SUSE-SU-2026:2858-1

Vulnerability from csaf_suse - Published: 2026-07-11 04:04 - Updated: 2026-07-11 04:04
Summary
Security update for the Linux Kernel RT (Live Patch 9 for SUSE Linux Enterprise 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 9 for SUSE Linux Enterprise 15 SP7)
Description of the patch: This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.31 fixes various security issues The following security issues were fixed: - CVE-2026-23393: bridge: cfm: Fix race condition in peer_mep deletion (bsc#1260524). - CVE-2026-31505: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() (bsc#1263094). - CVE-2026-31533: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption (bsc#1262759). - CVE-2026-31570: can: gw: fix OOB heap access in cgw_csum_crc8_rel() (bsc#1263118). - CVE-2026-31586: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1263177). - CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets (bsc#1263670). - CVE-2026-31758: usb: usbtmc: Flush anchored URBs in usbtmc_release (bsc#1264094). - CVE-2026-43025: netfilter: ctnetlink: ignore explicit helper on new expectations (bsc#1264253). - CVE-2026-43027: netfilter: nf_conntrack_helper: pass helper to expect cleanup (bsc#1264252). - CVE-2026-43037: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() (bsc#1265197). - CVE-2026-43120: RDMA/irdma: Fix double free related to rereg_user_mr (bsc#1264567). - CVE-2026-43190: netfilter: xt_tcpmss: check remaining length before reading optlen (bsc#1264849). - CVE-2026-43366: io_uring/kbuf: check if target buffer list is still legacy on recycle (bsc#1265117). - CVE-2026-43437: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() (bsc#1265127). - CVE-2026-43494: RDS zerocopy attack aka PinTheft (bsc#1265945). - CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1266015). - CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down (bsc#1267206). - CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink() (bsc#1267893). - CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task (bsc#1267723). - CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267698). - CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions (CIFSwitch) (bsc#1266265). - CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device (bsc#1268662). - CVE-2026-52943: net: skbuff: fix missing zerocopy reference in pskb_carve helpers (bsc#1269023). - CVE-2026-53362: ipv6: account for fraggap on the paged allocation path (bsc#1269495).
Patchnames: SUSE-2026-2858,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2858
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
References
URL Category
https://www.suse.com/support/security/rating/ external
https://ftp.suse.com/pub/projects/security/csaf/s… self
https://www.suse.com/support/update/announcement/… self
https://lists.suse.com/pipermail/sle-updates/2026… self
https://bugzilla.suse.com/1260524 self
https://bugzilla.suse.com/1262759 self
https://bugzilla.suse.com/1263094 self
https://bugzilla.suse.com/1263118 self
https://bugzilla.suse.com/1263177 self
https://bugzilla.suse.com/1263670 self
https://bugzilla.suse.com/1264094 self
https://bugzilla.suse.com/1264252 self
https://bugzilla.suse.com/1264253 self
https://bugzilla.suse.com/1264567 self
https://bugzilla.suse.com/1264849 self
https://bugzilla.suse.com/1265117 self
https://bugzilla.suse.com/1265127 self
https://bugzilla.suse.com/1265197 self
https://bugzilla.suse.com/1265945 self
https://bugzilla.suse.com/1266015 self
https://bugzilla.suse.com/1266265 self
https://bugzilla.suse.com/1267206 self
https://bugzilla.suse.com/1267698 self
https://bugzilla.suse.com/1267723 self
https://bugzilla.suse.com/1267893 self
https://bugzilla.suse.com/1268662 self
https://bugzilla.suse.com/1269023 self
https://bugzilla.suse.com/1269495 self
https://www.suse.com/security/cve/CVE-2026-23393/ self
https://www.suse.com/security/cve/CVE-2026-31505/ self
https://www.suse.com/security/cve/CVE-2026-31533/ self
https://www.suse.com/security/cve/CVE-2026-31570/ self
https://www.suse.com/security/cve/CVE-2026-31586/ self
https://www.suse.com/security/cve/CVE-2026-31685/ self
https://www.suse.com/security/cve/CVE-2026-31758/ self
https://www.suse.com/security/cve/CVE-2026-43025/ self
https://www.suse.com/security/cve/CVE-2026-43027/ self
https://www.suse.com/security/cve/CVE-2026-43037/ self
https://www.suse.com/security/cve/CVE-2026-43120/ self
https://www.suse.com/security/cve/CVE-2026-43190/ self
https://www.suse.com/security/cve/CVE-2026-43366/ self
https://www.suse.com/security/cve/CVE-2026-43437/ self
https://www.suse.com/security/cve/CVE-2026-43494/ self
https://www.suse.com/security/cve/CVE-2026-43501/ self
https://www.suse.com/security/cve/CVE-2026-45970/ self
https://www.suse.com/security/cve/CVE-2026-46120/ self
https://www.suse.com/security/cve/CVE-2026-46173/ self
https://www.suse.com/security/cve/CVE-2026-46227/ self
https://www.suse.com/security/cve/CVE-2026-46243/ self
https://www.suse.com/security/cve/CVE-2026-52909/ self
https://www.suse.com/security/cve/CVE-2026-52943/ self
https://www.suse.com/security/cve/CVE-2026-53362/ self
https://www.suse.com/security/cve/CVE-2026-23393 external
https://bugzilla.suse.com/1260522 external
https://bugzilla.suse.com/1260524 external
https://www.suse.com/security/cve/CVE-2026-31505 external
https://bugzilla.suse.com/1263093 external
https://bugzilla.suse.com/1263094 external
https://www.suse.com/security/cve/CVE-2026-31533 external
https://bugzilla.suse.com/1262758 external
https://bugzilla.suse.com/1262759 external
https://www.suse.com/security/cve/CVE-2026-31570 external
https://bugzilla.suse.com/1263065 external
https://bugzilla.suse.com/1263118 external
https://www.suse.com/security/cve/CVE-2026-31586 external
https://bugzilla.suse.com/1263176 external
https://bugzilla.suse.com/1263177 external
https://www.suse.com/security/cve/CVE-2026-31685 external
https://bugzilla.suse.com/1263668 external
https://bugzilla.suse.com/1263670 external
https://www.suse.com/security/cve/CVE-2026-31758 external
