loop+0x27a/0xa50 acpi_ps_parse_aml+0x226/0x600 acpi_ps_execute_method+0x172/0x3e0 acpi_ns_evaluate+0x175/0x5f0 acpi_evaluate_object+0x213/0x490 acpi_evaluate_integer+0x6d/0x140 acpi_bus_get_status+0x93/0x150 acpi_add_single_object+0x43a/0x7c0 acpi_bus_check_add+0x149/0x3a0 acpi_bus_check_add_1+0x16/0x30 acpi_ns_walk_namespace+0x22c/0x360 acpi_walk_namespace+0x15c/0x170 acpi_bus_scan+0x1dd/0x200 acpi_scan_init+0xe5/0x2b0 acpi_init+0x264/0x5b0 do_one_i ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-40181.html
CVE-2025-40181
https://bugzilla.suse.com/1253471
SUSE Bug 1253471

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_del_vfs() and concurrent hot unplug by taking the PCI rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock was also taken in sriov_add_vfs() to protect addition of VFs. This approach however causes deadlock on trying to remove PFs with SR-IOV enabled because PFs disable SR-IOV during removal and this removal happens under the PCI rescan/remove lock. So the original fix had to be reverted. Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs hotplug higher up in the callchain by taking the lock in sriov_numvfs_store() before calling into the driver's sriov_configure() callback.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-40219.html
CVE-2025-40219
https://bugzilla.suse.com/1254518
SUSE Bug 1254518

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one is can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: <TASK> dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60 </TASK>

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-68265.html
CVE-2025-68265
https://bugzilla.suse.com/1255360
SUSE Bug 1255360

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do. During error recovery testing a pair of tasks was reported to be hung: mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000 Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 [<0000000652513212>] devlink_health_report+0x19a/0x230 [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core] No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too: - task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock() - task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock. A similar deadlock situation can be reproduced by requesting a crdump with > devlink health dump show pci/<BDF> reporter fw_fatal while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw <BDF> Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with "kernel answers: Permission denied" - and we get a kernel log message of: mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5 because the config read of VSC_SEMAPHORE is rejected by the underlying hardware. Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-68310.html
CVE-2025-68310
https://bugzilla.suse.com/1255160
SUSE Bug 1255160

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases. However a few invoke it for failure case as well leading to a double free. Validate before calling bsg_done().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-71238.html
CVE-2025-71238
https://bugzilla.suse.com/1259186
SUSE Bug 1259186

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix reservation leak in some error paths when inserting inline extent If we fail to allocate a path or join a transaction, we return from __cow_file_range_inline() without freeing the reserved qgroup data, resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() in such cases.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-71268.html
CVE-2025-71268
https://bugzilla.suse.com/1259865
SUSE Bug 1259865

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC If we fail to create an inline extent due to -ENOSPC, we will attempt to go through the normal COW path, reserve an extent, create an ordered extent, etc. However we were always freeing the reserved qgroup data, which is wrong since we will use data. Fix this by freeing the reserved qgroup data in __cow_file_range_inline() only if we are not doing the fallback (ret is <= 0).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-71269.html
CVE-2025-71269
https://bugzilla.suse.com/1259889
SUSE Bug 1259889

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: fix for dma-fence safe access rules Commit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and document the rules") details the dma-fence safe access rules. The most common culprit is that drm_sched_fence_get_timeline_name may race with group_free_queue.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-71302.html
CVE-2025-71302
https://bugzilla.suse.com/1264837
SUSE Bug 1264837
https://bugzilla.suse.com/1264838
SUSE Bug 1264838

Описание

In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_new_period() hardirq safe Bernd has reported a lockdep splat from flexible proportions code that is essentially complaining about the following race: <timer fires> run_timer_softirq - we are in softirq context call_timer_fn writeout_period fprop_new_period write_seqcount_begin(&p->sequence); <hardirq is raised> ... blk_mq_end_request() blk_update_request() ext4_end_bio() folio_end_writeback() __wb_writeout_add() __fprop_add_percpu_max() if (unlikely(max_frac < FPROP_FRAC_BASE)) { fprop_fraction_percpu() seq = read_seqcount_begin(&p->sequence); - sees odd sequence so loops indefinitely Note that a deadlock like this is only possible if the bdi has configured maximum fraction of writeout throughput which is very rare in general but frequent for example for FUSE bdis. To fix this problem we have to make sure write section of the sequence counter is irqsafe.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23168.html
CVE-2026-23168
https://bugzilla.suse.com/1258826
SUSE Bug 1258826

Описание

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: <quote valis> The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, &params, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). </quote valis> With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever "goto destroy_macvlan_port;" path is taken. Many thanks to valis for following up on this issue.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23209.html
CVE-2026-23209
https://bugzilla.suse.com/1258518
SUSE Bug 1258518
https://bugzilla.suse.com/1258784
SUSE Bug 1258784

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23236.html
CVE-2026-23236
https://bugzilla.suse.com/1259199
SUSE Bug 1259199
https://bugzilla.suse.com/1259200
SUSE Bug 1259200

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev) call in in cmpc_accel_sensitivity_store_v4() returns NULL which leads to a NULL pointer dereference going forward. Moreover, sysfs attributes using the input device are added before initializing that device by cmpc_add_acpi_notify_device() and if one of them is accessed before running that function, a NULL pointer dereference will occur. For example, cmpc_accel_sensitivity_attr_v4 is added before calling cmpc_add_acpi_notify_device() and if it is read prematurely, the dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4() returns NULL which leads to a NULL pointer dereference going forward. Fix this by adding NULL pointer checks in all of the relevant places.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23237.html
CVE-2026-23237
https://bugzilla.suse.com/1259222
SUSE Bug 1259222

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23245.html
CVE-2026-23245
https://bugzilla.suse.com/1259799
SUSE Bug 1259799

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23246.html
CVE-2026-23246
https://bugzilla.suse.com/1259806
SUSE Bug 1259806

Описание

In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}. The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions. Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23253.html
CVE-2026-23253
https://bugzilla.suse.com/1259878
SUSE Bug 1259878

Описание

In the Linux kernel, the following vulnerability has been resolved: regmap: maple: free entry on mas_store_gfp() failure regcache_maple_write() allocates a new block ('entry') to merge adjacent ranges and then stores it with mas_store_gfp(). When mas_store_gfp() fails, the new 'entry' remains allocated and is never freed, leaking memory. Free 'entry' on the failure path; on success continue freeing the replaced neighbor blocks ('lower', 'upper').

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23260.html
CVE-2026-23260
https://bugzilla.suse.com/1259873
SUSE Bug 1259873

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-fc: release admin tagset if init fails nvme_fabrics creates an NVMe/FC controller in following path: nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl() nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc. Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call nvme_remove_admin_tag_set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23261.html
CVE-2026-23261
https://bugzilla.suse.com/1259871
SUSE Bug 1259871

Описание

In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" This reverts commit 7294863a6f01248d72b61d38478978d638641bee. This commit was erroneously applied again after commit 0ab5d711ec74 ("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device") removed it, leading to very hard to debug crashes, when used with a system with two AMD GPUs of which only one supports ASPM. (cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23264.html
CVE-2026-23264
https://bugzilla.suse.com/1259869
SUSE Bug 1259869

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23266.html
CVE-2026-23266
https://bugzilla.suse.com/1259868
SUSE Bug 1259868

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23268.html
CVE-2026-23268
https://bugzilla.suse.com/1258850
SUSE Bug 1258850
https://bugzilla.suse.com/1259859
SUSE Bug 1259859

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ... Reject policies with out-of-bounds start states during unpacking to prevent the issue.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23269.html
CVE-2026-23269
https://bugzilla.suse.com/1259857
SUSE Bug 1259857

Описание

In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23271.html
CVE-2026-23271
https://bugzilla.suse.com/1260018
SUSE Bug 1260018

Описание

In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the race window, valis repro was: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source (ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument BUG: KASAN: slab-use-after-free in macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175 CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasan_report (mm/kasan/report.c:597) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? tasklet_init (kernel/softirq.c:983) macvlan_handle_frame (drivers/net/macvlan.c:501) Allocated by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) alloc_netdev_mqs (net/core/dev.c:12012) rtnl_create_link (net/core/rtnetlink.c:3648) rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Freed by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_free_info (mm/kasan/generic.c:587) __kasan_slab_free (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23273.html
CVE-2026-23273
https://bugzilla.suse.com/1260010
SUSE Bug 1260010

Описание

In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. Add recursion detection using dev_xmit_recursion helpers directly in iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). Move dev_xmit_recursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: <TASK> __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread </TASK>

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23276.html
CVE-2026-23276
https://bugzilla.suse.com/1260012
SUSE Bug 1260012

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference. A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required. Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000 Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code. The bug has been present since v3.13 (released 2014-01-19).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23279.html
CVE-2026-23279
https://bugzilla.suse.com/1260468
SUSE Bug 1260468

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23290.html
CVE-2026-23290
https://bugzilla.suse.com/1260533
SUSE Bug 1260533

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe callback. Fix this up by properly dropping the reference after we are done with it.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23291.html
CVE-2026-23291
https://bugzilla.suse.com/1260483
SUSE Bug 1260483

Описание

In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23298.html
CVE-2026-23298
https://bugzilla.suse.com/1260485
SUSE Bug 1260485

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics. Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows: 1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change. 2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless. 3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23300.html
CVE-2026-23300
https://bugzilla.suse.com/1260538
SUSE Bug 1260538

Описание

In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23307.html
CVE-2026-23307
https://bugzilla.suse.com/1260541
SUSE Bug 1260541

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23312.html
CVE-2026-23312
https://bugzilla.suse.com/1260561
SUSE Bug 1260561

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101? This clearly has seen a lot of testing in the last 3+ years... Use smp_processor_id() instead.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23313.html
CVE-2026-23313
https://bugzilla.suse.com/1260555
SUSE Bug 1260555

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag]

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23315.html
CVE-2026-23315
https://bugzilla.suse.com/1260549
SUSE Bug 1260549

