An update for kernel is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2314 Final 1.0 1.0 2026-05-15 Initial 2026-05-15 2026-05-15 openEuler SA Tool V1.0 2026-05-15 kernel security update An update for kernel is now available for openEuler-24.03-LTS-SP3 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.(CVE-2026-31436) In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h.(CVE-2026-31486) In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.(CVE-2026-31504) In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515) In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().(CVE-2026-31575) In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.(CVE-2026-31624) In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event.(CVE-2026-31625) In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.(CVE-2026-31673) In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.(CVE-2026-31674) In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.(CVE-2026-31682) In the Linux kernel, the following vulnerability has been resolved: net/mlx5: lag: Check for LAG device before creating debugfs __mlx5_lag_dev_add_mdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5_ldev_add_debugfs() even when there is no valid LAG context. mlx5_ldev_add_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL. Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer before attempting to create the debugfs entries.(CVE-2026-43013) In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate mesh send advertising payload length mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer. Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.(CVE-2026-43017) In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage.(CVE-2026-43018) In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.(CVE-2026-43019) In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2026-43214) In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.(CVE-2026-43265) In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284) A NULL-pointer dereference vulnerability exists in the ACPI processor driver of the Linux kernel. In the acpi_processor_errata_piix4() function, the pointer dev is first assigned an IDE device and then reassigned an ISA device. If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called. The fix is to use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.(CVE-2026-43313) In the Linux kernel x86 APIC (Advanced Programmable Interrupt Controller) subsystem, when the system resumes from suspend (s2ram/suspend-to-RAM) state, if the kernel expects to disable x2APIC mode at startup, but the BIOS/firmware re-enables x2APIC during the recovery process, the kernel and hardware status will be inconsistent. This status mismatch may cause interrupt handling exceptions, system instability, or denial of service. The vulnerability belongs to CWE-372 (Internal State Corruption).(CVE-2026-43363) In the Linux kernel, there is a race condition vulnerability in the Ceph filesystem. During async unlink, the `i_nlink` counter is dropped before receiving the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The root cause of this vulnerability is updating the `i_nlink` counter without proper lock protection, creating a TOCTOU (Time-of-Check Time-of-Use) race condition. Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates.(CVE-2026-43420) In the Linux kernel, there is a security vulnerability in the USB Test and Measurement Class driver (usbtmc). The driver accepts timeout values specified by the user via an ioctl command and uses these timeouts for usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, this may cause kernel threads to hang indefinitely.(CVE-2026-43429) An update for kernel is now available for openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31436 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31486 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31504 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31515 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31575 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31624 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31625 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31673 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31674 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31682 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43013 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43017 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43018 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43019 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43214 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43265 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43284 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43313 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43363 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43420 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43429 https://nvd.nist.gov/vuln/detail/CVE-2026-31436 https://nvd.nist.gov/vuln/detail/CVE-2026-31486 https://nvd.nist.gov/vuln/detail/CVE-2026-31504 https://nvd.nist.gov/vuln/detail/CVE-2026-31515 https://nvd.nist.gov/vuln/detail/CVE-2026-31575 https://nvd.nist.gov/vuln/detail/CVE-2026-31624 https://nvd.nist.gov/vuln/detail/CVE-2026-31625 https://nvd.nist.gov/vuln/detail/CVE-2026-31673 https://nvd.nist.gov/vuln/detail/CVE-2026-31674 https://nvd.nist.gov/vuln/detail/CVE-2026-31682 https://nvd.nist.gov/vuln/detail/CVE-2026-43013 https://nvd.nist.gov/vuln/detail/CVE-2026-43017 https://nvd.nist.gov/vuln/detail/CVE-2026-43018 https://nvd.nist.gov/vuln/detail/CVE-2026-43019 https://nvd.nist.gov/vuln/detail/CVE-2026-43214 https://nvd.nist.gov/vuln/detail/CVE-2026-43265 https://nvd.nist.gov/vuln/detail/CVE-2026-43284 https://nvd.nist.gov/vuln/detail/CVE-2026-43313 https://nvd.nist.gov/vuln/detail/CVE-2026-43363 https://nvd.nist.gov/vuln/detail/CVE-2026-43420 https://nvd.nist.gov/vuln/detail/CVE-2026-43429 openEuler-24.03-LTS-SP3 bpftool-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm bpftool-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-debugsource-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-devel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-extra-modules-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-headers-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-source-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-tools-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-tools-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm kernel-tools-devel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm perf-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm python3-perf-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm python3-perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm bpftool-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm bpftool-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-debugsource-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-devel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-extra-modules-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-headers-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-source-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-tools-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-tools-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-tools-devel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm perf-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm python3-perf-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm python3-perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm kernel-6.6.0-145.0.10.141.oe2403sp3.src.rpm In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop. 2026-05-15 CVE-2026-31436 openEuler-24.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h. 2026-05-15 CVE-2026-31486 openEuler-24.03-LTS-SP3 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617. 2026-05-15 CVE-2026-31504 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150 2026-05-15 CVE-2026-31515 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index(). 2026-05-15 CVE-2026-31575 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does. 2026-05-15 CVE-2026-31624 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event. 2026-05-15 CVE-2026-31625 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built. 2026-05-15 CVE-2026-31673 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. 2026-05-15 CVE-2026-31674 openEuler-24.03-LTS-SP3 High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header. 2026-05-15 CVE-2026-31682 openEuler-24.03-LTS-SP3 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: lag: Check for LAG device before creating debugfs __mlx5_lag_dev_add_mdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5_ldev_add_debugfs() even when there is no valid LAG context. mlx5_ldev_add_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL. Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer before attempting to create the debugfs entries. 2026-05-15 CVE-2026-43013 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate mesh send advertising payload length mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer. Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request. 2026-05-15 CVE-2026-43017 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage. 2026-05-15 CVE-2026-43018 openEuler-24.03-LTS-SP3 High 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration. 2026-05-15 CVE-2026-43019 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 2026-05-15 CVE-2026-43214 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running. 2026-05-15 CVE-2026-43265 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed. 2026-05-15 CVE-2026-43284 openEuler-24.03-LTS-SP3 High 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 A NULL-pointer dereference vulnerability exists in the ACPI processor driver of the Linux kernel. In the acpi_processor_errata_piix4() function, the pointer dev is first assigned an IDE device and then reassigned an ISA device. If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called. The fix is to use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value. 2026-05-15 CVE-2026-43313 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel x86 APIC (Advanced Programmable Interrupt Controller) subsystem, when the system resumes from suspend (s2ram/suspend-to-RAM) state, if the kernel expects to disable x2APIC mode at startup, but the BIOS/firmware re-enables x2APIC during the recovery process, the kernel and hardware status will be inconsistent. This status mismatch may cause interrupt handling exceptions, system instability, or denial of service. The vulnerability belongs to CWE-372 (Internal State Corruption). 2026-05-15 CVE-2026-43363 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, there is a race condition vulnerability in the Ceph filesystem. During async unlink, the `i_nlink` counter is dropped before receiving the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The root cause of this vulnerability is updating the `i_nlink` counter without proper lock protection, creating a TOCTOU (Time-of-Check Time-of-Use) race condition. Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates. 2026-05-15 CVE-2026-43420 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314 In the Linux kernel, there is a security vulnerability in the USB Test and Measurement Class driver (usbtmc). The driver accepts timeout values specified by the user via an ioctl command and uses these timeouts for usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, this may cause kernel threads to hang indefinitely. 2026-05-15 CVE-2026-43429 openEuler-24.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2026-05-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314