https://bugzilla.suse.com/1264093 external
https://bugzilla.suse.com/1264094 external
https://www.suse.com/security/cve/CVE-2026-43025 external
https://bugzilla.suse.com/1263931 external
https://bugzilla.suse.com/1264253 external
https://www.suse.com/security/cve/CVE-2026-43027 external
https://bugzilla.suse.com/1263933 external
https://bugzilla.suse.com/1264252 external
https://www.suse.com/security/cve/CVE-2026-43037 external
https://bugzilla.suse.com/1263995 external
https://bugzilla.suse.com/1265197 external
https://www.suse.com/security/cve/CVE-2026-43120 external
https://bugzilla.suse.com/1264566 external
https://bugzilla.suse.com/1264567 external
https://www.suse.com/security/cve/CVE-2026-43190 external
https://bugzilla.suse.com/1264848 external
https://bugzilla.suse.com/1264849 external
https://www.suse.com/security/cve/CVE-2026-43366 external
https://bugzilla.suse.com/1265116 external
https://bugzilla.suse.com/1265117 external
https://www.suse.com/security/cve/CVE-2026-43437 external
https://bugzilla.suse.com/1265126 external
https://bugzilla.suse.com/1265127 external
https://www.suse.com/security/cve/CVE-2026-43494 external
https://bugzilla.suse.com/1265626 external
https://bugzilla.suse.com/1265945 external
https://www.suse.com/security/cve/CVE-2026-43501 external
https://bugzilla.suse.com/1266009 external
https://bugzilla.suse.com/1266015 external
https://www.suse.com/security/cve/CVE-2026-45970 external
https://bugzilla.suse.com/1267205 external
https://bugzilla.suse.com/1267206 external
https://www.suse.com/security/cve/CVE-2026-46120 external
https://bugzilla.suse.com/1267640 external
https://bugzilla.suse.com/1267893 external
https://www.suse.com/security/cve/CVE-2026-46173 external
https://bugzilla.suse.com/1267722 external
https://bugzilla.suse.com/1267723 external
https://www.suse.com/security/cve/CVE-2026-46227 external
https://bugzilla.suse.com/1267697 external
https://bugzilla.suse.com/1267698 external
https://www.suse.com/security/cve/CVE-2026-46243 external
https://bugzilla.suse.com/1266238 external
https://bugzilla.suse.com/1266265 external
https://www.suse.com/security/cve/CVE-2026-52909 external
https://bugzilla.suse.com/1268660 external
https://bugzilla.suse.com/1268662 external
https://www.suse.com/security/cve/CVE-2026-52943 external
https://bugzilla.suse.com/1269022 external
https://bugzilla.suse.com/1269023 external
https://www.suse.com/security/cve/CVE-2026-53362 external
https://bugzilla.suse.com/1269493 external
https://bugzilla.suse.com/1269495 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel RT (Live Patch 9 for SUSE Linux Enterprise 15 SP7)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.31 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2026-23393: bridge: cfm: Fix race condition in peer_mep deletion (bsc#1260524).\n- CVE-2026-31505: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() (bsc#1263094).\n- CVE-2026-31533: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption (bsc#1262759).\n- CVE-2026-31570: can: gw: fix OOB heap access in cgw_csum_crc8_rel() (bsc#1263118).\n- CVE-2026-31586: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1263177).\n- CVE-2026-31685: netfilter: ip6t_eui64: reject invalid MAC header for all packets (bsc#1263670).\n- CVE-2026-31758: usb: usbtmc: Flush anchored URBs in usbtmc_release (bsc#1264094).\n- CVE-2026-43025: netfilter: ctnetlink: ignore explicit helper on new expectations (bsc#1264253).\n- CVE-2026-43027: netfilter: nf_conntrack_helper: pass helper to expect cleanup (bsc#1264252).\n- CVE-2026-43037: ip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err() (bsc#1265197).\n- CVE-2026-43120: RDMA/irdma: Fix double free related to rereg_user_mr (bsc#1264567).\n- CVE-2026-43190: netfilter: xt_tcpmss: check remaining length before reading optlen (bsc#1264849).\n- CVE-2026-43366: io_uring/kbuf: check if target buffer list is still legacy on recycle (bsc#1265117).\n- CVE-2026-43437: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() (bsc#1265127).\n- CVE-2026-43494: RDS zerocopy attack aka PinTheft (bsc#1265945).\n- CVE-2026-43501: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1266015).\n- CVE-2026-45970: bonding: alb: fix UAF in rlb_arp_recv during bond up/down (bsc#1267206).\n- CVE-2026-46120: ip6_gre: Use cached t-\u003enet in ip6erspan_changelink() (bsc#1267893).\n- CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task (bsc#1267723).\n- CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267698).\n- CVE-2026-46243: smb: client: reject userspace cifs.spnego descriptions (CIFSwitch) (bsc#1266265).\n- CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device (bsc#1268662).\n- CVE-2026-52943: net: skbuff: fix missing zerocopy reference in pskb_carve helpers (bsc#1269023).\n- CVE-2026-53362: ipv6: account for fraggap on the paged allocation path (bsc#1269495).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-2858,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2858",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2858-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:2858-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262858-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:2858-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-July/048117.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1260524",
        "url": "https://bugzilla.suse.com/1260524"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262759",
        "url": "https://bugzilla.suse.com/1262759"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1263094",
        "url": "https://bugzilla.suse.com/1263094"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1263118",
        "url": "https://bugzilla.suse.com/1263118"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1263177",
        "url": "https://bugzilla.suse.com/1263177"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1263670",
        "url": "https://bugzilla.suse.com/1263670"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1264094",
