Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

---

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Title of the patch: Security update for the Linux Kernel

---

Description of the patch: The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2023-20585: iommu/amd: Use maximum Event log buffer size when SNP is enabled on Family 0x19 (bsc#1243603). - CVE-2026-3150: bcache: fix cached_dev.sb_bio use-after-free and crash (bsc#1263169). - CVE-2026-23359: bpf: Fix stack-out-of-bounds write in devmap (bsc#1260584). - CVE-2026-23380: tracing: Fix WARN_ON in tracing_buffers_mmap_close (bsc#1260539). - CVE-2026-23444: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure (bsc#1266307). - CVE-2026-31464: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() (bsc#1262656). - CVE-2026-31480: tracing: Fix potential deadlock in cpu hotplug with osnoise (bsc#1262634). - CVE-2026-31483: s390/barrier: Make array_index_mask_nospec() __always_inline (bsc#1261590 bsc#1262771). - CVE-2026-31493: RDMA/efa: Fix use of completion ctx after free (bsc#1262668). - CVE-2026-31516: xfrm: prevent policy_hthresh.work from racing with netns teardown (bsc#1262755). - CVE-2026-31521: module: Fix kernel panic when a symbol st_shndx is out of bounds (bsc#1263102). - CVE-2026-31568: s390/mm: Add missing secure storage access fixups for donated memory (bsc#1263068). - CVE-2026-31575: mm/userfaultfd: fix hugetlb fault mutex hash calculation (bsc#1263067). - CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response (bsc#1263769). - CVE-2026-31614: smb: client: fix off-by-8 bounds check in check_wsl_eas() (bsc#1263774). - CVE-2026-31729: usb: typec: ucsi: validate connector number in ucsi_notify_common() (bsc#1264112). - CVE-2026-31736: net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled (bsc#1263908). - CVE-2026-43012: net/mlx5: Fix switchdev mode rollback in case of failure (bsc#1264016). - CVE-2026-43013: net/mlx5: lag: Check for LAG device before creating debugfs (bsc#1264011). - CVE-2026-43054: scsi: target: tcm_loop: Drain commands in target_reset handler (bsc#1264063). - CVE-2026-43112: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (bsc#1264437). - CVE-2026-43234: team: avoid NETDEV_CHANGEMTU event when unregistering slave (bsc#1264409). - CVE-2026-43252: mptcp: pm: in-kernel: always set ID as avail when rm endp (bsc#1264300). - CVE-2026-43325: wifi: iwlwifi: mvm: don't send a 6E related command when not supported (bsc#1265110). - CVE-2026-43328: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path (bsc#1264832). - CVE-2026-43333: bpf: reject direct access to nullable PTR_TO_BUF pointers (bsc#1264726). - CVE-2026-43338: btrfs: reserve enough transaction items for qgroup ioctls (bsc#1264716). - CVE-2026-43341: net/ipv6: ioam6: prevent schema length wraparound in trace fill (bsc#1265044). - CVE-2026-43359: btrfs: fix transaction abort on set received ioctl due to item overflow (bsc#1264719). - CVE-2026-43360: btrfs: fix transaction abort on file creation due to name hash collision (bsc#1264720). - CVE-2026-43361: btrfs: fix transaction abort when snapshotting received subvolumes (bsc#1264722). - CVE-2026-43362: smb: client: fix in-place encryption corruption in SMB2_write() (bsc#1264989). - CVE-2026-43414: scsi: qla2xxx: Completely fix fcport double free (bsc#1264669). - CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1266001). - CVE-2026-45843: slip: bound decode() reads against the compressed packet length (bsc#1266395). - CVE-2026-46110: net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() (bsc#1266759). The following non security issues were fixed: - ACPI: x86: cmos_rtc: Clean up address space handler driver (stable-fixes). - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver (git-fixes). - ALSA: asihpi: Fix potential OOB array access at reading cache (stable-fixes). - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 (stable-fixes). - ALSA: pcm: Don't setup bogus iov_iter for silencing (git-fixes). - ALSA: pcm: oss: Fix setup list UAF on proc write error (git-fixes). - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 (git-fixes). - ALSA: seq: avoid past-the-end iterator in snd_seq_create_port() (git-fixes). - ALSA: seq: Serialize UMP output teardown with event_input (git-fixes). - ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register() (git-fixes). - ALSA: ua101: Reject too-short USB descriptors (git-fixes). - arm64: tlb: Flush walk cache when unsharing PMD tables (git-fixes). - ASoC: codecs: simple-mux: Fix enum control bounds check (git-fixes). - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() (git-fixes). - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors (git-fixes). - ASoC: qcom: q6asm-dai: close stream only when running (git-fixes). - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks (git-fixes). - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params (git-fixes). - ASoC: SOF: ipc3: Use standard dev_dbg API (stable-fixes). - auxdisplay: line-display: fix OOB read on zero-length message_store() (git-fixes). - bcache: fix uninitialized closure object (git-fixes). - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() (git-fixes). - Bluetooth: bnep: Fix UAF read of dev->name (git-fixes). - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (git-fixes). - Bluetooth: btmtk: fix urb->setup_packet leak in error paths (git-fixes). - Bluetooth: btusb: Allow firmware re-download when version matches (git-fixes). - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() (git-fixes). - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync (git-fixes). - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close (git-fixes). - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths (git-fixes). - Bluetooth: HIDP: fix missing length checks in hidp_input_report() (git-fixes). - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START (git-fixes). - Bluetooth: ISO: fix UAF in iso_recv_frame (git-fixes). - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock (git-fixes). - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success (git-fixes). - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer (git-fixes). - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn (git-fixes). - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp (git-fixes). - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() (git-fixes). - Bluetooth: MGMT: validate Add Extended Advertising Data length (git-fixes). - Bluetooth: serialize accept_q access (git-fixes). - btrfs: do not mark inode incompressible after inline attempt fails (git-fixes). - comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() (git-fixes). - comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() (git-fixes). - device property: set fwnode->secondary to NULL in fwnode_init() (git-fixes). - dm: fix a buffer overflow in ioctl processing (git-fixes). - drm/amd/display: Fix integer overflow in bios_get_image() (stable-fixes). - drm/amd/display: Validate GPIO pin LUT table size before iterating (stable-fixes). - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async (stable-fixes). - drm/amd/pm/si: Disregard vblank time when no displays are connected (git-fixes). - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated (git-fixes). - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled (git-fixes). - drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets (git-fixes). - drm/amdgpu/vce3: Fix VCE 3 firmware size and offsets (git-fixes). - drm/amdgpu/vpe: Force collaborate sync after TRAP (stable-fixes). - drm/amdgpu: add amdgpu_device reference in ip block (stable-fixes). - drm/amdgpu: fix spelling typos (stable-fixes). - drm/amdgpu: update the handle ptr in dump_ip_state (stable-fixes). - drm/amdgpu: update the handle ptr in early_init (stable-fixes). - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe (git-fixes). - drm/bridge: it66121: acquire reset GPIO in probe (git-fixes). - drm/bridge: megachips: remove bridge when irq request fails (git-fixes). - drm/hyperv: validate resolution_count and fix WIN8 fallback (git-fixes). - drm/hyperv: validate VMBus packet size in receive callback (git-fixes). - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP (git-fixes). - drm/i915: Fix potential UAF in TTM object purge (git-fixes). - drm/msm/dsi: don't dump registers past the mapped region (git-fixes). - drm/msm/snapshot: fix dumping of the unaligned regions (git-fixes). - drm/radeon/evergreen_cs: Add missing NULL prefix check in surface check (git-fixes). - drm/virtio: use uninterruptible resv lock for plane updates (git-fixes). - drm/xe/gsc: Fix double-free of managed BO in error path (git-fixes). - drm/xe/oa: Fix exec_queue leak on width check in stream open (git-fixes). - drm/xe/pf: Fix CFI failure in debugfs access (git-fixes). - drm/xe/vf: Fix signature of print functions (git-fixes). - drm/xe: Define CACHE_MODE_1 as MCR register (git-fixes). - efi: Allocate runtime workqueue before ACPI init (git-fixes). - firmware: arm_ffa: Align RxTx buffer size before mapping (git-fixes). - firmware: arm_ffa: Check for NULL FF-A ID table while driver registration (git-fixes). - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue (git-fixes). - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure (git-fixes). - gve: Add RSS cache for non RSS device option scenario (bsc#1265925). - gve: add XDP DROP and PASS support for DQ (bsc#1265925). - gve: Enable