suse-sles-15-sp6-v20260424-ecs-hvm-ssd-x86_64 CVE scan on 2026-04-27T19:56:36+00:00

CVE-2024-6174 Severity: Important CVSS3 score: 8.8

Description: When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2026-3195 Severity: Important CVSS3 score: 8.8

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-33636 Severity: Important CVSS3 score: 8.6

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 < 1.6.40-150600.3.17.1 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-34714 Severity: Important CVSS3 score: 8.6

Description: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-33747 Severity: Important CVSS3 score: 8.4

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2024-6519 Severity: Important CVSS3 score: 8.2

Description: A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-1299 Severity: Important CVSS3 score: 8.2

Description: The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-31402 Severity: Important CVSS3 score: 8.2

Description: In the Linux kernel, the following vulnerability has been resolved:nfsd: fix heap overflow in NFSv4.0 LOCK replay cacheThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.This size was calculated based on OPEN responses and does not accountfor LOCK denied responses, which include the conflicting lock owner asa variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).When a LOCK operation is denied due to a conflict with an existing lockthat has a large owner, nfsd4_encode_operation() copies the full encodedresponse into the undersized replay buffer via read_bytes_from_xdr_buf()with no bounds check. This results in a slab-out-of-bounds write of upto 944 bytes past the end of the buffer, corrupting adjacent heap memory.This can be triggered remotely by an unauthenticated attacker with twocooperating NFSv4.0 clients: one sets a lock with a large owner string,then the other requests a conflicting lock to provoke the denial.We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a fullopaque, but that would increase the size of every stateowner, when mostlockowners are not that large.Instead, fix this by checking the encoded response length againstNFSD4_REPLAY_ISIZE before copying into the replay buffer. If theresponse is too large, set rp_buflen to 0 to skip caching the replaypayload. The status is still cached, and the client already received thecorrect response on the original request.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-34982 Severity: Important CVSS3 score: 8.2

Description: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-1484 Severity: Important CVSS3 score: 8.1

Description: A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glib2-tools < 2.78.6-150600.4.35.1 (version in image is 2.78.6-150600.4.28.1).

CVE-2026-1489 Severity: Important CVSS3 score: 8.1

Description: A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glib2-tools < 2.78.6-150600.4.35.1 (version in image is 2.78.6-150600.4.28.1).

CVE-2026-33186 Severity: Important CVSS3 score: 8.1

Description: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2026-33416 Severity: Important CVSS3 score: 8.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 < 1.6.40-150600.3.17.1 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-6100 Severity: Important CVSS3 score: 8.1

Description: Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-68973 Severity: Important CVSS3 score: 8.0

Description: In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gpg2 > 0-0 (version in image is 2.4.4-150600.3.12.1).

CVE-2023-52656 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring: drop any code related to SCM_RIGHTSThis is dead code after we dropped support for passing io_uring fdsover SCM_RIGHTS, get rid of it.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36978 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: sch_multiq: fix possible OOB write in multiq_tune()q->bands will be assigned to qopt->bands to execute subsequent code logicafter kmalloc. So the old q->bands should not be used in kmalloc.Otherwise, an out-of-bounds write will occur.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38610 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes".Patch #1 fixes a bunch of issues I spotted in the acrn driver. Itcompiles, that's all I know. I'll appreciate some review and testing fromacrn folks.Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, addingmore sanity checks, and improving the documentation. Gave it a quick teston x86-64 using VM_PAT that ends up using follow_pte().This patch (of 3):We currently miss handling various cases, resulting in a dangerousfollow_pte() (previously follow_pfn()) usage.(1) We're not checking PTE write permissions.Maybe we should simply always require pte_write() like we do forpin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check forACRN_MEM_ACCESS_WRITE for now.(2) We're not rejecting refcounted pages.As we are not using MMU notifiers, messing with refcounted pages isdangerous and can result in use-after-free. Let's make sure to reject them.(3) We are only looking at the first PTE of a bigger range.We only lookup a single PTE, but memmap->len may span a larger area.Let's loop over all involved PTEs and make sure the PFN range isactually contiguous. Reject everything else: it couldn't have workedeither way, and rather made use access PFNs we shouldn't be accessing.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-45582 Severity: Important CVSS3 score: 7.8

Description: GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
tar > 0-0 (version in image is 1.34-150000.3.34.1).