        "url": "https://bugzilla.suse.com/1264094"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1264252",
        "url": "https://bugzilla.suse.com/1264252"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1264253",
        "url": "https://bugzilla.suse.com/1264253"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1264567",
        "url": "https://bugzilla.suse.com/1264567"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1264849",
        "url": "https://bugzilla.suse.com/1264849"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1265117",
        "url": "https://bugzilla.suse.com/1265117"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1265127",
        "url": "https://bugzilla.suse.com/1265127"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1265197",
        "url": "https://bugzilla.suse.com/1265197"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1265945",
        "url": "https://bugzilla.suse.com/1265945"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1266015",
        "url": "https://bugzilla.suse.com/1266015"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1266265",
        "url": "https://bugzilla.suse.com/1266265"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267206",
        "url": "https://bugzilla.suse.com/1267206"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267698",
        "url": "https://bugzilla.suse.com/1267698"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267723",
        "url": "https://bugzilla.suse.com/1267723"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267893",
        "url": "https://bugzilla.suse.com/1267893"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1268662",
        "url": "https://bugzilla.suse.com/1268662"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1269023",
        "url": "https://bugzilla.suse.com/1269023"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1269495",
        "url": "https://bugzilla.suse.com/1269495"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23393 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23393/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31505 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31505/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31533 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31533/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31570 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31570/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31586 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31586/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31685 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31685/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-31758 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-31758/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43025 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43025/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43027 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43027/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43037 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43037/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43120 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43120/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43190 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43190/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43366 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43366/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43437 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43437/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43494 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43494/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-43501 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-43501/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-45970 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-45970/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46120 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46120/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46173 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46173/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46227 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46227/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46243 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46243/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-52909 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-52909/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-52943 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-52943/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-53362 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-53362/"
      }
    ],
    "title": "Security update for the Linux Kernel RT (Live Patch 9 for SUSE Linux Enterprise 15 SP7)",
    "tracking": {
      "current_release_date": "2026-07-11T04:04:31Z",
      "generator": {
        "date": "2026-07-11T04:04:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:2858-1",
      "initial_release_date": "2026-07-11T04:04:31Z",
      "revision_history": [
        {
          "date": "2026-07-11T04:04:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64",
                  "product_id": "kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        },
        "product_reference": "kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23393",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23393"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n           cpu0                                     cpu1\n\nmep_delete_implementation()\n  cancel_delayed_work_sync(ccm_rx_dwork);\n                                           br_cfm_frame_rx()\n                                             // peer_mep still in hlist\n                                             if (peer_mep-\u003eccm_defect)\n                                               ccm_rx_timer_start()\n                                                 queue_delayed_work(ccm_rx_dwork)\n  hlist_del_rcu(\u0026peer_mep-\u003ehead);\n  kfree_rcu(peer_mep, rcu);\n                                           ccm_rx_work_expired()\n                                             // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23393",