reading max ring size from the device in DQO-QPL mode (bsc#1265925). - gve: introduce config-based allocation for XDP (bsc#1265925). - gve: merge packet buffer size fields (bsc#1265925). - gve: remove xdp_xsk_done and xdp_xsk_wakeup statistics (bsc#1265925). - gve: update GQ RX to use buf_size (bsc#1265925). - gve: Update QPL page registration logic (bsc#1265925). - gve: update XDP allocation path support RX buffer posting (bsc#1265925). - HID: playstation: Clamp num_touch_reports (git-fixes). - HID: quirks: really enable the intended work around for appledisplay (git-fixes). - HID: uclogic: Fix regression of input name assignment (git-fixes). - hwmon: (lenovo-ec-sensors): Convert to devm_request_region() (git-fixes). - hwmon: (lenovo-ec-sensors): Fix EC "MCHP" signature validation logic (git-fixes). - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer (git-fixes). - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR (git-fixes). - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple (git-fixes). - hwmon: (pmbus/adm1266) include adapter number in GPIO line label (git-fixes). - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer (git-fixes). - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() (git-fixes). - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() (git-fixes). - hwmon: (pmbus/adm1266) reject implausible blackbox record_count (git-fixes). - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors (git-fixes). - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock (git-fixes). - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX (git-fixes). - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp (git-fixes). - iio: adc: npcm: fix unbalanced clk_disable_unprepare() (git-fixes). - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw (git-fixes). - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux (git-fixes). - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() (git-fixes). - iio: buffer: hw-consumer: fix use-after-free in error path (git-fixes). - iio: dac: ad5686: acquire lock when doing powerdown control (git-fixes). - iio: dac: ad5686: fix input raw value check (git-fixes). - iio: dac: max5821: fix return value check in powerdown sync (git-fixes). - iio: gyro: adis16260: fix division by zero in write_raw (git-fixes). - iio: gyro: itg3200: fix i2c read into the wrong stack location (git-fixes). - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer (git-fixes). - iio: light: cm3323: fix reg_conf not being initialized correctly (git-fixes). - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL (git-fixes). - iio: ssp_sensors: cancel delayed work_refresh on remove (git-fixes). - iio: temperature: tsys01: fix broken PROM checksum validation (git-fixes). - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem (git-fixes). - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() (git-fixes). - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size (git-fixes). - Input: xpad - fix out-of-bounds access for Share button (git-fixes). - KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE (git-fixes). - KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation (git-fixes). - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (git-fixes). - KVM: x86: Fix Xen hypercall tracepoint argument assignment (git-fixes). - KVM: x86: Return the VM's configured APIC bus frequency when queried (git-fixes). - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe (git-fixes). - media: i2c: og01a1b: Replace client->dev usage (stable-fixes). - net: mana: Add NULL guards in teardown path to prevent panic on attach failure (git-fixes). - net: mana: Expose hardware diagnostic info via debugfs (bsc#1266414). - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer (bsc#1265928). - net: mana: hardening: Reject zero max_num_queues from GDMA_QUERY_MAX_RESOURCES (git-fixes). - net: mana: hardening: Reject zero max_num_queues from MANA_QUERY_VPORT_CONFIG (git-fixes). - net: mana: Skip redundant detach on already-detached port (git-fixes). - net: mana: Use kvmalloc for large RX queue and buffer allocations (bsc#1266765). - net: mana: Use per-queue allocation for tx_qp to reduce allocation size (bsc#1266765). - net: mana: validate rx_req_idx to prevent out-of-bounds array access (bsc#1266402). - parport: Fix race between port and client registration (git-fixes). - platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 (git-fixes). - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL (git-fixes). - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL (git-fixes). - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL (git-fixes). - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL (git-fixes). - RDMA/efa: Check