CVE-2025-54505 Severity: Important CVSS3 score: 7.8

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71231 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_modeThe local variable 'i' is initialized with -EINVAL, but the for loopimmediately overwrites it and -EINVAL is never returned.If no empty compression mode can be found, the function would return theout-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalidarray access in add_iaa_compression_mode().Fix both issues by returning either a valid index or -EINVAL.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-0861 Severity: Important CVSS3 score: 7.8

Description: Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc < 2.38-150600.14.40.1 (version in image is 2.38-150600.14.37.1).

CVE-2026-23111 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()nft_map_catchall_activate() has an inverted element activity checkcompared to its non-catchall counterpart nft_mapelem_activate() andcompared to what is logically required.nft_map_catchall_activate() is called from the abort path to re-activatecatchall map elements that were deactivated during a failed transaction.It should skip elements that are already active (they don't needre-activation) and process elements that are inactive (they need to berestored). Instead, the current code does the opposite: it skips inactiveelements and processes active ones.Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */The consequence is that when a DELSET operation is aborted,nft_setelem_data_activate() is never called for the catchall element.For NFT_GOTO verdict elements, this means nft_data_hold() is nevercalled to restore the chain->use reference count. Each abort cyclepermanently decrements chain->use. Once chain->use reaches zero,DELCHAIN succeeds and frees the chain while catchall verdict elementsstill reference it, resulting in a use-after-free.This is exploitable for local privilege escalation from an unprivilegeduser via user namespaces + nftables on distributions that enableCONFIG_USER_NS and CONFIG_NF_TABLES.Fix by removing the negation so the check matches nft_mapelem_activate():skip active elements, process inactive ones.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23209 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:macvlan: fix error recovery in macvlan_common_newlink()valis provided a nice repro to crash the kernel:ip link add p1 type veth peer p2ip link set address 00:00:00:00:00:20 dev p1ip link set up dev p1ip link set up dev p2ip link add mv0 link p2 type macvlan mode sourceip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20ping -c1 -I p1 1.2.3.4He also gave a very detailed analysis:The issue is triggered when a new macvlan link is created withMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (orMACVLAN_MACADDR_SET) parameter, lower device already has a macvlanport and register_netdevice() called from macvlan_common_newlink()fails (e.g. because of the invalid link name).In this case macvlan_hash_add_source is called frommacvlan_change_sources() / macvlan_common_newlink():This adds a reference to vlan to the port's vlan_source_hash usingmacvlan_source_entry.vlan is a pointer to the priv data of the link that is being created.When register_netdevice() fails, the error is returned frommacvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; }and free_netdev() is called, causing a kvfree() on the structnet_device that is still referenced in the source entry attached tothe lower device's macvlan port.Now all packets sent on the macvlan port with a matching source macaddress will trigger a use-after-free in macvlan_forward_source().With all that, my fix is to make sure we call macvlan_flush_sources()regardless of @create value whenever "goto destroy_macvlan_port;"path is taken.Many thanks to valis for following up on this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23236 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:fbdev: smscufx: properly copy ioctl memory to kernelspaceThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data fromuserspace to kernelspace, and instead directly references the memory,which can cause problems if invalid data is passed from userspace. Fixthis all up by correctly copying the memory before accessing it withinthe kernel.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23243 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/umad: Reject negative data_len in ib_umad_writeib_umad_write computes data_len from user-controlled count and theMAD header sizes. With a mismatched user MAD header size and RMPPheader length, data_len can become negative and reach ib_create_send_mad().This can make the padding calculation exceed the segment size and triggeran out-of-bounds memset in alloc_send_rmpp_list().Add an explicit check to reject negative data_len before creating thesend buffer.KASAN splat:[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102[ 211.365867] ib_create_send_mad+0xa01/0x11b0[ 211.365887] ib_umad_write+0x853/0x1c80

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23317 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:drm/vmwgfx: Return the correct value in vmw_translate_ptr functionsBefore the referenced fixes these functions used a lookup function thatreturned a pointer. This was changed to another lookup function thatreturned an error code with the pointer becoming an out parameter.The error path when the lookup failed was not changed to reflect thischange and the code continued to return the PTR_ERR of the nowuninitialized pointer. This could cause the vmw_translate_ptr functionsto return success when they actually failed causing further uninitializedand OOB accesses.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23462 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: HIDP: Fix possible UAFThis fixes the following trace caused by not dropping l2cap_connreference when user->remove callback is called:[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014[ 97.809947] Call Trace:[ 97.809954] [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)[ 97.810404] __fput (fs/file_table.c:470)[ 97.810430] task_work_run (kernel/task_work.c:235)[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))[ 97.810527] do_exit (kernel/exit.c:972)[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))[ 97.810721] do_group_exit (kernel/exit.c:1093)[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810826] ? vfs_read (fs/read_write.c:555)[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 97.810960] arch_do_signal_or_restart (arch/---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23554 Severity: Important CVSS3 score: 7.8