          "url": "https://www.suse.com/security/cve/CVE-2026-23393"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260522 for CVE-2026-23393",
          "url": "https://bugzilla.suse.com/1260522"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260524 for CVE-2026-23393",
          "url": "https://bugzilla.suse.com/1260524"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-23393"
    },
    {
      "cve": "CVE-2026-31505",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31505"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix out-of-bounds writes in iavf_get_ethtool_stats()\n\niavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the\nvalue could change in runtime, we should use num_tx_queues instead.\n\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\n\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\n\nThread 1 (ethtool -L)       Thread 2 (work)        Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-\u003e num_active_queues = 8\niavf_schedule_finish_config()\n                                                   iavf_get_sset_count()\n                                                   real_num_tx_queues: 1\n                                                   -\u003e buffer for 1 queue\n                                                   iavf_get_ethtool_stats()\n                                                   num_active_queues: 8\n                                                   -\u003e out-of-bounds!\n                            iavf_finish_config()\n                            -\u003e real_num_tx_queues = 8\n\nUse immutable num_tx_queues in all related functions to avoid the issue.\n\n[1]\n BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\n Write of size 8 at addr ffffc900031c9080 by task ethtool/5800\n\n CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x6f/0xb0\n  print_report+0x170/0x4f3\n  kasan_report+0xe1/0x180\n  iavf_add_one_ethtool_stat+0x200/0x270\n  iavf_get_ethtool_stats+0x14c/0x2e0\n  __dev_ethtool+0x3d0c/0x5830\n  dev_ethtool+0x12d/0x270\n  dev_ioctl+0x53c/0xe30\n  sock_do_ioctl+0x1a9/0x270\n  sock_ioctl+0x3d4/0x5e0\n  __x64_sys_ioctl+0x137/0x1c0\n  do_syscall_64+0xf3/0x690\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7da0e6e36d\n ...\n  \u003c/TASK\u003e\n\n The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\n The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff88813a013de0 pfn:0x13a013\n flags: 0x200000000000000(node=0|zone=2)\n raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\n raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                    ^\n  ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31505",
          "url": "https://www.suse.com/security/cve/CVE-2026-31505"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263093 for CVE-2026-31505",
          "url": "https://bugzilla.suse.com/1263093"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263094 for CVE-2026-31505",
          "url": "https://bugzilla.suse.com/1263094"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31505"
    },
    {
      "cve": "CVE-2026-31533",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31533"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge-\u003eoffset, sge-\u003elength) and decrements\nctx-\u003eencrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31533",
          "url": "https://www.suse.com/security/cve/CVE-2026-31533"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262758 for CVE-2026-31533",
          "url": "https://bugzilla.suse.com/1262758"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262759 for CVE-2026-31533",
          "url": "https://bugzilla.suse.com/1262759"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31533"
    },
    {
      "cve": "CVE-2026-31570",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31570"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n    int from = calc_idx(crc8-\u003efrom_idx, cf-\u003elen);\n    int to   = calc_idx(crc8-\u003eto_idx,   cf-\u003elen);\n    int res  = calc_idx(crc8-\u003eresult_idx, cf-\u003elen);\n\n    if (from \u003c 0 || to \u003c 0 || res \u003c 0)\n        return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n    for (i = crc8-\u003efrom_idx; ...)        /* BUG: raw negative index */\n    cf-\u003edata[crc8-\u003eresult_idx] = ...;    /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf-\u003edata[-64], and the write goes to cf-\u003edata[-64].\nThis write might end up to 56 (7.0-rc) or 40 (\u003c= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31570",
          "url": "https://www.suse.com/security/cve/CVE-2026-31570"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263065 for CVE-2026-31570",
          "url": "https://bugzilla.suse.com/1263065"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263118 for CVE-2026-31570",
          "url": "https://bugzilla.suse.com/1263118"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31570"
    },
    {
      "cve": "CVE-2026-31586",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31586"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb-\u003eblkcg_css) and then later accesses\nwb-\u003eblkcg_css again via blkcg_unpin_online().  If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn -\u003e\nblkcg_css_free -\u003e kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg-\u003eonline_pin, resulting in a use-after-free:\n\n  BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n  Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n   Workqueue: cgwb_release cgwb_release_workfn\n   Call Trace:\n    \u003cTASK\u003e\n     blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n     cgwb_release_workfn (mm/backing-dev.c:629)\n     process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n   Freed by task 1016:\n    kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n    css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n    process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions.  A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow.  To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn().  With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb\u0027s CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31586",