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix ARM64 alignment fault in multipath hash seed `struct sysctl_fib_multipath_hash_seed` contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment requirement. In `fib_multipath_hash_from_keys()`, the code evaluates the entire struct atomically via `READ_ONCE()`: mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed; While this silently works on GCC by falling back to unaligned regular loads which the ARM64 kernel tolerates, it causes a fatal kernel panic when compiled with Clang and LTO enabled. Commit e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y") strengthens `READ_ONCE()` to use Load-Acquire instructions (`ldar` / `ldapr`) to prevent compiler reordering bugs under Clang LTO. Since the macro evaluates the full 8-byte struct, Clang emits a 64-bit `ldar` instruction. ARM64 architecture strictly requires `ldar` to be naturally aligned, thus executing it on a 4-byte aligned address triggers a strict Alignment Fault (FSC = 0x21). Fix the read side by moving the `READ_ONCE()` directly to the `u32` member, which emits a safe 32-bit `ldar Wn`. Furthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire struct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis shows that Clang splits this 8-byte write into two separate 32-bit `str` instructions. While this avoids an alignment fault, it destroys atomicity and exposes a tear-write vulnerability. Fix this by explicitly splitting the write into two 32-bit `WRITE_ONCE()` operations. Finally, add the missing `READ_ONCE()` when reading `user_seed` in `proc_fib_multipath_hash_seed()` to ensure proper pairing and concurrency safety.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23316.html
CVE-2026-23316
https://bugzilla.suse.com/1260573
SUSE Bug 1260573

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could cause the vmw_translate_ptr functions to return success when they actually failed causing further uninitialized and OOB accesses.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23317.html
CVE-2026-23317
https://bugzilla.suse.com/1260562
SUSE Bug 1260562
https://bugzilla.suse.com/1260563
SUSE Bug 1260563

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23318.html
CVE-2026-23318
https://bugzilla.suse.com/1260536
SUSE Bug 1260536

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961 Modules linked in: CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full) Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline] RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline] RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210 Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a RSP: 0018:ffffc90001663880 EFLAGS: 00010293 RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640 R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650 FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0 Call Trace: <TASK> genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:742 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592 ___sys_sendmsg+0x2de/0x320 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66346f826d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8 R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770 </TASK> The actions that caused that seem to be: - Set the MPTCP subflows limit to 0 - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags - Create a new MPTCP connection from a different address: an ADD_ADDR linked to the MPTCP endpoint will be sent ('signal' flag), but no subflows is initiated ('subflow' flag) - Remove the MPTCP endpoint ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23321.html
CVE-2026-23321
https://bugzilla.suse.com/1260505
SUSE Bug 1260505

Описание

In the Linux kernel, the following vulnerability has been resolved: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23324.html
CVE-2026-23324
https://bugzilla.suse.com/1260507
SUSE Bug 1260507

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23325.html
CVE-2026-23325
https://bugzilla.suse.com/1260537
SUSE Bug 1260537

Описание

In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: handle short interrupt urb messages properly If an interrupt urb is received that is not the correct length, properly detect it and don't attempt to treat the data as valid.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23334.html
CVE-2026-23334
https://bugzilla.suse.com/1260571
SUSE Bug 1260571

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events cfg80211_rfkill_block_work Call Trace: <TASK> dump_stack_lvl+0x116/0x1f0 print_report+0xcd/0x630 kasan_report+0xe0/0x110 cfg80211_shutdown_all_interfaces+0x213/0x220 cfg80211_rfkill_block_work+0x1e/0x30 process_one_work+0x9cf/0x1b70 worker_thread+0x6c8/0xf10 kthread+0x3c5/0x780 ret_from_fork+0x56d/0x700 ret_from_fork_asm+0x1a/0x30 </TASK> The problem arises due to the rfkill_block work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphy_unregister(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23336.html
CVE-2026-23336
https://bugzilla.suse.com/1260552
SUSE Bug 1260552

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffies 4295441246 hex dump (first 32 bytes): 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace (crc 7c40cc2a): kmem_cache_alloc_node_noprof+0x492/0x630 __alloc_skb+0x11e/0x5f0 alloc_skb_with_frags+0xc6/0x8f0 sock_alloc_send_pskb+0x326/0x3f0 nfc_alloc_send_skb+0x94/0x1d0 rawsock_sendmsg+0x162/0x4c0 do_syscall_64+0x117/0xfc0

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23339.html
CVE-2026-23339
https://bugzilla.suse.com/1260581
SUSE Bug 1260581

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23340.html
CVE-2026-23340
https://bugzilla.suse.com/1260523
SUSE Bug 1260523

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from ioremap_prot() which faults when accessed from the kernel on systems with PAN: | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 | ... | Call trace: | __memcpy_fromio+0x80/0xf8 | generic_access_phys+0x20c/0x2b8 | __access_remote_vm+0x46c/0x5b8 | access_remote_vm+0x18/0x30 | environ_read+0x238/0x3e8 | vfs_read+0xe4/0x2b0 | ksys_read+0xcc/0x178 | __arm64_sys_read+0x4c/0x68 Extract only the memory type from the user 'pgprot_t' in ioremap_prot() and assert that we're being passed a user mapping, to protect us against any changes in future that may require additional handling. To avoid falsely flagging users of ioremap(), provide our own ioremap() macro which simply wraps __ioremap_prot().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23346.html
CVE-2026-23346
https://bugzilla.suse.com/1260529
SUSE Bug 1260529

Описание

In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23347.html
CVE-2026-23347
https://bugzilla.suse.com/1260514
SUSE Bug 1260514

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23351.html
CVE-2026-23351
https://bugzilla.suse.com/1260526
SUSE Bug 1260526

Описание

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions. For all practical purposes, this means array_index_nospec() must be used in the expression that accesses the array. As the code currently stands, it's the wrong side of irqentry_enter(), and 'index' is put into %ebp across the function call. Remove the index variable and reposition array_index_nospec(), so it's calculated immediately before the array access.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23354.html
CVE-2026-23354
https://bugzilla.suse.com/1260801
SUSE Bug 1260801

Описание

In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251x_open The mcp251x_open() function call free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler will be waiting for the mpc_lock and free_irq() will deadlock waiting for the handler to finish. This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but for the error path. To solve this issue move the call to free_irq() after the lock is released. Setting `priv->force_quit = 1` beforehand ensure that the IRQ handler will exit right away once it acquired the lock.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23357.html
CVE-2026-23357
https://bugzilla.suse.com/1260532
SUSE Bug 1260532

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avoid orphaning the old queue. This fixes a regression introduced by commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime").

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23360.html
CVE-2026-23360
https://bugzilla.suse.com/1260613
SUSE Bug 1260613

Описание

In the Linux kernel, the following vulnerability has been resolved: can: bcm: fix locking for bcm_op runtime updates Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates") added a locking for some variables that can be modified at runtime when updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup(). Usually the RX_SETUP only handles and filters incoming traffic with one exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is sent when a specific RTR frame is received. Therefore the rx bcm_op uses bcm_can_tx() which uses the bcm_tx_lock that was only initialized in bcm_tx_setup(). Add the missing spin_lock_init() when allocating the bcm_op in bcm_rx_setup() to handle the RTR case properly.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23362.html
CVE-2026-23362
https://bugzilla.suse.com/1260489
SUSE Bug 1260489

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt7925_mac_write_txwi_80211 in order to avoid a possible oob access.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23363.html
CVE-2026-23363
https://bugzilla.suse.com/1260572
SUSE Bug 1260572

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: kalmia: validate USB endpoints The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23365.html
CVE-2026-23365
https://bugzilla.suse.com/1260800
SUSE Bug 1260800

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23367.html
CVE-2026-23367
https://bugzilla.suse.com/1260731
SUSE Bug 1260731

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled: [ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock); [ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234 [ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c [ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c [ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0 [ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0 [ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c [ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78 [ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock(); [ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0 [ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c [ 1362.104022] [<80014504>] syscall_common+0x34/0x58 Here LED_TRIGGER_PHY is registering LED triggers during phy_attach while holding RTNL and then taking triggers_list_lock. [ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock(); [ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4 [ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock); [ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c [ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc [ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c [ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4 [ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c [ 1362.232164] [<80014504>] syscall_common+0x34/0x58 Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes triggers_list_lock and then RTNL. A classical AB-BA deadlock. phy_led_triggers_registers() does not require the RTNL, it does not make any calls into the network stack which require protection. There is also no requirement the PHY has been attached to a MAC, the triggers only make use of phydev state. This allows the call to phy_led_triggers_registers() to be placed elsewhere. PHY probe() and release() don't hold RTNL, so solving the AB-BA deadlock.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23368.html
CVE-2026-23368
https://bugzilla.suse.com/1260530
SUSE Bug 1260530