stored completion CTX command ID with received one (git-fixes). - RDMA/efa: Extend admin timeout error print (git-fixes). - RDMA/efa: Fix possible deadlock (git-fixes). - RDMA/efa: Improve admin completion context state machine (git-fixes). - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port (git-fixes). - Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" (git-fixes). - s390/pfault: Fix virtual vs physical address confusion (bsc#1262754). - scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP (git-fixes). - scsi: mpi3mr: Clear reset history on ready and recheck state after timeout (git-fixes). - scsi: ses: Handle positive SCSI error from ses_recv_diag() (git-fixes). - scsi: ufs: core: Fix shift out of bounds when MAXQ=32 (git-fixes). - security/keys: fix missed RCU read section on lookup (stable-fixes). - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma (git-fixes). - serial: qcom-geni: fix UART_RX_PAR_EN bit position (git-fixes). - serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ (git-fixes). - smb: client: reject userspace cifs.spnego descriptions (bsc#1266238). - spi: ep93xx: fix error pointer deref after DMA setup failure (git-fixes). - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() (git-fixes). - spi: qup: fix error pointer deref after DMA setup failure (git-fixes). - spi: sprd: fix error pointer deref after DMA setup failure (git-fixes). - spi: ti-qspi: fix use-after-free after DMA setup failure (git-fixes). - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow (git-fixes). - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() (git-fixes). - tracing: Switch trace_osnoise.c code over to use guard() and __free() (bsc#1262634). - tty: serial: pch_uart: add check for dma_alloc_coherent() (git-fixes). - tty: serial: samsung: Remove redundant port lock acquisition in rx helpers (git-fixes). - USB: cdc-acm: Fix bit overlap and move quirk definitions to header (git-fixes). - usb: cdns3: gadget: fix request skipping after clearing halt (git-fixes). - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure (git-fixes). - usb: chipidea: core: convert ci_role_switch to local variable (git-fixes). - usb: dwc2: Fix use after free in debug code (git-fixes). - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling (git-fixes). - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports (git-fixes). - usb: gadget: f_fs: copy only received bytes on short ep0 read (git-fixes). - usb: gadget: f_fs: serialize DMABUF cancel against request completion (git-fixes). - usb: gadget: f_hid: fix device reference leak in hidg_alloc() (git-fixes). - usb: gadget: net2280: Fix double free in probe error path (git-fixes). - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind (git-fixes). - USB: serial: belkin_sa: validate interrupt status length (git-fixes). - USB: serial: cypress_m8: validate interrupt packet headers (git-fixes). - USB: serial: keyspan: fix missing indat transfer sanity check (git-fixes). - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check (git-fixes). - USB: serial: mxuport: fix memory corruption with small endpoint (git-fixes). - USB: serial: omninet: fix memory corruption with small endpoint (git-fixes). - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL (git-fixes). - USB: serial: safe_serial: fix memory corruption with small endpoint (git-fixes). - usb: typec: tcpm: improve handling of DISCOVER_MODES failures (git-fixes). - usb: typec: ucsi: Don't update power_supply on power role change if not connected (git-fixes). - usb: usbtmc: check URB actual_length for interrupt-IN notifications (git-fixes). - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize (git-fixes). - usbip: vudc: Fix use after free bug in vudc_remove due to race condition (git-fixes). - virt: sev-guest: Explicitly leak pages in unknown state (git-fixes). - wifi: ath10k: skip WMI and beacon transmission when device is wedged (git-fixes). - wifi: ath11k: clear shared SRNG pointer state on restart (git-fixes). - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() (git-fixes). - wifi: ath11k: fix error path leaks in some WMI calls (git-fixes). - wifi: ath11k: fix error path leaks in some WMI WOW calls (git-fixes). - wifi: ath11k: fix peer resolution on rx path when peer_id=0 (git-fixes). - wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce() (git-fixes). - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() (git-fixes). - wifi: mac80211: consume only present negotiated TTLM maps (git-fixes). - wifi: mac80211: fix MLE defragmentation (git-fixes). - wifi: mac80211: fix multi-link element inheritance (git-fixes).

---

Patchnames: openSUSE-Leap-16.0-897

---

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).