          "url": "https://www.suse.com/security/cve/CVE-2026-31586"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263176 for CVE-2026-31586",
          "url": "https://bugzilla.suse.com/1263176"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263177 for CVE-2026-31586",
          "url": "https://bugzilla.suse.com/1263177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31586"
    },
    {
      "cve": "CVE-2026-31685",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31685"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par-\u003efragoff != 0`. For packets with `par-\u003efragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par-\u003efragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31685",
          "url": "https://www.suse.com/security/cve/CVE-2026-31685"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263668 for CVE-2026-31685",
          "url": "https://bugzilla.suse.com/1263668"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263670 for CVE-2026-31685",
          "url": "https://bugzilla.suse.com/1263670"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31685"
    },
    {
      "cve": "CVE-2026-31758",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-31758"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Flush anchored URBs in usbtmc_release\n\nWhen calling usbtmc_release, pending anchored URBs must be flushed or\nkilled to prevent use-after-free errors (e.g. in the HCD giveback\npath). Call usbtmc_draw_down() to allow anchored URBs to be completed.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-31758",
          "url": "https://www.suse.com/security/cve/CVE-2026-31758"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264093 for CVE-2026-31758",
          "url": "https://bugzilla.suse.com/1264093"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264094 for CVE-2026-31758",
          "url": "https://bugzilla.suse.com/1264094"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-31758"
    },
    {
      "cve": "CVE-2026-43025",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43025"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n  BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n  Read of size 4 at addr ffff8880043fe408 by task poc/102\n  Call Trace:\n   nf_ct_expect_related_report+0x2479/0x27c0\n   ctnetlink_create_expect+0x22b/0x3b0\n   ctnetlink_new_expect+0x4bd/0x5c0\n   nfnetlink_rcv_msg+0x67a/0x950\n   netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43025",
          "url": "https://www.suse.com/security/cve/CVE-2026-43025"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263931 for CVE-2026-43025",
          "url": "https://bugzilla.suse.com/1263931"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264253 for CVE-2026-43025",
          "url": "https://bugzilla.suse.com/1264253"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43025"
    },
    {
      "cve": "CVE-2026-43027",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43027"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately.  Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp-\u003ehelper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n  BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n  Read of size 1 at addr ffff888003b14d20 by task poc/103\n  Call Trace:\n   string+0x38f/0x430\n   vsnprintf+0x3cc/0x1170\n   seq_printf+0x17a/0x240\n   exp_seq_show+0x2e5/0x560\n   seq_read_iter+0x419/0x1280\n   proc_reg_read+0x1ac/0x270\n   vfs_read+0x179/0x930\n   ksys_read+0xef/0x1c0\n  Freed by task 103:\n  The buggy address is located 32 bytes inside of\n   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43027",
          "url": "https://www.suse.com/security/cve/CVE-2026-43027"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263933 for CVE-2026-43027",
          "url": "https://bugzilla.suse.com/1263933"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264252 for CVE-2026-43027",
          "url": "https://bugzilla.suse.com/1264252"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43027"
    },
    {
      "cve": "CVE-2026-43037",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43037"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt-\u003e__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2-\u003ecb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl \u003e= 5).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43037",
          "url": "https://www.suse.com/security/cve/CVE-2026-43037"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1263995 for CVE-2026-43037",
          "url": "https://bugzilla.suse.com/1263995"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265197 for CVE-2026-43037",
          "url": "https://bugzilla.suse.com/1265197"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43037"
    },
    {
      "cve": "CVE-2026-43120",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43120"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix double free related to rereg_user_mr\n\nIf IB_MR_REREG_TRANS is set during rereg_user_mr, the\numem will be released and a new one will be allocated\nin irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans\nfails after the new umem is allocated, it releases the umem,\nbut does not set iwmr-\u003eregion to NULL. The problem is that\nthis failure is propagated to the user, who will then call\nibv_dereg_mr (as they should). Then, the dereg_mr path will\nsee a non-NULL umem and attempt to call ib_umem_release again.\n\nFix this by setting iwmr-\u003eregion to NULL after ib_umem_release.\n\nFixed: 5ac388db27c4 (\"RDMA/irdma: Add support to re-register a memory region\")",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43120",