Описание

In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock" This reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1. Under rare circumstances, multiple udev threads can collect i801 device info on boot and walk i801_acpi_io_handler somewhat concurrently. The first will note the area is reserved by acpi to prevent further touches. This ultimately causes the area to be deregistered. The second will enter i801_acpi_io_handler after the area is unregistered but before a check can be made that the area is unregistered. i2c_lock_bus relies on the now unregistered area containing lock_ops to lock the bus. The end result is a kernel panic on boot with the following backtrace; [ 14.971872] ioatdma 0000:09:00.2: enabling device (0100 -> 0102) [ 14.971873] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 14.971880] #PF: supervisor read access in kernel mode [ 14.971884] #PF: error_code(0x0000) - not-present page [ 14.971887] PGD 0 P4D 0 [ 14.971894] Oops: 0000 [#1] PREEMPT SMP PTI [ 14.971900] CPU: 5 PID: 956 Comm: systemd-udevd Not tainted 5.14.0-611.5.1.el9_7.x86_64 #1 [ 14.971905] Hardware name: XXXXXXXXXXXXXXXXXXXXXXX BIOS 1.20.10.SV91 01/30/2023 [ 14.971908] RIP: 0010:i801_acpi_io_handler+0x2d/0xb0 [i2c_i801] [ 14.971929] Code: 00 00 49 8b 40 20 41 57 41 56 4d 8b b8 30 04 00 00 49 89 ce 41 55 41 89 d5 41 54 49 89 f4 be 02 00 00 00 55 4c 89 c5 53 89 fb <48> 8b 00 4c 89 c7 e8 18 61 54 e9 80 bd 80 04 00 00 00 75 09 4c 3b [ 14.971933] RSP: 0018:ffffbaa841483838 EFLAGS: 00010282 [ 14.971938] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9685e01ba568 [ 14.971941] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000000 [ 14.971944] RBP: ffff9685ca22f028 R08: ffff9685ca22f028 R09: ffff9685ca22f028 [ 14.971948] R10: 000000000000000b R11: 0000000000000580 R12: 0000000000000580 [ 14.971951] R13: 0000000000000008 R14: ffff9685e01ba568 R15: ffff9685c222f000 [ 14.971954] FS: 00007f8287c0ab40(0000) GS:ffff96a47f940000(0000) knlGS:0000000000000000 [ 14.971959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 14.971963] CR2: 0000000000000000 CR3: 0000000168090001 CR4: 00000000003706f0 [ 14.971966] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 14.971968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 14.971972] Call Trace: [ 14.971977] <TASK> [ 14.971981] ? show_trace_log_lvl+0x1c4/0x2df [ 14.971994] ? show_trace_log_lvl+0x1c4/0x2df [ 14.972003] ? acpi_ev_address_space_dispatch+0x16e/0x3c0 [ 14.972014] ? __die_body.cold+0x8/0xd [ 14.972021] ? page_fault_oops+0x132/0x170 [ 14.972028] ? exc_page_fault+0x61/0x150 [ 14.972036] ? asm_exc_page_fault+0x22/0x30 [ 14.972045] ? i801_acpi_io_handler+0x2d/0xb0 [i2c_i801] [ 14.972061] acpi_ev_address_space_dispatch+0x16e/0x3c0 [ 14.972069] ? __pfx_i801_acpi_io_handler+0x10/0x10 [i2c_i801] [ 14.972085] acpi_ex_access_region+0x5b/0xd0 [ 14.972093] acpi_ex_field_datum_io+0x73/0x2e0 [ 14.972100] acpi_ex_read_data_from_field+0x8e/0x230 [ 14.972106] acpi_ex_resolve_node_to_value+0x23d/0x310 [ 14.972114] acpi_ds_evaluate_name_path+0xad/0x110 [ 14.972121] acpi_ds_exec_end_op+0x321/0x510 [ 14.972127] acpi_ps_parse_loop+0xf7/0x680 [ 14.972136] acpi_ps_parse_aml+0x17a/0x3d0 [ 14.972143] acpi_ps_execute_method+0x137/0x270 [ 14.972150] acpi_ns_evaluate+0x1f4/0x2e0 [ 14.972158] acpi_evaluate_object+0x134/0x2f0 [ 14.972164] acpi_evaluate_integer+0x50/0xe0 [ 14.972173] ? vsnprintf+0x24b/0x570 [ 14.972181] acpi_ac_get_state.part.0+0x23/0x70 [ 14.972189] get_ac_property+0x4e/0x60 [ 14.972195] power_supply_show_property+0x90/0x1f0 [ 14.972205] add_prop_uevent+0x29/0x90 [ 14.972213] power_supply_uevent+0x109/0x1d0 [ 14.972222] dev_uevent+0x10e/0x2f0 [ 14.972228] uevent_show+0x8e/0x100 [ 14.972236] dev_attr_show+0x19 ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23369.html
CVE-2026-23369
https://bugzilla.suse.com/1260798
SUSE Bug 1260798

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data set_new_password() hex dumps the entire buffer, which contains plaintext password data, including current and new passwords. Remove the hex dump to avoid leaking credentials.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23370.html
CVE-2026-23370
https://bugzilla.suse.com/1260504
SUSE Bug 1260504

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references. Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23372.html
CVE-2026-23372
https://bugzilla.suse.com/1260484
SUSE Bug 1260484

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config This triggers a WARN_ON in ieee80211_hw_conf_init and isn't the expected behavior from the driver - other drivers default to 0 too.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23373.html
CVE-2026-23373
https://bugzilla.suse.com/1260528
SUSE Bug 1260528

Описание

In the Linux kernel, the following vulnerability has been resolved: blktrace: fix __this_cpu_read/write in preemptible context tracing_record_cmdline() internally uses __this_cpu_read() and __this_cpu_write() on the per-CPU variable trace_cmdline_save, and trace_save_cmdline() explicitly asserts preemption is disabled via lockdep_assert_preemption_disabled(). These operations are only safe when preemption is off, as they were designed to be called from the scheduler context (probe_wakeup_sched_switch() / probe_wakeup()). __blk_add_trace() was calling tracing_record_cmdline(current) early in the blk_tracer path, before ring buffer reservation, from process context where preemption is fully enabled. This triggers the following using blktests/blktrace/002: blktrace/002 (blktrace ftrace corruption with sysfs trace) [failed] runtime 0.367s ... 0.437s something found in dmesg: [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] <TASK> [ 81.362886] dump_stack_lvl+0x8d/0xb0 ... (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message) [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] <TASK> [ 81.362886] dump_stack_lvl+0x8d/0xb0 [ 81.362895] check_preemption_disabled+0xce/0xe0 [ 81.362902] tracing_record_cmdline+0x10/0x40 [ 81.362923] __blk_add_trace+0x307/0x5d0 [ 81.362934] ? lock_acquire+0xe0/0x300 [ 81.362940] ? iov_iter_extract_pages+0x101/0xa30 [ 81.362959] blk_add_trace_bio+0x106/0x1e0 [ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0 [ 81.362979] ? lockdep_init_map_type+0x58/0x260 [ 81.362988] submit_bio_wait+0x56/0x90 [ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250 [ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10 [ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0 [ 81.363051] blkdev_read_iter+0xc1/0x140 [ 81.363059] vfs_read+0x20b/0x330 [ 81.363083] ksys_read+0x67/0xe0 [ 81.363090] do_syscall_64+0xbf/0xf00 [ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 81.363106] RIP: 0033:0x7f281906029d [ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec [ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d [ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000 [ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000 [ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000 [ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a [ 81.363142] </TASK> The same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(), and blk_add_trace_rq() paths as well. The purpose of tracin ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23374.html
CVE-2026-23374
https://bugzilla.suse.com/1260811
SUSE Bug 1260811

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23375.html
CVE-2026-23375
https://bugzilla.suse.com/1260576
SUSE Bug 1260576

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being innapropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op: [ 138.423369][ C1] ================================================================== [ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255 [ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full) [ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 138.425800][ C1] Call Trace: [ 138.425804][ C1] <IRQ> [ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122) [ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1)) [ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) [ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1)) [ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2)) [ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171) [ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57) [ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) [ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3)) [ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45) [ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879) To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23378.html
CVE-2026-23378
https://bugzilla.suse.com/1260546
SUSE Bug 1260546

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can happen even for a HID device that has not been "claimed" causing a crash if a broken device were attempted to be connected to the system. Fix up the remaining in-tree HID drivers that forgot to add this same check to resolve the same issue.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23382.html
CVE-2026-23382
https://bugzilla.suse.com/1260551
SUSE Bug 1260551

Описание

In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23387.html
CVE-2026-23387
https://bugzilla.suse.com/1260807
SUSE Bug 1260807

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23391.html
CVE-2026-23391
https://bugzilla.suse.com/1260566
SUSE Bug 1260566

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu(). There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23392.html
CVE-2026-23392
https://bugzilla.suse.com/1260531
SUSE Bug 1260531
https://bugzilla.suse.com/1262016
SUSE Bug 1262016

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signaling channel a different Identifier shall be used for each successive request or indication.' https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d So this attempts to check if there are any channels pending with the same identifier and rejects if any are found.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23395.html
CVE-2026-23395
https://bugzilla.suse.com/1260580
SUSE Bug 1260580

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK> This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23396.html
CVE-2026-23396
https://bugzilla.suse.com/1260729
SUSE Bug 1260729

Описание

In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23397.html
CVE-2026-23397
https://bugzilla.suse.com/1260728
SUSE Bug 1260728

Описание

In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released. unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_noprof+0x453/0xd80 nft_counter_clone+0x9c/0x190 [nf_tables] nft_expr_clone+0x8f/0x1b0 [nf_tables] nft_dynset_new+0x2cb/0x5f0 [nf_tables] nft_rhash_update+0x236/0x11c0 [nf_tables] nft_dynset_eval+0x11f/0x670 [nf_tables] nft_do_chain+0x253/0x1700 [nf_tables] nft_do_chain_ipv4+0x18d/0x270 [nf_tables] nf_hook_slow+0xaa/0x1e0 ip_local_deliver+0x209/0x330

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23399.html
CVE-2026-23399
https://bugzilla.suse.com/1261020
SUSE Bug 1261020

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM. E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulted MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE. ------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: <TASK> mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f </TASK> ---[ end trace 0000000000000000 ]---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23401.html
CVE-2026-23401
https://bugzilla.suse.com/1261288
SUSE Bug 1261288

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix memory leak in verify_header The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23403.html
CVE-2026-23403
https://bugzilla.suse.com/1261287
SUSE Bug 1261287

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: replace recursive profile removal with iterative approach The profile removal code uses recursion when removing nested profiles, which can lead to kernel stack exhaustion and system crashes. Reproducer: $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done $ echo -n a > /sys/kernel/security/apparmor/.remove Replace the recursive __aa_profile_list_release() approach with an iterative approach in __remove_profile(). The function repeatedly finds and removes leaf profiles until the entire subtree is removed, maintaining the same removal semantic without recursion.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23404.html
CVE-2026-23404
https://bugzilla.suse.com/1258854
SUSE Bug 1258854

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix: limit the number of levels of policy namespaces Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23405.html
CVE-2026-23405
https://bugzilla.suse.com/1261295
SUSE Bug 1261295

