SB20260417143 - openEuler 24.03 LTS SP1 update for kernel

Published: April 17, 2026

Security Bulletin ID: SB20260417143
Severity: High
Patch available: Yes
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 0%
High: 8%
Medium: 8%
Low: 83%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Use of uninitialized resource (CVE-ID: CVE-2025-68291)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the mptcp_do_fastclose() function in net/mptcp/protocol.c. A local user can perform a denial of service (DoS) attack.


2) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-23247)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper output neutralization in the TCP sequence number generation mechanism when handling SYN cookies. A remote attacker can send specially crafted TCP connection requests to disclose sensitive information.

The attacker can exploit the side-channel to infer TCP source ports, enabling off-path attacks that leak information about connection parameters.


3) Out-of-bounds read (CVE-ID: CVE-2026-23269)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the AppArmor subsystem's DFA state table validation when processing untrusted policy data. A local user can provide a specially crafted AppArmor policy with an out-of-bounds start state to trigger an out-of-bounds read during policy unpacking.

Exploitation requires the ability to load or modify AppArmor policies, which typically requires privileged access. The out-of-bounds read may expose contents of kernel memory.


4) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23389)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the ice_set_ringparam() function when processing ring parameter configuration. A local user can trigger improper memory deallocation to cause a denial of service.

Exploitation requires access to the network interface control functionality, which is typically available to local users with network configuration privileges.


5) Race condition (CVE-ID: CVE-2026-23440)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the net/mlx5e IPSec ESN update handling path when processing ESN wrap events in IPSec full offload mode. A local user can trigger duplicate ESN update handling to cause a denial of service.

Processing the same event twice can incorrectly increment the ESN high-order bits and program invalid ESN state into hardware, resulting in anti-replay failures and a complete halt of IPSec traffic.


6) Race condition (CVE-ID: CVE-2026-23441)

The vulnerability allows a local user to cause unexpected behavior and incorrect results.

The vulnerability exists due to a race condition in the IPSec ASO context handling in the mlx5e driver when processing concurrent IPSec offload ASO operations. A local user can trigger concurrent query or update operations to cause unexpected behavior and incorrect results.

The issue arises because a shared DMA-mapped context is used for ASO operations and can be overwritten before earlier hardware processing completes.


7) Memory leak (CVE-ID: CVE-2026-23444)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper memory management in ieee80211_tx_prepare_skb() when processing transmit skbs. A local attacker can trigger an error path that does not free an skb to cause a denial of service.

The issue affects the first error path where ieee80211_tx_prepare() returns TX_DROP, resulting in inconsistent skb handling compared to the other error paths.


8) Use-after-free (CVE-ID: CVE-2026-23461)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in l2cap_unregister_user() when accessing conn->users and conn->hchan concurrently with l2cap_conn_del(). A local attacker can trigger a race condition to cause a denial of service.

The issue is caused by inconsistent locking on the l2cap_conn structure and may also result in list corruption.


9) Out-of-bounds read (CVE-ID: CVE-2026-31393)

The vulnerability allows a remote attacker to disclose adjacent memory contents.

The vulnerability exists due to an out-of-bounds read in l2cap_information_rsp() when processing a truncated L2CAP_INFO_RSP packet with a successful result. A remote attacker can send a specially crafted Bluetooth L2CAP response to disclose adjacent memory contents.

The issue occurs because the code reads response payload data beyond the validated fixed header length for L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN cases.


10) Use-after-free (CVE-ID: CVE-2026-31399)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in nd_async_device_register() when handling asynchronous device initialization after device_add() failure. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because the parent pointer may be accessed after the device reference count drops to zero. No user interaction is required.


11) Out-of-bounds read (CVE-ID: CVE-2026-31405)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read in handle_one_ule_extension() extension handler tables when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.

The out-of-bounds value may be dereferenced and called as a function pointer.


12) Use-after-free (CVE-ID: CVE-2026-31408)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.

The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.


Remediation

Install the update from the vendor's website.