          "url": "https://www.suse.com/security/cve/CVE-2026-43120"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264566 for CVE-2026-43120",
          "url": "https://bugzilla.suse.com/1264566"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264567 for CVE-2026-43120",
          "url": "https://bugzilla.suse.com/1264567"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43120"
    },
    {
      "cve": "CVE-2026-43190",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43190"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_tcpmss: check remaining length before reading optlen\n\nQuoting reporter:\n  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads\n op[i+1] directly without validating the remaining option length.\n\n  If the last byte of the option field is not EOL/NOP (0/1), the code attempts\n  to index op[i+1]. In the case where i + 1 == optlen, this causes an\n  out-of-bounds read, accessing memory past the optlen boundary\n  (either reading beyond the stack buffer _opt or the\n  following payload).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43190",
          "url": "https://www.suse.com/security/cve/CVE-2026-43190"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264848 for CVE-2026-43190",
          "url": "https://bugzilla.suse.com/1264848"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264849 for CVE-2026-43190",
          "url": "https://bugzilla.suse.com/1264849"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43190"
    },
    {
      "cve": "CVE-2026-43366",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43366"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: check if target buffer list is still legacy on recycle\n\nThere\u0027s a gap between when the buffer was grabbed and when it\npotentially gets recycled, where if the list is empty, someone could\u0027ve\nupgraded it to a ring provided type. This can happen if the request\nis forced via io-wq. The legacy recycling is missing checking if the\nbuffer_list still exists, and if it\u0027s of the correct type. Add those\nchecks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43366",
          "url": "https://www.suse.com/security/cve/CVE-2026-43366"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265116 for CVE-2026-43366",
          "url": "https://bugzilla.suse.com/1265116"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265117 for CVE-2026-43366",
          "url": "https://bugzilla.suse.com/1265117"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43366"
    },
    {
      "cve": "CVE-2026-43437",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43437"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()\n\nIn the drain loop, the local variable \u0027runtime\u0027 is reassigned to a\nlinked stream\u0027s runtime (runtime = s-\u003eruntime at line 2157).  After\nreleasing the stream lock at line 2169, the code accesses\nruntime-\u003eno_period_wakeup, runtime-\u003erate, and runtime-\u003ebuffer_size\n(lines 2170-2178) - all referencing the linked stream\u0027s runtime without\nany lock or refcount protecting its lifetime.\n\nA concurrent close() on the linked stream\u0027s fd triggers\nsnd_pcm_release_substream() -\u003e snd_pcm_drop() -\u003e pcm_release_private()\n-\u003e snd_pcm_unlink() -\u003e snd_pcm_detach_substream() -\u003e kfree(runtime).\nNo synchronization prevents kfree(runtime) from completing while the\ndrain path dereferences the stale pointer.\n\nFix by caching the needed runtime fields (no_period_wakeup, rate,\nbuffer_size) into local variables while still holding the stream lock,\nand using the cached values after the lock is released.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43437",
          "url": "https://www.suse.com/security/cve/CVE-2026-43437"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265126 for CVE-2026-43437",
          "url": "https://bugzilla.suse.com/1265126"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265127 for CVE-2026-43437",
          "url": "https://bugzilla.suse.com/1265127"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43437"
    },
    {
      "cve": "CVE-2026-43494",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43494"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm-\u003edata.op_mmp_znotifier is cleared.  But we fail to properly\nclear rm-\u003edata.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user().",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43494",
          "url": "https://www.suse.com/security/cve/CVE-2026-43494"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265626 for CVE-2026-43494",
          "url": "https://bugzilla.suse.com/1265626"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265945 for CVE-2026-43494",
          "url": "https://bugzilla.suse.com/1265945"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43494"
    },
    {
      "cve": "CVE-2026-43501",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-43501"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr-\u003edaddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back.  The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE\u003e0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom.  Once skb_push() leaves\nfewer than skb-\u003emac_len bytes in front of data,\nskb_mac_header_rebuild()\u0027s call to:\n\n\tskb_set_mac_header(skb, -skb-\u003emac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb-\u003ehead.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-43501",
          "url": "https://www.suse.com/security/cve/CVE-2026-43501"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266009 for CVE-2026-43501",
          "url": "https://bugzilla.suse.com/1266009"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266015 for CVE-2026-43501",
          "url": "https://bugzilla.suse.com/1266015"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-43501"
    },
    {