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. [ 94.984676] ================================================================== [ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760 [ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976 [ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 94.986329] Call Trace: [ 94.986341] <TASK> [ 94.986347] dump_stack_lvl+0x5e/0x80 [ 94.986374] print_report+0xc8/0x270 [ 94.986384] ? aa_dfa_match+0x5ae/0x760 [ 94.986388] kasan_report+0x118/0x150 [ 94.986401] ? aa_dfa_match+0x5ae/0x760 [ 94.986405] aa_dfa_match+0x5ae/0x760 [ 94.986408] __aa_path_perm+0x131/0x400 [ 94.986418] aa_path_perm+0x219/0x2f0 [ 94.986424] apparmor_file_open+0x345/0x570 [ 94.986431] security_file_open+0x5c/0x140 [ 94.986442] do_dentry_open+0x2f6/0x1120 [ 94.986450] vfs_open+0x38/0x2b0 [ 94.986453] ? may_open+0x1e2/0x2b0 [ 94.986466] path_openat+0x231b/0x2b30 [ 94.986469] ? __x64_sys_openat+0xf8/0x130 [ 94.986477] do_file_open+0x19d/0x360 [ 94.986487] do_sys_openat2+0x98/0x100 [ 94.986491] __x64_sys_openat+0xf8/0x130 [ 94.986499] do_syscall_64+0x8e/0x660 [ 94.986515] ? count_memcg_events+0x15f/0x3c0 [ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986540] ? handle_mm_fault+0x1639/0x1ef0 [ 94.986551] ? vma_start_read+0xf0/0x320 [ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0 [ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0 [ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5 [ 94.986588] ? irqentry_exit+0x3c/0x590 [ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 94.986597] RIP: 0033:0x7fda4a79c3ea Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23406.html
CVE-2026-23406
https://bugzilla.suse.com/1258855
SUSE Bug 1258855

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. [ 57.179855] ================================================================== [ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660 [ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993 [ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy) [ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 57.181563] Call Trace: [ 57.181572] <TASK> [ 57.181577] dump_stack_lvl+0x5e/0x80 [ 57.181596] print_report+0xc8/0x270 [ 57.181605] ? verify_dfa+0x59a/0x660 [ 57.181608] kasan_report+0x118/0x150 [ 57.181620] ? verify_dfa+0x59a/0x660 [ 57.181623] verify_dfa+0x59a/0x660 [ 57.181627] aa_dfa_unpack+0x1610/0x1740 [ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470 [ 57.181640] unpack_pdb+0x86d/0x46b0 [ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181656] ? aa_unpack_nameX+0x1a8/0x300 [ 57.181659] aa_unpack+0x20b0/0x4c30 [ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181664] ? stack_depot_save_flags+0x33/0x700 [ 57.181681] ? kasan_save_track+0x4f/0x80 [ 57.181683] ? kasan_save_track+0x3e/0x80 [ 57.181686] ? __kasan_kmalloc+0x93/0xb0 [ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130 [ 57.181697] ? policy_update+0x154/0x330 [ 57.181704] aa_replace_profiles+0x15a/0x1dd0 [ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780 [ 57.181712] ? aa_loaddata_alloc+0x77/0x140 [ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5 [ 57.181717] ? _copy_from_user+0x2a/0x70 [ 57.181730] policy_update+0x17a/0x330 [ 57.181733] profile_replace+0x153/0x1a0 [ 57.181735] ? rw_verify_area+0x93/0x2d0 [ 57.181740] vfs_write+0x235/0xab0 [ 57.181745] ksys_write+0xb0/0x170 [ 57.181748] do_syscall_64+0x8e/0x660 [ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 57.181765] RIP: 0033:0x7f6192792eb2 Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23407.html
CVE-2026-23407
https://bugzilla.suse.com/1258855
SUSE Bug 1258855
https://bugzilla.suse.com/1261292
SUSE Bug 1261292

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 } else if (ent->ns_name) { then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name; however ent->ns_name is freed at 1262 aa_load_ent_free(ent); and then again when freeing ns_name at 1270 kfree(ns_name); Fix this by NULLing out ent->ns_name after it is transferred to ns_name ")

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23408.html
CVE-2026-23408
https://bugzilla.suse.com/1258857
SUSE Bug 1258857

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23409.html
CVE-2026-23409
https://bugzilla.suse.com/1258857
SUSE Bug 1258857
https://bugzilla.suse.com/1261294
SUSE Bug 1261294

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23410.html
CVE-2026-23410
https://bugzilla.suse.com/1258856
SUSE Bug 1258856

Описание

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23411.html
CVE-2026-23411
https://bugzilla.suse.com/1258851
SUSE Bug 1258851
https://bugzilla.suse.com/1258856
SUSE Bug 1258856

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix constant blinding for PROBE_MEM32 stores BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1. The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded. Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX). The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23417.html
CVE-2026-23417
https://bugzilla.suse.com/1261410
SUSE Bug 1261410

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Fix leak on xa_store failure Free the newly allocated entry when xa_store() fails to avoid a memory leak on the error path. v2: use goto fail_free. (Bala) (cherry picked from commit 6bc6fec71ac45f52db609af4e62bdb96b9f5fadb)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23418.html
CVE-2026-23418
https://bugzilla.suse.com/1261505
SUSE Bug 1261505

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Fix a locking bug Make sure that wl->mutex is locked before it is unlocked. This has been detected by the Clang thread-safety analyzer.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23420.html
CVE-2026-23420
https://bugzilla.suse.com/1261503
SUSE Bug 1261503

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() The logicvc_drm_config_parse() function calls of_get_child_by_name() to find the "layers" node but fails to release the reference, leading to a device node reference leak. Fix this by using the __free(device_node) cleanup attribute to automatic release the reference when the variable goes out of scope.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23426.html
CVE-2026-23426
https://bugzilla.suse.com/1261504
SUSE Bug 1261504

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23434.html
CVE-2026-23434
https://bugzilla.suse.com/1261601
SUSE Bug 1261601

Описание

In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect from late creation of hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak. Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy. We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23436.html
CVE-2026-23436
https://bugzilla.suse.com/1261617
SUSE Bug 1261617

Описание

In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect late read accesses to the hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. This is not proper, a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes needs a separate change to protect from creating the hierarchy after flush has already run.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23437.html
CVE-2026-23437
https://bugzilla.suse.com/1261635
SUSE Bug 1261635
https://bugzilla.suse.com/1261845
SUSE Bug 1261845

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1. A race condition exists in this handling path. After validating the event, the driver calls mlx5_accel_esp_modify_xfrm() to update the kernel's xfrm state. This function temporarily releases and re-acquires the xfrm state lock. So, need to acknowledge the event first by setting esn_event_arm to 0x1. This prevents the driver from reprocessing the same ESN update if the hardware sends events for other reason. Since the next ESN update only occurs after nearly 2^31 packets are received, there's no risk of missing an update, as it will happen long after this handling has finished. Processing the event twice causes the ESN high-order bits (esn_msb) to be incremented incorrectly. The driver then programs the hardware with this invalid ESN state, which leads to anti-replay failures and a complete halt of IPSec traffic. Fix this by re-arming the ESN event immediately after it is validated, before calling mlx5_accel_esp_modify_xfrm(). This ensures that any spurious, duplicate events are correctly ignored, closing the race window.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23440.html
CVE-2026-23440
https://bugzilla.suse.com/1261641
SUSE Bug 1261641

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations. A race condition exists because the ASO spinlock is released before the hardware has finished processing WQE. If a second operation is initiated immediately after, it overwrites the shared context in the DMA area. When the first operation's completion is processed later, it reads this corrupted context, leading to unexpected behavior and incorrect results. This commit fixes the race by introducing a private context within each IPSec offload object. The shared ASO context is now copied to this private context while the ASO spinlock is held. Subsequent processing uses this saved, per-object context, ensuring its integrity is maintained.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23441.html
CVE-2026-23441
https://bugzilla.suse.com/1261768
SUSE Bug 1261768

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23442.html
CVE-2026-23442
https://bugzilla.suse.com/1261581
SUSE Bug 1261581

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-after-free to occur. Moreover, debug messages about enabling the errata may be printed if the errata flags corresponding to them are unset. Address all of these issues by moving message printing to the points in the code where the errata flags are set.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23443.html
CVE-2026-23443
https://bugzilla.suse.com/1261679
SUSE Bug 1261679

Описание

In the Linux kernel, the following vulnerability has been resolved: igc: fix page fault in XDP TX timestamps handling If an XDP application that requested TX timestamping is shutting down while the link of the interface in use is still up the following kernel splat is reported: [ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 ... [ 883.803650] [ T1554] Call Trace: [ 883.803652] [ T1554] <TASK> [ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] [ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] ... During shutdown of the TX ring the xsk_meta pointers are left behind, so that the IRQ handler is trying to touch them. This issue is now being fixed by cleaning up the stale xsk meta data on TX shutdown. TX timestamps on other queues remain unaffected.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23445.html
CVE-2026-23445
https://bugzilla.suse.com/1261702
SUSE Bug 1261702

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23446.html
CVE-2026-23446
https://bugzilla.suse.com/1261778
SUSE Bug 1261778

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23447.html
CVE-2026-23447
https://bugzilla.suse.com/1261751
SUSE Bug 1261751

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against the total skb length as if the NDP were at offset 0, rather than at ndpoffset. When the NDP is placed near the end of the NTB (large wNdpIndex), the DPE entries can extend past the skb data buffer even though the check passes. cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating the DPE array. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23448.html
CVE-2026-23448
https://bugzilla.suse.com/1261750
SUSE Bug 1261750

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 238.029910][ T318] Call Trace: [ 238.029913][ T318] <TASK> [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) [ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) [ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) [ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) [ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) ... [ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) [ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) [ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) [ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) [ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) [ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) [ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) [ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) ... [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: [ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) [ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) [ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) [ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) [ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) [ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) [ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) [ 238.081469][ T318] [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: [ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) [ 238.085900][ T318] __kasan_slab_free (mm/ ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23449.html
CVE-2026-23449
https://bugzilla.suse.com/1261779
SUSE Bug 1261779
https://bugzilla.suse.com/1262213
SUSE Bug 1262213

