An update for kernel is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2310 Final 1.0 1.0 2026-05-15 Initial 2026-05-15 2026-05-15 openEuler SA Tool V1.0 2026-05-15 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.(CVE-2026-31504) In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515) In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c. Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf(). Changes since v1: - correct the changelog to cite the actual maximum current-tree case explicitly - frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example(CVE-2026-31630) In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.(CVE-2026-31673) In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.(CVE-2026-31674) In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.(CVE-2026-31682) In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284) An update for kernel is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31504 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31515 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31630 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31673 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31674 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31682 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43284 https://nvd.nist.gov/vuln/detail/CVE-2026-31504 https://nvd.nist.gov/vuln/detail/CVE-2026-31515 https://nvd.nist.gov/vuln/detail/CVE-2026-31630 https://nvd.nist.gov/vuln/detail/CVE-2026-31673 https://nvd.nist.gov/vuln/detail/CVE-2026-31674 https://nvd.nist.gov/vuln/detail/CVE-2026-31682 https://nvd.nist.gov/vuln/detail/CVE-2026-43284 openEuler-20.03-LTS-SP4 bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm kernel-4.19.90-2605.3.0.0372.oe2003sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617. 2026-05-15 CVE-2026-31504 openEuler-20.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150 2026-05-15 CVE-2026-31515 openEuler-20.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c. Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf(). Changes since v1: - correct the changelog to cite the actual maximum current-tree case explicitly - frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example 2026-05-15 CVE-2026-31630 openEuler-20.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built. 2026-05-15 CVE-2026-31673 openEuler-20.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. 2026-05-15 CVE-2026-31674 openEuler-20.03-LTS-SP4 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header. 2026-05-15 CVE-2026-31682 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310 In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed. 2026-05-15 CVE-2026-43284 openEuler-20.03-LTS-SP4 High 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310