      "cve": "CVE-2026-45970",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-45970"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: alb: fix UAF in rlb_arp_recv during bond up/down\n\nThe ALB RX path may access rx_hashtbl concurrently with bond\nteardown. During rapid bond up/down cycles, rlb_deinitialize()\nfrees rx_hashtbl while RX handlers are still running, leading\nto a null pointer dereference detected by KASAN.\n\nHowever, the root cause is that rlb_arp_recv() can still be accessed\nafter setting recv_probe to NULL, which is actually a use-after-free\n(UAF) issue. That is the reason for using the referenced commit in the\nFixes tag.\n\n[  214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI\n[  214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]\n[  214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary)\n[  214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022\n[  214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding]\n[  214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6\n 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00\n[  214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206\n[  214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e\n[  214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8\n[  214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8\n[  214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119\n[  214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810\n[  214.286943] FS:  00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000\n[  214.295966] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0\n[  214.310347] Call Trace:\n[  214.313070]  \u003cIRQ\u003e\n[  214.315318]  ? __pfx_rlb_arp_recv+0x10/0x10 [bonding]\n[  214.320975]  bond_handle_frame+0x166/0xb60 [bonding]\n[  214.326537]  ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n[  214.332680]  __netif_receive_skb_core.constprop.0+0x576/0x2710\n[  214.339199]  ? __pfx_arp_process+0x10/0x10\n[  214.343775]  ? sched_balance_find_src_group+0x98/0x630\n[  214.349513]  ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10\n[  214.356513]  ? arp_rcv+0x307/0x690\n[  214.360311]  ? __pfx_arp_rcv+0x10/0x10\n[  214.364499]  ? __lock_acquire+0x58c/0xbd0\n[  214.368975]  __netif_receive_skb_one_core+0xae/0x1b0\n[  214.374518]  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n[  214.380743]  ? lock_acquire+0x10b/0x140\n[  214.385026]  process_backlog+0x3f1/0x13a0\n[  214.389502]  ? process_backlog+0x3aa/0x13a0\n[  214.394174]  __napi_poll.constprop.0+0x9f/0x370\n[  214.399233]  net_rx_action+0x8c1/0xe60\n[  214.403423]  ? __pfx_net_rx_action+0x10/0x10\n[  214.408193]  ? lock_acquire.part.0+0xbd/0x260\n[  214.413058]  ? sched_clock_cpu+0x6c/0x540\n[  214.417540]  ? mark_held_locks+0x40/0x70\n[  214.421920]  handle_softirqs+0x1fd/0x860\n[  214.426302]  ? __pfx_handle_softirqs+0x10/0x10\n[  214.431264]  ? __neigh_event_send+0x2d6/0xf50\n[  214.436131]  do_softirq+0xb1/0xf0\n[  214.439830]  \u003c/IRQ\u003e\n\nThe issue is reproducible by repeatedly running\nip link set bond0 up/down while receiving ARP messages, where\nrlb_arp_recv() can race with rlb_deinitialize() and dereference\na freed rx_hashtbl entry.\n\nFix this by setting recv_probe to NULL and then calling\nsynchronize_net() to wait for any concurrent RX processing to finish.\nThis ensures that no RX handler can access rx_hashtbl after it is freed\nin bond_alb_deinitialize().",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-45970",
          "url": "https://www.suse.com/security/cve/CVE-2026-45970"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267205 for CVE-2026-45970",
          "url": "https://bugzilla.suse.com/1267205"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267206 for CVE-2026-45970",
          "url": "https://bugzilla.suse.com/1267206"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-45970"
    },
    {
      "cve": "CVE-2026-46120",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46120"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t-\u003enet in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice\u0027s creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt-\u003enet; only ip6erspan_changelink() has the wrong shape.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46120",
          "url": "https://www.suse.com/security/cve/CVE-2026-46120"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267640 for CVE-2026-46120",
          "url": "https://bugzilla.suse.com/1267640"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267893 for CVE-2026-46120",
          "url": "https://bugzilla.suse.com/1267893"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46120"
    },
    {
      "cve": "CVE-2026-46173",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46173"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexit: prevent preemption of oopsing TASK_DEAD task\n\nWhen an already-exiting task oopses, make_task_dead() currently calls\ndo_task_dead() with preemption enabled.  That is forbidden:\ndo_task_dead() calls __schedule(), which has a comment saying \"WARNING:\nmust be called with preemption disabled!\".\n\nIf an oopsing task is preempted in do_task_dead(), between becoming\nTASK_DEAD and entering the scheduler explicitly, bad things happen:\nfinish_task_switch() assumes that once the scheduler has switched away\nfrom a TASK_DEAD task, the task can never run again and its stack is no\nlonger needed; but that assumption apparently doesn\u0027t hold if the dead\ntask was preempted (the SM_PREEMPT case).\n\nThis means that the scheduler ends up repeatedly dropping references on\nthe dead task\u0027s stack, which can lead to use-after-free or double-free\nof the entire task stack; in other words, two tasks can end up running\non the same stack, resulting in various kinds of memory corruption.\n\n(This does not just affect \"recursively oopsing\" tasks; it is enough to\noops once during task exit, for example in a file_operations::release\nhandler)",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46173",