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release(). This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed. The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race): CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash! Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed. Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight. - Set SOCK_RCU_FREE on the SMC listen socket so that smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely. Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected. Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied. [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23450.html
CVE-2026-23450
https://bugzilla.suse.com/1261584
SUSE Bug 1261584
https://bugzilla.suse.com/1262214
SUSE Bug 1262214

Описание

In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by inserting a flush_work() call in pm_runtime_remove(). Without this patch blktest block/001 triggers the following complaint sporadically: BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 Workqueue: pm pm_runtime_work Call Trace: <TASK> dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x310 print_report+0xfd/0x1d7 kasan_report+0xd8/0x1d0 __kasan_check_byte+0x42/0x60 lock_acquire.part.0+0x38/0x230 lock_acquire+0x70/0x160 _raw_spin_lock+0x36/0x50 rpm_suspend+0xc6a/0xfe0 rpm_idle+0x578/0x770 pm_runtime_work+0xee/0x120 process_one_work+0xde3/0x1410 worker_thread+0x5eb/0xfe0 kthread+0x37b/0x480 ret_from_fork+0x6cb/0x920 ret_from_fork_asm+0x11/0x20 </TASK> Allocated by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmalloc_noprof+0x311/0x990 scsi_alloc_target+0x122/0xb60 [scsi_mod] __scsi_scan_target+0x101/0x460 [scsi_mod] scsi_scan_channel+0x179/0x1c0 [scsi_mod] scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] store_scan+0x2d2/0x390 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810 do_syscall_64+0xee/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x67/0x80 kfree+0x225/0x6c0 scsi_target_dev_release+0x3d/0x60 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_put+0x7f/0xc0 [scsi_mod] sdev_store_delete+0xa5/0x120 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23452.html
CVE-2026-23452
https://bugzilla.suse.com/1261618
SUSE Bug 1261618

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23454.html
CVE-2026-23454
https://bugzilla.suse.com/1261780
SUSE Bug 1261780

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23455.html
CVE-2026-23455
https://bugzilla.suse.com/1261687
SUSE Bug 1261687

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23456.html
CVE-2026-23456
https://bugzilla.suse.com/1261703
SUSE Bug 1261703

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23457.html
CVE-2026-23457
https://bugzilla.suse.com/1261686
SUSE Bug 1261686

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23458.html
CVE-2026-23458
https://bugzilla.suse.com/1261781
SUSE Bug 1261781
https://bugzilla.suse.com/1261782
SUSE Bug 1261782

Описание

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23460.html
CVE-2026-23460
https://bugzilla.suse.com/1261582
SUSE Bug 1261582

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23461.html
CVE-2026-23461
https://bugzilla.suse.com/1261707
SUSE Bug 1261707
https://bugzilla.suse.com/1261709
SUSE Bug 1261709
https://bugzilla.suse.com/1265552
SUSE Bug 1265552

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: [ 97.809954] <TASK> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122) [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808) [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798) [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1)) [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341) [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2)) [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360) [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285) [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5)) [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752) [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716) [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691) [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678) [ 97.810404] __fput (fs/file_table.c:470) [ 97.810430] task_work_run (kernel/task_work.c:235) [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201) [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5)) [ 97.810527] do_exit (kernel/exit.c:972) [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897) [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6)) [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4)) [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1)) [ 97.810721] do_group_exit (kernel/exit.c:1093) [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1)) [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366) [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810826] ? vfs_read (fs/read_write.c:555) [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800) [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555) [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 97.810960] arch_do_signal_or_restart (arch/ ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23462.html
CVE-2026-23462
https://bugzilla.suse.com/1261710
SUSE Bug 1261710
https://bugzilla.suse.com/1261711
SUSE Bug 1261711
https://bugzilla.suse.com/1265552
SUSE Bug 1265552

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23463.html
CVE-2026-23463
https://bugzilla.suse.com/1261713
SUSE Bug 1261713

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, the function returns immediately without freeing the allocated memory for sys_controller, leading to a memory leak. Fix this by jumping to the out_free label to ensure the memory is properly freed. Also, consolidate the error handling for the mbox_request_channel() failure case to use the same label.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23464.html
CVE-2026-23464
https://bugzilla.suse.com/1261592
SUSE Bug 1261592

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's inode marked as logged but we did not log its new dentries. As a consequence if the parent directory is explicitly fsynced later and it does not have any new changes since we logged it, the fsync is a no-op and after a power failure the new dentries are missing. Example scenario: $ mkdir foo $ sync $rmdir foo $ mkdir dir1 $ mkdir dir2 # A file with the same name and parent as the directory we just deleted # and was persisted in a past transaction. So the deleted directory's # inode is a conflicting inode of this new file's inode. $ touch foo $ ln foo dir2/link # The fsync on dir2 will log the parent directory (".") because the # conflicting inode (deleted directory) does not exists anymore, but it # it does not log its new dentries (dir1). $ xfs_io -c "fsync" dir2 # This fsync on the parent directory is no-op, since the previous fsync # logged it (but without logging its new dentries). $ xfs_io -c "fsync" . <power failure> # After log replay dir1 is missing. Fix this by ensuring we log new dir dentries whenever we log the parent directory of a no longer existing conflicting inode. A test case for fstests will follow soon.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23465.html
CVE-2026-23465
https://bugzilla.suse.com/1261685
SUSE Bug 1261685

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load fails, this protection is insufficient because drm_dev_unplug() is never called. Additionally, devm release functions cannot guarantee that all BOs with GGTT mappings are destroyed before the GGTT MMIO region is removed, as some BOs may be freed asynchronously by worker threads. To address this, introduce an open-coded flag, protected by the GGTT lock, that guards GGTT MMIO access. The flag is cleared during the dev_fini_ggtt devm release function to ensure MMIO access is disabled once teardown begins. (cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23466.html
CVE-2026-23466
https://bugzilla.suse.com/1261714
SUSE Bug 1261714

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23468.html
CVE-2026-23468
https://bugzilla.suse.com/1261692
SUSE Bug 1261692

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disable_irq() which internally waits for IRQ handlers, i.e. itself, to complete. Use disable_irq_nosync() during a soft reset instead.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23470.html
CVE-2026-23470
https://bugzilla.suse.com/1261585
SUSE Bug 1261585

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23472.html
CVE-2026-23472
https://bugzilla.suse.com/1261636
SUSE Bug 1261636

Описание

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23473.html
CVE-2026-23473
https://bugzilla.suse.com/1261694
SUSE Bug 1261694

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation." Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23474.html
CVE-2026-23474
https://bugzilla.suse.com/1261602
SUSE Bug 1261602

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-23475.html
CVE-2026-23475
https://bugzilla.suse.com/1261644
SUSE Bug 1261644

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31389.html
CVE-2026-31389
https://bugzilla.suse.com/1261789
SUSE Bug 1261789

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ```

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31392.html
CVE-2026-31392
https://bugzilla.suse.com/1261788
SUSE Bug 1261788

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31393.html
CVE-2026-31393
https://bugzilla.suse.com/1261719
SUSE Bug 1261719

Описание

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31394.html
CVE-2026-31394
https://bugzilla.suse.com/1261637
SUSE Bug 1261637

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation. The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory. The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash. Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31395.html
CVE-2026-31395
https://bugzilla.suse.com/1261786
SUSE Bug 1261786

Описание

In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31400.html
CVE-2026-31400
https://bugzilla.suse.com/1261645
SUSE Bug 1261645

Описание

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31402.html
CVE-2026-31402
https://bugzilla.suse.com/1261638
SUSE Bug 1261638
https://bugzilla.suse.com/1261640
SUSE Bug 1261640
https://bugzilla.suse.com/1265160
SUSE Bug 1265160

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31403.html
CVE-2026-31403
https://bugzilla.suse.com/1261796
SUSE Bug 1261796
https://bugzilla.suse.com/1261912
SUSE Bug 1261912

Описание

In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31405.html
CVE-2026-31405
https://bugzilla.suse.com/1261700
SUSE Bug 1261700
https://bugzilla.suse.com/1261701
SUSE Bug 1261701

Описание

In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31406.html
CVE-2026-31406
https://bugzilla.suse.com/1261629
SUSE Bug 1261629
https://bugzilla.suse.com/1261630
SUSE Bug 1261630

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31407.html
CVE-2026-31407
https://bugzilla.suse.com/1261632
SUSE Bug 1261632

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31408.html
CVE-2026-31408
https://bugzilla.suse.com/1261797
SUSE Bug 1261797
https://bugzilla.suse.com/1261799
SUSE Bug 1261799
https://bugzilla.suse.com/1265552
SUSE Bug 1265552

Описание

In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31411.html
CVE-2026-31411
https://bugzilla.suse.com/1261752
SUSE Bug 1261752

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31412.html
CVE-2026-31412
https://bugzilla.suse.com/1261896
SUSE Bug 1261896

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). - ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31415.html
CVE-2026-31415
https://bugzilla.suse.com/1262099
SUSE Bug 1262099

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31416.html
CVE-2026-31416
https://bugzilla.suse.com/1262100
SUSE Bug 1262100

Описание

In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31417.html
CVE-2026-31417
https://bugzilla.suse.com/1262101
SUSE Bug 1262101

Описание

In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock. The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames. Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31420.html
CVE-2026-31420
https://bugzilla.suse.com/1262055
SUSE Bug 1262055

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks. The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31421.html
CVE-2026-31421
https://bugzilla.suse.com/1262061
SUSE Bug 1262061

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31422.html
CVE-2026-31422
https://bugzilla.suse.com/1262054
SUSE Bug 1262054

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...] Widen `dsm` to u64 and replace do_div() with div64_u64() so the full difference is preserved.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31423.html
CVE-2026-31423
https://bugzilla.suse.com/1262063
SUSE Bug 1262063

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING). ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports: - arpt_CLASSIFY - arpt_mangle - arpt_MARK that provide explicit NFPROTO_ARP match/target declarations.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31424.html
CVE-2026-31424
https://bugzilla.suse.com/1262053
SUSE Bug 1262053

