SB20260417140 - openEuler 22.03 LTS SP4 update for kernel
Published: April 17, 2026
Description
This security bulletin contains information about 19 security vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2022-50300)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the read_one_chunk() function in fs/btrfs/volumes.c. A local user can escalate privileges on the system.
2) Improper locking (CVE-ID: CVE-2022-50518)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the pdc_io_reset_devices(), pdc_iodc_print() and pdc_iodc_getc() functions in arch/parisc/kernel/firmware.c. A local user can perform a denial of service (DoS) attack.
3) Use-after-free (CVE-ID: CVE-2023-53194)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the indx_get_root() function in fs/ntfs3/index.c. A local user can escalate privileges on the system.
4) Use-after-free (CVE-ID: CVE-2025-38476)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the rpl_do_srh_inline() function in net/ipv6/rpl_iptunnel.c. A local user can escalate privileges on the system.
5) Input validation error (CVE-ID: CVE-2025-39794)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the tegra_cpu_reset_handler_enable() function in arch/arm/mach-tegra/reset.c. A local user can perform a denial of service (DoS) attack.
6) Out-of-bounds read (CVE-ID: CVE-2025-40205)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the btrfs_encode_fh() function in fs/btrfs/export.c. A local user can perform a denial of service (DoS) attack.
7) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23253)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in the dvb_ringbuffer component when reopening a DVR device. A local user can open a specially crafted DVR device to cause a denial of service.
The issue arises because dvb_dvr_open() reinitializes the shared waitqueue head, which can orphan existing waitqueue entries from io_uring poll or epoll, leading to stale pointers and potential system instability.
8) Out-of-bounds read (CVE-ID: CVE-2026-23269)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the AppArmor subsystem's DFA state table validation when processing untrusted policy data. A local user can provide a specially crafted AppArmor policy with an out-of-bounds start state to trigger an out-of-bounds read during policy unpacking.
Exploitation requires the ability to load or modify AppArmor policies, which typically requires privileged access. The out-of-bounds read may expose contents of kernel memory.
9) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23389)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the ice_set_ringparam() function when processing ring parameter configuration. A local user can trigger improper memory deallocation to cause a denial of service.
Exploitation requires access to the network interface control functionality, which is typically available to local users with network configuration privileges.
10) Uncontrolled Recursion (CVE-ID: CVE-2026-23404)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor profile removal functionality when handling deeply nested profiles. A local attacker can send a specially crafted request to cause a denial of service.
Exploitation requires the ability to load AppArmor profiles and trigger their removal, which is typically available to unprivileged users on systems where AppArmor is enabled.
11) Resource exhaustion (CVE-ID: CVE-2026-23405)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the AppArmor policy namespace subsystem when creating nested policy namespaces. A local user can create deeply nested policy namespaces to cause a denial of service.
Exploitation requires the ability to create AppArmor policy namespaces, which is available to unprivileged users in a user namespace.
12) Out-of-bounds write (CVE-ID: CVE-2026-23406)
The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.
The vulnerability exists due to improper pointer arithmetic in the AppArmor match_char() macro within the Linux kernel's DFA matching logic when processing path permissions during file open operations. A local user can provide a specially crafted file access request that triggers differential encoding chain traversal with a post-incremented string pointer, causing the pointer to advance multiple times per iteration and resulting in out-of-bounds memory reads. This can lead to kernel memory corruption and system instability.
The vulnerability is exploitable during AppArmor policy enforcement when opening files, and may allow privilege escalation or system crash.
13) Out-of-bounds write (CVE-ID: CVE-2026-23407)
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to improper bounds checking in the AppArmor verify_dfa() function when parsing a malformed DFA policy. A local user can provide a specially crafted AppArmor policy with differential encoding that triggers out-of-bounds memory access to execute arbitrary code or crash the kernel.
Successful exploitation requires the ability to load a malicious AppArmor profile, which requires user privileges but no special administrative rights beyond those needed to manage AppArmor policies.
14) Double free (CVE-ID: CVE-2026-23408)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the AppArmor profile replacement component when processing user-supplied profile data. A local user can send a specially crafted request to cause a denial of service.
15) Use-after-free (CVE-ID: CVE-2026-23410)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in AppArmor rawdata inode handling when opening rawdata files while simultaneously removing the corresponding profile. A local attacker can trigger a race condition to access freed memory and cause a denial of service.
16) Race condition (CVE-ID: CVE-2026-23411)
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the AppArmor i_private data management when filesystem callback functions are accessed after the reference has been removed. A local attacker can exploit the race between freeing the data and filesystem access to cause a use-after-free and a denial of service.
The issue arises when the inode persists beyond AppArmor data cleanup and filesystem callbacks are invoked after the reference has been released. This race condition primarily affects data stored in i_private, including rawdata/loaddata interfaces.
17) Use-after-free (CVE-ID: CVE-2026-23452)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.
The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.
18) Use-after-free (CVE-ID: CVE-2026-31408)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.
The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.
19) Improper Privilege Management (CVE-ID: CVE-2026-31788)
The vulnerability allows a local user to escalate privileges and modify kernel memory contents, breaking secure boot protections.
The vulnerability exists due to improper access control in the Xen privcmd driver when handling hypercalls from user space processes in an unprivileged domU running with secure boot enabled. A local user can exploit this by issuing arbitrary hypercalls to escalate privileges and modify kernel memory, compromising the integrity of the secure boot environment.
Exploitation requires the user to have root privileges within the unprivileged domU guest. The impact is particularly severe when secure boot is enabled, as it allows bypassing memory integrity protections.
Remediation
Install the update from the vendor's website.