SUSE-SU-2026:2863-1

Vulnerability from csaf_suse - Published: 2026-07-11 06:44 - Updated: 2026-07-11 06:44
Summary
Security update for the Linux Kernel RT (Live Patch 16 for SUSE Linux Enterprise 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 16 for SUSE Linux Enterprise 15 SP7)
Description of the patch: This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.59 fixes various security issues The following security issues were fixed: - CVE-2026-46120: ip6_gre: Use cached t->net in ip6erspan_changelink() (bsc#1267893). - CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task (bsc#1267723). - CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267698). - CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device (bsc#1268662). - CVE-2026-52943: net: skbuff: fix missing zerocopy reference in pskb_carve helpers (bsc#1269023). - CVE-2026-53362: ipv6: account for fraggap on the paged allocation path (bsc#1269495).
Patchnames: SUSE-2026-2863,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2863
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64
Vendor Fix
Threats
Impact important
References
URL Category
https://www.suse.com/support/security/rating/ external
https://ftp.suse.com/pub/projects/security/csaf/s… self
https://www.suse.com/support/update/announcement/… self
https://lists.suse.com/pipermail/sle-updates/2026… self
https://bugzilla.suse.com/1267698 self
https://bugzilla.suse.com/1267723 self
https://bugzilla.suse.com/1267893 self
https://bugzilla.suse.com/1268662 self
https://bugzilla.suse.com/1269023 self
https://bugzilla.suse.com/1269495 self
https://www.suse.com/security/cve/CVE-2026-46120/ self
https://www.suse.com/security/cve/CVE-2026-46173/ self
https://www.suse.com/security/cve/CVE-2026-46227/ self
https://www.suse.com/security/cve/CVE-2026-52909/ self
https://www.suse.com/security/cve/CVE-2026-52943/ self
https://www.suse.com/security/cve/CVE-2026-53362/ self
https://www.suse.com/security/cve/CVE-2026-46120 external
https://bugzilla.suse.com/1267640 external
https://bugzilla.suse.com/1267893 external
https://www.suse.com/security/cve/CVE-2026-46173 external
https://bugzilla.suse.com/1267722 external
https://bugzilla.suse.com/1267723 external
https://www.suse.com/security/cve/CVE-2026-46227 external
https://bugzilla.suse.com/1267697 external
https://bugzilla.suse.com/1267698 external
https://www.suse.com/security/cve/CVE-2026-52909 external
https://bugzilla.suse.com/1268660 external
https://bugzilla.suse.com/1268662 external
https://www.suse.com/security/cve/CVE-2026-52943 external
https://bugzilla.suse.com/1269022 external
https://bugzilla.suse.com/1269023 external
https://www.suse.com/security/cve/CVE-2026-53362 external
https://bugzilla.suse.com/1269493 external
https://bugzilla.suse.com/1269495 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel RT (Live Patch 16 for SUSE Linux Enterprise 15 SP7)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.59 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2026-46120: ip6_gre: Use cached t-\u003enet in ip6erspan_changelink() (bsc#1267893).\n- CVE-2026-46173: exit: prevent preemption of oopsing TASK_DEAD task (bsc#1267723).\n- CVE-2026-46227: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (bsc#1267698).\n- CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device (bsc#1268662).\n- CVE-2026-52943: net: skbuff: fix missing zerocopy reference in pskb_carve helpers (bsc#1269023).\n- CVE-2026-53362: ipv6: account for fraggap on the paged allocation path (bsc#1269495).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-2863,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2863",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2863-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:2863-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262863-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:2863-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-July/048114.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267698",
        "url": "https://bugzilla.suse.com/1267698"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267723",
        "url": "https://bugzilla.suse.com/1267723"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1267893",
        "url": "https://bugzilla.suse.com/1267893"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1268662",
        "url": "https://bugzilla.suse.com/1268662"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1269023",
        "url": "https://bugzilla.suse.com/1269023"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1269495",
        "url": "https://bugzilla.suse.com/1269495"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46120 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46120/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46173 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46173/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-46227 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-46227/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-52909 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-52909/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-52943 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-52943/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-53362 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-53362/"
      }
    ],
    "title": "Security update for the Linux Kernel RT (Live Patch 16 for SUSE Linux Enterprise 15 SP7)",
    "tracking": {
      "current_release_date": "2026-07-11T06:44:07Z",
      "generator": {
        "date": "2026-07-11T06:44:07Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:2863-1",
      "initial_release_date": "2026-07-11T06:44:07Z",
      "revision_history": [
        {
          "date": "2026-07-11T06:44:07Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64",
                  "product_id": "kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        },
        "product_reference": "kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-46120",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46120"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t-\u003enet in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice\u0027s creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt-\u003enet; only ip6erspan_changelink() has the wrong shape.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46120",
          "url": "https://www.suse.com/security/cve/CVE-2026-46120"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267640 for CVE-2026-46120",
          "url": "https://bugzilla.suse.com/1267640"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267893 for CVE-2026-46120",
          "url": "https://bugzilla.suse.com/1267893"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46120"