Описание

In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel. The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64 Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31425.html
CVE-2026-31425
https://bugzilla.suse.com/1262074
SUSE Bug 1262074

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi_ec pointer as handler context. However, acpi_ec_setup() propagates the error without any cleanup. The caller acpi_ec_add() then frees the struct acpi_ec for non-boot instances, leaving a dangling handler context in ACPICA. Any subsequent AML evaluation that accesses an EC OpRegion field dispatches into acpi_ec_space_handler() with the freed pointer, causing a use-after-free: BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289) Write of size 8 at addr ffff88800721de38 by task init/1 Call Trace: <TASK> mutex_lock (kernel/locking/mutex.c:289) acpi_ec_space_handler (drivers/acpi/ec.c:1362) acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293) acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246) acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509) acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700) acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327) acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392) </TASK> Allocated by task 1: acpi_ec_alloc (drivers/acpi/ec.c:1424) acpi_ec_add (drivers/acpi/ec.c:1692) Freed by task 1: kfree (mm/slub.c:6876) acpi_ec_add (drivers/acpi/ec.c:1751) The bug triggers on reduced-hardware EC platforms (ec->gpe < 0) when the GPIO IRQ provider defers probing. Once the stale handler exists, any unprivileged sysfs read that causes AML to touch an EC OpRegion (battery, thermal, backlight) exercises the dangling pointer. Fix this by calling ec_remove_handlers() in the error path of acpi_ec_setup() before clearing first_ec. ec_remove_handlers() checks each EC_FLAGS_* bit before acting, so it is safe to call regardless of how far ec_install_handlers() progressed: -ENODEV (handler not installed): only calls acpi_ec_stop() -EPROBE_DEFER (handler installed): removes handler, stops EC

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31426.html
CVE-2026-31426
https://bugzilla.suse.com/1262078
SUSE Bug 1262078

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it. With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack. Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31427.html
CVE-2026-31427
https://bugzilla.suse.com/1262086
SUSE Bug 1262086

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket. Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31428.html
CVE-2026-31428
https://bugzilla.suse.com/1262087
SUSE Bug 1262087

Описание

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix read abandonment during retry Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the place to start abandonment from, but it doesn't always have a useful value (it will be uninitialised on the first pass through the loop and it may point to a deleted subrequest on later passes). Fix the first jump to "abandon:" to set subreq to the start of the first subrequest expected to need retry (which, in this abandonment case, turned out unexpectedly to no longer have NEED_RETRY set). Also clear the subreq pointer after discarding superfluous retryable subrequests to cause an oops if we do try to access it.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31435.html
CVE-2026-31435
https://bugzilla.suse.com/1262601
SUSE Bug 1262601
https://bugzilla.suse.com/1262772
SUSE Bug 1262772

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read. Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31449.html
CVE-2026-31449
https://bugzilla.suse.com/1262616
SUSE Bug 1262616

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31453.html
CVE-2026-31453
https://bugzilla.suse.com/1262617
SUSE Bug 1262617

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/pagewalk: fix race between concurrent split and refault The splitting of a PUD entry in walk_pud_range() can race with a concurrent thread refaulting the PUD leaf entry causing it to try walking a PMD range that has disappeared. An example and reproduction of this is to try reading numa_maps of a process while VFIO-PCI is setting up DMA (specifically the vfio_pin_pages_remote call) on a large BAR for that process. This will trigger a kernel BUG: vfio-pci 0000:03:00.0: enabling device (0000 -> 0002) BUG: unable to handle page fault for address: ffffa23980000000 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI ... RIP: 0010:walk_pgd_range+0x3b5/0x7a0 Code: 8d 43 ff 48 89 44 24 28 4d 89 ce 4d 8d a7 00 00 20 00 48 8b 4c 24 28 49 81 e4 00 00 e0 ff 49 8d 44 24 ff 48 39 c8 4c 0f 43 e3 <49> f7 06 9f ff ff ff 75 3b 48 8b 44 24 20 48 8b 40 28 48 85 c0 74 RSP: 0018:ffffac23e1ecf808 EFLAGS: 00010287 RAX: 00007f44c01fffff RBX: 00007f4500000000 RCX: 00007f44ffffffff RDX: 0000000000000000 RSI: 000ffffffffff000 RDI: ffffffff93378fe0 RBP: ffffac23e1ecf918 R08: 0000000000000004 R09: ffffa23980000000 R10: 0000000000000020 R11: 0000000000000004 R12: 00007f44c0200000 R13: 00007f44c0000000 R14: ffffa23980000000 R15: 00007f44c0000000 FS: 00007fe884739580(0000) GS:ffff9b7d7a9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa23980000000 CR3: 000000c0650e2005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> __walk_page_range+0x195/0x1b0 walk_page_vma+0x62/0xc0 show_numa_map+0x12b/0x3b0 seq_read_iter+0x297/0x440 seq_read+0x11d/0x140 vfs_read+0xc2/0x340 ksys_read+0x5f/0xe0 do_syscall_64+0x68/0x130 ? get_page_from_freelist+0x5c2/0x17e0 ? mas_store_prealloc+0x17e/0x360 ? vma_set_page_prot+0x4c/0xa0 ? __alloc_pages_noprof+0x14e/0x2d0 ? __mod_memcg_lruvec_state+0x8d/0x140 ? __lruvec_stat_mod_folio+0x76/0xb0 ? __folio_mod_stat+0x26/0x80 ? do_anonymous_page+0x705/0x900 ? __handle_mm_fault+0xa8d/0x1000 ? __count_memcg_events+0x53/0xf0 ? handle_mm_fault+0xa5/0x360 ? do_user_addr_fault+0x342/0x640 ? arch_exit_to_user_mode_prepare.constprop.0+0x16/0xa0 ? irqentry_exit_to_user_mode+0x24/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fe88464f47e Code: c0 e9 b6 fe ff ff 50 48 8d 3d be 07 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28 RSP: 002b:00007ffe6cd9a9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fe88464f47e RDX: 0000000000020000 RSI: 00007fe884543000 RDI: 0000000000000003 RBP: 00007fe884543000 R08: 00007fe884542010 R09: 0000000000000000 R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 </TASK> Fix this by validating the PUD entry in walk_pmd_range() using a stable snapshot (pudp_get()). If the PUD is not present or is a leaf, retry the walk via ACTION_AGAIN instead of descending further. This mirrors the retry logic in walk_pte_range(), which lets walk_pmd_range() retry if the PTE is not being got by pte_offset_map_lock().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31456.html
CVE-2026-31456
https://bugzilla.suse.com/1262627
SUSE Bug 1262627

Описание

In the Linux kernel, the following vulnerability has been resolved: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length Validate host controlled value `quote_buf->out_len` that determines how many bytes of the quote are copied out to guest userspace. In TDX environments with remote attestation, quotes are not considered private, and can be forwarded to an attestation server. Catch scenarios where the host specifies a response length larger than the guest's allocation, or otherwise races modifying the response while the guest consumes it. This prevents contents beyond the pages allocated for `quote_buf` (up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, and possibly forwarded in attestation requests. Recall that some deployments want per-container configs-tsm-report interfaces, so the leak may cross container protection boundaries, not just local root.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31470.html
CVE-2026-31470
https://bugzilla.suse.com/1262665
SUSE Bug 1262665
https://bugzilla.suse.com/1262774
SUSE Bug 1262774

Описание

In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write as observed in the KASAN splat. ================================================================== BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb] Write of size 760 at addr ffff80008080b000 by task ethtool/1027 CPU: [...] Tainted: [E]=UNSIGNED_MODULE Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 print_report+0x384/0x5e0 kasan_report+0xa0/0xf0 kasan_check_range+0xe8/0x190 __asan_memcpy+0x54/0x98 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65] dev_ethtool+0x1220/0x38c0 dev_ioctl+0x4ac/0xca8 sock_do_ioctl+0x170/0x1d8 sock_ioctl+0x484/0x5d8 __arm64_sys_ioctl+0x12c/0x1b8 invoke_syscall+0xd4/0x258 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1b0/0x1b8 The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333 flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff) raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== Fix it by making sure the copied size only considers the active number of queues.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31494.html
CVE-2026-31494
https://bugzilla.suse.com/1262671
SUSE Bug 1262671

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc").

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31496.html
CVE-2026-31496
https://bugzilla.suse.com/1262673
SUSE Bug 1262673

Описание

In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, "[fd00::2]:8888") bind(fd3, "[fd00::3]:8888") bind(fd4, "[fd00::4]:8888") bind(fd5, "[fd00::5]:8888") bind(fd6, "[fd00::6]:8888") bind(fd7, "[fd00::7]:8888") bind(fd8, "[fd00::8]:8888") bind(fd9, "[fd00::9]:8888") bind(fd10, "[fd00::10]:8888") /* Correctly return -EADDRINUSE because "hash" is used * instead of "hash2". udp_lib_lport_inuse() detects the * conflict. */ bind(fail_fd, "[::]:8888") /* After one more socket is bound to "[fd00::11]:8888", * hslot->count exceeds 10 and "hash2" is used instead. */ bind(fd11, "[fd00::11]:8888") bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */ The same issue applies to the IPv4 wildcard address "0.0.0.0" and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For example, if there are existing sockets bound to "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or "[::ffff:0.0.0.0]:8888" can also miss the conflict when hslot->count > 10. TCP inet_csk_get_port() already has the correct check in inet_use_bhash2_on_bind(). Rename it to inet_use_hash2_on_bind() and move it to inet_hashtables.h so udp.c can reuse it in this fix.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31503.html
CVE-2026-31503
https://bugzilla.suse.com/1263077
SUSE Bug 1263077

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31504.html
CVE-2026-31504
https://bugzilla.suse.com/1263085
SUSE Bug 1263085
https://bugzilla.suse.com/1263088
SUSE Bug 1263088