          "url": "https://www.suse.com/security/cve/CVE-2026-46173"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267722 for CVE-2026-46173",
          "url": "https://bugzilla.suse.com/1267722"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267723 for CVE-2026-46173",
          "url": "https://bugzilla.suse.com/1267723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46173"
    },
    {
      "cve": "CVE-2026-46227",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46227"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46227",
          "url": "https://www.suse.com/security/cve/CVE-2026-46227"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267697 for CVE-2026-46227",
          "url": "https://bugzilla.suse.com/1267697"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267698 for CVE-2026-46227",
          "url": "https://bugzilla.suse.com/1267698"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46227"
    },
    {
      "cve": "CVE-2026-46243",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46243"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: reject userspace cifs.spnego descriptions\n\ncifs.spnego key descriptions contain authority-bearing fields such as\npid, uid, creduid, and upcall_target that cifs.upcall treats as\nkernel-originating inputs. However, userspace can also create keys of\nthis type through request_key(2) or add_key(2), allowing those fields to\nbe supplied without CIFS origin.\n\nOnly accept cifs.spnego descriptions while CIFS is using its private\nspnego_cred to request the key.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46243",
          "url": "https://www.suse.com/security/cve/CVE-2026-46243"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266238 for CVE-2026-46243",
          "url": "https://bugzilla.suse.com/1266238"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266265 for CVE-2026-46243",
          "url": "https://bugzilla.suse.com/1266265"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46243"
    },
    {
      "cve": "CVE-2026-52909",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-52909"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-52909",
          "url": "https://www.suse.com/security/cve/CVE-2026-52909"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268660 for CVE-2026-52909",
          "url": "https://bugzilla.suse.com/1268660"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268662 for CVE-2026-52909",
          "url": "https://bugzilla.suse.com/1268662"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-52909"
    },
    {
      "cve": "CVE-2026-52943",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-52943"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg-\u003erefcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n  Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n  Call Trace:\n   skb_release_data+0x77b/0x810\n   kfree_skb_list_reason+0x13e/0x610\n   skb_release_data+0x4cd/0x810\n   sk_skb_reason_drop+0xf3/0x340\n   skb_queue_purge_reason+0x282/0x440\n   rds_tcp_inc_free+0x1e/0x30\n   rds_recvmsg+0x354/0x1780\n   __sys_recvmsg+0xdf/0x180\n\n  Allocated by task 219:\n   msg_zerocopy_realloc+0x157/0x7b0\n   tcp_sendmsg_locked+0x2892/0x3ba0\n\n  Freed by task 219:\n   ip_recv_error+0x74a/0xb10\n   tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo-\u003edestructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put().",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-52943",
          "url": "https://www.suse.com/security/cve/CVE-2026-52943"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269022 for CVE-2026-52943",
          "url": "https://bugzilla.suse.com/1269022"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269023 for CVE-2026-52943",
          "url": "https://bugzilla.suse.com/1269023"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-52943"
    },
    {
      "cve": "CVE-2026-53362",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-53362"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: account for fraggap on the paged allocation path\n\nIn __ip6_append_data(), when the paged-allocation branch is taken\n(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are\ncomputed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap (datalen = length + fraggap). When\nfraggap is non-zero, this is not the first skb and transhdrlen is zero.\nThe fraggap bytes carried over from the previous skb are copied just past\nthe fragment headers in the new skb\u0027s linear area. The linear area is\ntherefore undersized by fraggap bytes while pagedlen is overstated by the\nsame amount, and the copy writes past skb-\u003eend into the trailing\nskb_shared_info.\n\nAn unprivileged user can trigger this via a UDPv6 socket using\nMSG_MORE together with MSG_SPLICE_PAGES.\n\nThe bad accounting was introduced by commit 773ba4fe9104 (\"ipv6:\navoid partial copy for zc\"). Before commit ce650a166335 (\"udp6: Fix\n__ip6_append_data()\u0027s handling of MSG_SPLICE_PAGES\"), the negative\ncopy value caused -EINVAL to be returned. That later commit allowed\nMSG_SPLICE_PAGES to proceed in this case, making the corruption\ntriggerable.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic.\nSince a negative copy is no longer expected for a valid MSG_SPLICE_PAGES\ncase, remove the MSG_SPLICE_PAGES exception from the negative copy check.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-53362",
          "url": "https://www.suse.com/security/cve/CVE-2026-53362"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269493 for CVE-2026-53362",
          "url": "https://bugzilla.suse.com/1269493"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269495 for CVE-2026-53362",
          "url": "https://bugzilla.suse.com/1269495"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_31-rt-8-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T04:04:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-53362"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…