    },
    {
      "cve": "CVE-2026-46173",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46173"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexit: prevent preemption of oopsing TASK_DEAD task\n\nWhen an already-exiting task oopses, make_task_dead() currently calls\ndo_task_dead() with preemption enabled.  That is forbidden:\ndo_task_dead() calls __schedule(), which has a comment saying \"WARNING:\nmust be called with preemption disabled!\".\n\nIf an oopsing task is preempted in do_task_dead(), between becoming\nTASK_DEAD and entering the scheduler explicitly, bad things happen:\nfinish_task_switch() assumes that once the scheduler has switched away\nfrom a TASK_DEAD task, the task can never run again and its stack is no\nlonger needed; but that assumption apparently doesn\u0027t hold if the dead\ntask was preempted (the SM_PREEMPT case).\n\nThis means that the scheduler ends up repeatedly dropping references on\nthe dead task\u0027s stack, which can lead to use-after-free or double-free\nof the entire task stack; in other words, two tasks can end up running\non the same stack, resulting in various kinds of memory corruption.\n\n(This does not just affect \"recursively oopsing\" tasks; it is enough to\noops once during task exit, for example in a file_operations::release\nhandler)",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46173",
          "url": "https://www.suse.com/security/cve/CVE-2026-46173"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267722 for CVE-2026-46173",
          "url": "https://bugzilla.suse.com/1267722"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267723 for CVE-2026-46173",
          "url": "https://bugzilla.suse.com/1267723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46173"
    },
    {
      "cve": "CVE-2026-46227",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-46227"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-46227",
          "url": "https://www.suse.com/security/cve/CVE-2026-46227"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267697 for CVE-2026-46227",
          "url": "https://bugzilla.suse.com/1267697"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267698 for CVE-2026-46227",
          "url": "https://bugzilla.suse.com/1267698"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-46227"
    },
    {
      "cve": "CVE-2026-52909",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-52909"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-52909",
          "url": "https://www.suse.com/security/cve/CVE-2026-52909"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268660 for CVE-2026-52909",
          "url": "https://bugzilla.suse.com/1268660"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268662 for CVE-2026-52909",
          "url": "https://bugzilla.suse.com/1268662"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-52909"
    },
    {
      "cve": "CVE-2026-52943",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-52943"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg-\u003erefcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n  Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n  Call Trace:\n   skb_release_data+0x77b/0x810\n   kfree_skb_list_reason+0x13e/0x610\n   skb_release_data+0x4cd/0x810\n   sk_skb_reason_drop+0xf3/0x340\n   skb_queue_purge_reason+0x282/0x440\n   rds_tcp_inc_free+0x1e/0x30\n   rds_recvmsg+0x354/0x1780\n   __sys_recvmsg+0xdf/0x180\n\n  Allocated by task 219:\n   msg_zerocopy_realloc+0x157/0x7b0\n   tcp_sendmsg_locked+0x2892/0x3ba0\n\n  Freed by task 219:\n   ip_recv_error+0x74a/0xb10\n   tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo-\u003edestructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put().",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-52943",
          "url": "https://www.suse.com/security/cve/CVE-2026-52943"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269022 for CVE-2026-52943",
          "url": "https://bugzilla.suse.com/1269022"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269023 for CVE-2026-52943",
          "url": "https://bugzilla.suse.com/1269023"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-52943"
    },
    {
      "cve": "CVE-2026-53362",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-53362"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: account for fraggap on the paged allocation path\n\nIn __ip6_append_data(), when the paged-allocation branch is taken\n(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are\ncomputed as\n\n\talloclen = fragheaderlen + transhdrlen;\n\tpagedlen = datalen - transhdrlen;\n\ndatalen already includes fraggap (datalen = length + fraggap). When\nfraggap is non-zero, this is not the first skb and transhdrlen is zero.\nThe fraggap bytes carried over from the previous skb are copied just past\nthe fragment headers in the new skb\u0027s linear area. The linear area is\ntherefore undersized by fraggap bytes while pagedlen is overstated by the\nsame amount, and the copy writes past skb-\u003eend into the trailing\nskb_shared_info.\n\nAn unprivileged user can trigger this via a UDPv6 socket using\nMSG_MORE together with MSG_SPLICE_PAGES.\n\nThe bad accounting was introduced by commit 773ba4fe9104 (\"ipv6:\navoid partial copy for zc\"). Before commit ce650a166335 (\"udp6: Fix\n__ip6_append_data()\u0027s handling of MSG_SPLICE_PAGES\"), the negative\ncopy value caused -EINVAL to be returned. That later commit allowed\nMSG_SPLICE_PAGES to proceed in this case, making the corruption\ntriggerable.\n\nThe non-paged branch sets alloclen to fraglen, which already accounts\nfor fraggap because datalen does. Bring the paged branch in line by\nadding fraggap to alloclen and subtracting it from pagedlen.\n\nAfter this adjustment, copy no longer collapses to -fraggap on the\npaged path, so remove the stale comment describing that old arithmetic.\nSince a negative copy is no longer expected for a valid MSG_SPLICE_PAGES\ncase, remove the MSG_SPLICE_PAGES exception from the negative copy check.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-53362",
          "url": "https://www.suse.com/security/cve/CVE-2026-53362"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269493 for CVE-2026-53362",
          "url": "https://bugzilla.suse.com/1269493"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1269495 for CVE-2026-53362",
          "url": "https://bugzilla.suse.com/1269495"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_59-rt-2-150700.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-11T06:44:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-53362"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…