Описание

In the Linux kernel, the following vulnerability has been resolved: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the value could change in runtime, we should use num_tx_queues instead. Moreover iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues, which triggers out-of-bounds writes when we do "ethtool -L" and "ethtool -S" simultaneously [1]. For example when we change channels from 1 to 8, Thread 3 could be scheduled before Thread 2, and out-of-bounds writes could be triggered in Thread 3: Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S) iavf_set_channels() ... iavf_alloc_queues() -> num_active_queues = 8 iavf_schedule_finish_config() iavf_get_sset_count() real_num_tx_queues: 1 -> buffer for 1 queue iavf_get_ethtool_stats() num_active_queues: 8 -> out-of-bounds! iavf_finish_config() -> real_num_tx_queues = 8 Use immutable num_tx_queues in all related functions to avoid the issue. [1] BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800 CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x180 iavf_add_one_ethtool_stat+0x200/0x270 iavf_get_ethtool_stats+0x14c/0x2e0 __dev_ethtool+0x3d0c/0x5830 dev_ethtool+0x12d/0x270 dev_ioctl+0x53c/0xe30 sock_do_ioctl+0x1a9/0x270 sock_ioctl+0x3d4/0x5e0 __x64_sys_ioctl+0x137/0x1c0 do_syscall_64+0xf3/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7da0e6e36d ... </TASK> The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813a013de0 pfn:0x13a013 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31505.html
CVE-2026-31505
https://bugzilla.suse.com/1263093
SUSE Bug 1263093
https://bugzilla.suse.com/1263094
SUSE Bug 1263094

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *. When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF] KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: <TASK> smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Kernel panic - not syncing: Fatal exception Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately. The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31507.html
CVE-2026-31507
https://bugzilla.suse.com/1263095
SUSE Bug 1263095
https://bugzilla.suse.com/1263096
SUSE Bug 1263096

Описание

In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31515.html
CVE-2026-31515
https://bugzilla.suse.com/1262752
SUSE Bug 1262752

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? ? broken_subvol and similarly stat-ing the file fails. In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck. dmesg contains a single notable error message reading: "could not do orphan cleanup -2" 2 is ENOENT and the error comes from the failure handling path of btrfs_orphan_cleanup(), with the stack leading back up to btrfs_lookup(). btrfs_lookup btrfs_lookup_dentry btrfs_orphan_cleanup // prints that message and returns -ENOENT After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later. - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want. i.e., btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode->vfs_inode)->vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfs_orphan_cleanup() and set the bit. The final important observation is that create_subvol() calls d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfs_orphan_cleanup() for the first time. This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent->d_lockref.count via dget in d_alloc(), released in __dentry_kill()) and prevent the parent from being removed from the dentry cache. The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode. If the file is unlinked and closed while those refs are held, iput() in __dentry_kill() decrements i_count but does not trigger eviction (i_count > 0). The child dentry is freed and the subvol dentry's d_lockref.count drops to 0, making it evictable while the inode is still alive. Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture. (Only the second and third are races) Phase 1: Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set btrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31519.html
CVE-2026-31519
https://bugzilla.suse.com/1263012
SUSE Bug 1263012

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs() macro on s32 operands. The abs() macro documentation (include/linux/math.h) explicitly states the result is undefined when the input is the type minimum. When DST contains S32_MIN (0x80000000), abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged on arm64/x86. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing do_div() to compute the wrong result. The verifier's abstract interpretation (scalar32_min_max_sdiv) computes the mathematically correct result for range tracking, creating a verifier/interpreter mismatch that can be exploited for out-of-bounds map value access. Introduce abs_s32() which handles S32_MIN correctly by casting to u32 before negating, avoiding signed overflow entirely. Replace all 8 abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers. s32 is the only affected case -- the s64 division/modulo handlers do not use abs().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31525.html
CVE-2026-31525
https://bugzilla.suse.com/1262725
SUSE Bug 1262725
https://bugzilla.suse.com/1262726
SUSE Bug 1262726

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exception exit lock checking for subprogs process_bpf_exit_full() passes check_lock = !curframe to check_resource_leak(), which is false in cases when bpf_throw() is called from a static subprog. This makes check_resource_leak() to skip validation of active_rcu_locks, active_preempt_locks, and active_irq_id on exception exits from subprogs. At runtime bpf_throw() unwinds the stack via ORC without releasing any user-acquired locks, which may cause various issues as the result. Fix by setting check_lock = true for exception exits regardless of curframe, since exceptions bypass all intermediate frame cleanup. Update the error message prefix to "bpf_throw" for exception exits to distinguish them from normal BPF_EXIT. Fix reject_subprog_with_rcu_read_lock test which was previously passing for the wrong reason. Test program returned directly from the subprog call without closing the RCU section, so the error was triggered by the unclosed RCU lock on normal exit, not by bpf_throw. Update __msg annotations for affected tests to match the new "bpf_throw" error prefix. The spin_lock case is not affected because they are already checked [1] at the call site in do_check_insn() before bpf_throw can run. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31526.html
CVE-2026-31526
https://bugzilla.suse.com/1262662
SUSE Bug 1262662

Описание

In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmu_ctx->pmu for groups Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access when group_sched_in() fails and needs to roll back. This *should* be handled by the transaction callbacks, but he found that when the group leader is a software event, the transaction handlers of the wrong PMU are used. Despite the move_group case in perf_event_open() and group_sched_in() using pmu_ctx->pmu. Turns out, inherit uses event->pmu to clone the events, effectively undoing the move_group case for all inherited contexts. Fix this by also making inherit use pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context. Similarly, __perf_event_read() should use equally use pmu_ctx->pmu for the group case.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31528.html
CVE-2026-31528
https://bugzilla.suse.com/1263001
SUSE Bug 1263001
https://bugzilla.suse.com/1263002
SUSE Bug 1263002

Описание

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31533.html
CVE-2026-31533
https://bugzilla.suse.com/1262758
SUSE Bug 1262758
https://bugzilla.suse.com/1262759
SUSE Bug 1262759

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix missing runtime PM reference in ccs_mode_store ccs_mode_store() calls xe_gt_reset() which internally invokes xe_pm_runtime_get_noresume(). That function requires the caller to already hold an outer runtime PM reference and warns if none is held: [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at xe_pm_runtime_get_noresume+0x8b/0xc0 Fix this by protecting xe_gt_reset() with the scope-based guard(xe_pm_runtime)(xe), which is the preferred form when the reference lifetime matches a single scope. v2: - Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng) - Update commit message accordingly (cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31547.html
CVE-2026-31547
https://bugzilla.suse.com/1263018
SUSE Bug 1263018

Описание

In the Linux kernel, the following vulnerability has been resolved: pmdomain: bcm: bcm2835-power: Increase ASB control timeout The bcm2835_asb_control() function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently fails for V3D's master ASB on BCM2711, resulting in "Failed to disable ASB master for v3d" errors during runtime PM suspend. As a consequence, the failed power-off leaves V3D in a broken state, leading to bus faults or system hangs on later accesses. As the timeout is insufficient in some scenarios, increase the polling timeout from 1us to 5us, which is still negligible in the context of a power domain transition. Also, replace the open-coded ktime_get_ns()/ cpu_relax() polling loop with readl_poll_timeout_atomic().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31550.html
CVE-2026-31550
https://bugzilla.suse.com/1263104
SUSE Bug 1263104

Описание

In the Linux kernel, the following vulnerability has been resolved: futex: Require sys_futex_requeue() to have identical flags Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with different flags. The initial motivation for allowing different flags was the variable sized futex, but since that hasn't been merged (yet), simply mandate the flags are identical, as is the case for the old style sys_futex() requeue operations.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31554.html
CVE-2026-31554
https://bugzilla.suse.com/1263107
SUSE Bug 1263107
https://bugzilla.suse.com/1263108
SUSE Bug 1263108

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications (e.g., rping) are active. The netdev reset causes ice driver to remove irdma auxiliary driver, triggering device_delete and subsequent client removal. During client removal, uverbs_client waits for QP reference count to reach zero while cma_client holds the final reference, creating circular dependency and indefinite wait in iWARP mode. Skip QP reference count wait during device reset to prevent deadlock.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31565.html
CVE-2026-31565
https://bugzilla.suse.com/1263064
SUSE Bug 1263064

Описание

In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31579.html
CVE-2026-31579
https://bugzilla.suse.com/1263074
SUSE Bug 1263074

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free: BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385) ** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410") I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh (The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.) Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31586.html
CVE-2026-31586
https://bugzilla.suse.com/1263176
SUSE Bug 1263176
https://bugzilla.suse.com/1263177
SUSE Bug 1263177

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Use scratch field in MMIO fragment to hold small write values When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value. This fixes a class of use-after-free bugs that occur when the emulator initiates a write using an on-stack, local variable as the source, the write splits a page boundary, *and* both pages are MMIO pages. Because KVM's ABI only allows for physically contiguous MMIO requests, accesses that split MMIO pages are separated into two fragments, and are sent to userspace one at a time. When KVM attempts to complete userspace MMIO in response to KVM_RUN after the first fragment, KVM will detect the second fragment and generate a second userspace exit, and reference the on-stack variable. The issue is most visible if the second KVM_RUN is performed by a separate task, in which case the stack of the initiating task can show up as truly freed data. ================================================================== BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420 Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984 CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0xbe/0xfd print_address_description.constprop.0+0x19/0x170 __kasan_report.cold+0x6c/0x84 kasan_report+0x3a/0x50 check_memory_region+0xfd/0x1f0 memcpy+0x20/0x60 complete_emulated_mmio+0x305/0x420 kvm_arch_vcpu_ioctl_run+0x63f/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscall_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 RIP: 0033:0x42477d Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720 The buggy address belongs to the page: page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== The bug can also be reproduced with a targeted KVM-Unit-Test by hacking KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by overwrite the data value with garbage. Limit the use of the scratch fields to 8-byte or smaller accesses, and to just writes, as larger accesses and reads are not affected thanks to implementation details in the emulator, but add a sanity check to ensure those details don't change in the future. Specifically, KVM never uses on-stack variables for accesses larger that 8 bytes, e.g. uses an operand in the emulator context, and *al ---truncated---

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31588.html
CVE-2026-31588
https://bugzilla.suse.com/1263165
SUSE Bug 1263165
https://bugzilla.suse.com/1263166
SUSE Bug 1263166

Описание

In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it. Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31644.html
CVE-2026-31644
https://bugzilla.suse.com/1263048
SUSE Bug 1263048
https://bugzilla.suse.com/1263050
SUSE Bug 1263050

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware. Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31649.html
CVE-2026-31649
https://bugzilla.suse.com/1263582
SUSE Bug 1263582
https://bugzilla.suse.com/1263676
SUSE Bug 1263676

Описание

In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31658.html
CVE-2026-31658
https://bugzilla.suse.com/1263052
SUSE Bug 1263052

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated. Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31662.html
CVE-2026-31662
https://bugzilla.suse.com/1263131
SUSE Bug 1263131
https://bugzilla.suse.com/1263132
SUSE Bug 1263132

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption. Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31666.html
CVE-2026-31666
https://bugzilla.suse.com/1263138
SUSE Bug 1263138

Описание

In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31668.html
CVE-2026-31668
https://bugzilla.suse.com/1263140
SUSE Bug 1263140

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31669.html
CVE-2026-31669
https://bugzilla.suse.com/1263141
SUSE Bug 1263141
https://bugzilla.suse.com/1263144
SUSE Bug 1263144

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31675.html
CVE-2026-31675
https://bugzilla.suse.com/1263556
SUSE Bug 1263556

Описание

In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31678.html
CVE-2026-31678
https://bugzilla.suse.com/1263562
SUSE Bug 1263562

Описание

In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31679.html
CVE-2026-31679
https://bugzilla.suse.com/1263592
SUSE Bug 1263592

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, leaving ports_match_v1() to step past the last valid ports[] element while interpreting the rule. Reject malformed multiport v1 rules in checkentry by validating that each range start has a following element and that the following element is not itself marked as another range start.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31681.html
CVE-2026-31681
https://bugzilla.suse.com/1263593
SUSE Bug 1263593

Описание

In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31682.html
CVE-2026-31682
https://bugzilla.suse.com/1263595
SUSE Bug 1263595

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31684.html
CVE-2026-31684
https://bugzilla.suse.com/1263596
SUSE Bug 1263596

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31685.html
CVE-2026-31685
https://bugzilla.suse.com/1263668
SUSE Bug 1263668
https://bugzilla.suse.com/1263670
SUSE Bug 1263670

Описание

In the Linux kernel, the following vulnerability has been resolved: igb: remove napi_synchronize() in igb_down() When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED. igb_down() calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear, which never happens. igb_down() blocks indefinitely, the TX watchdog fires, and the TX queue remains permanently stalled. napi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE. After a full-budget poll, __napi_poll() checks napi_disable_pending(). If set, it forces completion and clears NAPI_STATE_SCHED, breaking the loop that napi_synchronize() cannot. napi_synchronize() was added in commit 41f149a285da ("igb: Fix possible panic caused by Rx traffic arrival while interface is down"). napi_disable() provides stronger guarantees: it prevents further scheduling and waits for any active poll to exit. Other Intel drivers (ixgbe, ice, i40e) use napi_disable() without a preceding napi_synchronize() in their down paths. Remove redundant napi_synchronize() call and reorder napi_disable() before igb_set_queue_napi() so the queue-to-NAPI mapping is only cleared after polling has fully stopped.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31691.html
CVE-2026-31691
https://bugzilla.suse.com/1263604
SUSE Bug 1263604

Описание

In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31694.html
CVE-2026-31694
https://bugzilla.suse.com/1263901
SUSE Bug 1263901
https://bugzilla.suse.com/1263902
SUSE Bug 1263902

Описание

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31700.html
CVE-2026-31700
https://bugzilla.suse.com/1263882
SUSE Bug 1263882
https://bugzilla.suse.com/1263927
SUSE Bug 1263927

Описание

In the Linux kernel, the following vulnerability has been resolved: vxlan: validate ND option lengths in vxlan_na_create vxlan_na_create() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload. Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31738.html
CVE-2026-31738
https://bugzilla.suse.com/1264059
SUSE Bug 1264059
https://bugzilla.suse.com/1264060
SUSE Bug 1264060

Описание

In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages) The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free. Fix this issue by adding a .may_split callback denying the VMA split. This is XSA-487 / CVE-2026-31787

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-31787.html
CVE-2026-31787
https://bugzilla.suse.com/1262181
SUSE Bug 1262181

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix incorrect pruning due to atomic fetch precision tracking When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location. The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise! Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such. Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants. Before: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit After: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0 mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1 mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43009.html
CVE-2026-43009
https://bugzilla.suse.com/1264014
SUSE Bug 1264014

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350 Allowing to read kernel memory bytes off the expectation boundary. CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43025.html
CVE-2026-43025
https://bugzilla.suse.com/1263931
SUSE Bug 1263931
https://bugzilla.suse.com/1264253
SUSE Bug 1264253

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup. After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free. Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed. BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seq_printf+0x17a/0x240 exp_seq_show+0x2e5/0x560 seq_read_iter+0x419/0x1280 proc_reg_read+0x1ac/0x270 vfs_read+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43027.html
CVE-2026-43027
https://bugzilla.suse.com/1263933
SUSE Bug 1263933
https://bugzilla.suse.com/1264252
SUSE Bug 1264252

Описание

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43037.html
CVE-2026-43037
https://bugzilla.suse.com/1263995
SUSE Bug 1263995
https://bugzilla.suse.com/1265197
SUSE Bug 1265197

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this? This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43038.html
CVE-2026-43038
https://bugzilla.suse.com/1264097
SUSE Bug 1264097

Описание

In the Linux kernel, the following vulnerability has been resolved: mshv: Fix error handling in mshv_region_pin The current error handling has two issues: First, pin_user_pages_fast() can return a short pin count (less than requested but greater than zero) when it cannot pin all requested pages. This is treated as success, leading to partially pinned regions being used, which causes memory corruption. Second, when an error occurs mid-loop, already pinned pages from the current batch are not properly accounted for before calling mshv_region_invalidate_pages(), causing a page reference leak. Treat short pins as errors and fix partial batch accounting before cleanup.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43045.html
CVE-2026-43045
https://bugzilla.suse.com/1263942
SUSE Bug 1263942
https://bugzilla.suse.com/1263943
SUSE Bug 1263943

Описание

In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix use-after-free in sock_def_readable() A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue. The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown. Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns. v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue(). Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43050.html
CVE-2026-43050
https://bugzilla.suse.com/1264082
SUSE Bug 1264082
https://bugzilla.suse.com/1264083
SUSE Bug 1264083

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43060.html
CVE-2026-43060
https://bugzilla.suse.com/1264183
SUSE Bug 1264183

Описание

In the Linux kernel, the following vulnerability has been resolved: net: txgbe: leave space for null terminators on property_entry Lists of struct property_entry are supposed to be terminated with an empty property, this driver currently seems to be allocating exactly the amount of entry used. Change the struct definition to leave an extra element for all property_entry.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43082.html
CVE-2026-43082
https://bugzilla.suse.com/1264233
SUSE Bug 1264233

Описание

In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE` Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43088.html
CVE-2026-43088
https://bugzilla.suse.com/1264469
SUSE Bug 1264469

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43153.html
CVE-2026-43153
https://bugzilla.suse.com/1264586
SUSE Bug 1264586
https://bugzilla.suse.com/1265065
SUSE Bug 1265065

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43190.html
CVE-2026-43190
https://bugzilla.suse.com/1264848
SUSE Bug 1264848
https://bugzilla.suse.com/1264849
SUSE Bug 1264849

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43265.html
CVE-2026-43265
https://bugzilla.suse.com/1264427
SUSE Bug 1264427

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43329.html
CVE-2026-43329
https://bugzilla.suse.com/1265085
SUSE Bug 1265085
https://bugzilla.suse.com/1265317
SUSE Bug 1265317

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount ...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this... meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0 ...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43365.html
CVE-2026-43365
https://bugzilla.suse.com/1265119
SUSE Bug 1265119
https://bugzilla.suse.com/1265120
SUSE Bug 1265120

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43366.html
CVE-2026-43366
https://bugzilla.suse.com/1265116
SUSE Bug 1265116
https://bugzilla.suse.com/1265117
SUSE Bug 1265117

Описание

In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: <IRQ> ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43441.html
CVE-2026-43441
https://bugzilla.suse.com/1264674
SUSE Bug 1264674
https://bugzilla.suse.com/1264675
SUSE Bug 1264675

Описание

In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43494.html
CVE-2026-43494
https://bugzilla.suse.com/1265626
SUSE Bug 1265626
https://bugzilla.suse.com/1265945
SUSE Bug 1265945

Описание

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-43503.html
CVE-2026-43503
https://bugzilla.suse.com/1265209
SUSE Bug 1265209
https://bugzilla.suse.com/1265960
SUSE Bug 1265960
https://bugzilla.suse.com/1266229
SUSE Bug 1266229

Описание

In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

Затронутые продукты

openSUSE Leap 16.0:cluster-md-kmp-64kb-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-azure-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-default-6.12.0-160000.33.1

openSUSE Leap 16.0:cluster-md-kmp-rt-6.12.0-160000.33.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-46333.html
CVE-2026-46333
https://bugzilla.suse.com/1265308
SUSE Bug 1265308
https://bugzilla.suse.com/1265384
SUSE Bug 1265384

openSUSE-SU-2026:20826-1

Описание

Список пакетов

openSUSE Leap 16.0

Ссылки

Уязвимость: CVE-2023-2058

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-14027

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-40181

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-40219

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-68265

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-68310

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-71238

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-71268

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-71269

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-71302

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23168

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23209

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23236

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23237

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23245

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23246

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23253

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23260

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-23261

Описание

Затронутые продукты