Description: The Intel EPT paging code uses an optimization to defer flushing of any cachedEPT state until the p2m lock is dropped, so that multiple modifications doneunder the same locked region only issue a single flush.Freeing of paging structures however is not deferred until the flushing isdone, and can result in freed pages transiently being present in cached state.Such stale entries can point to memory ranges not owned by the guest, thusallowing access to unintended memory regions.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
xen-libs < 4.18.5_12-150600.3.40.1 (version in image is 4.18.5_10-150600.3.37.1).

CVE-2026-24882 Severity: Important CVSS3 score: 7.8

Description: In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
gpg2 < 2.4.4-150600.3.15.1 (version in image is 2.4.4-150600.3.12.1).

CVE-2026-4105 Severity: Important CVSS3 score: 7.8

Description: A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libsystemd0 < 254.27-150600.4.62.1 (version in image is 254.27-150600.4.46.2).

CVE-2026-6846 Severity: Important CVSS3 score: 7.8

Description: A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-13601 Severity: Important CVSS3 score: 7.7

Description: A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.28.1).

CVE-2025-11234 Severity: Important CVSS3 score: 7.5

Description: A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2025-11468 Severity: Important CVSS3 score: 7.5

Description: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-22869 Severity: Important CVSS3 score: 7.5

Description: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
amazon-ssm-agent > 0-0 (version in image is 3.3.1611.0-150000.5.26.1).

CVE-2025-27144 Severity: Important CVSS3 score: 7.5

Description: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2025-39890 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath12k: fix memory leak in ath12k_service_ready_ext_eventCurrently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_capsis not freed in the failure case, causing a memory leak. The followingtrace is observed in kmemleak:unreferenced object 0xffff8b3eb5789c00 (size 1024): comm "softirq", pid 0, jiffies 4294942577 hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. backtrace (crc 44e1c357): __kmalloc_noprof+0x30b/0x410 ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] process_one_work+0x219/0x680 bh_worker+0x198/0x1f0 tasklet_action+0x13/0x30 handle_softirqs+0xca/0x460 __irq_exit_rcu+0xbe/0x110 irq_exit_rcu+0x9/0x30Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-47913 Severity: Important CVSS3 score: 7.5

Description: SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-68813 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipvs: fix ipv4 null-ptr-deref in route error pathThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()without ensuring skb->dev is set, leading to a NULL pointer dereferencein fib_compute_spec_dst() when ipv4_link_failure() attempts to sendICMP destination unreachable messages.The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip optionsin ipv4_link_failure") started calling __ip_options_compile() fromipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()which dereferences skb->dev. An attempt was made to fix the NULL skb->devdereference in commit 0113d9c9d1cc ("ipv4: fix null-deref inipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)dereference by using a fallback device. The fix was incomplete becausefib_compute_spec_dst() later in the call chain still accesses skb->devdirectly, which remains NULL when IPVS calls dst_link_failure().The crash occurs when:1. IPVS processes a packet in NAT mode with a misconfigured destination2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route3. The error path calls dst_link_failure(skb) with skb->dev == NULL4. ipv4_link_failure() -> ipv4_send_dest_unreach() -> __ip_options_compile() -> fib_compute_spec_dst()5. fib_compute_spec_dst() dereferences NULL skb->devApply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fixipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev beforecalling dst_link_failure().KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285Call Trace: spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71085 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()There exists a kernel oops caused by a BUG_ON(nhead < 0) atnet/core/skbuff.c:2232 in pskb_expand_head().This bug is triggered as part of the calipso_skbuff_setattr()routine when skb_cow() is passed headroom > INT_MAX(i.e. (int)(skb_headroom(skb) + len_delta) < 0).The root cause of the bug is due to an implicit integer cast in__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensurethat delta = headroom - skb_headroom(skb) is never negative, otherwisewe will trigger a BUG_ON in pskb_expand_head(). However, ifheadroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, deltabecomes negative, and pskb_expand_head() is passed a negative value fornhead.Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()by only using skb_cow() to grow headroom.PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0);

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71120 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verfA zero length gss_token results in pages == 0 and in_token->pages[0]is NULL. The code unconditionally evaluatespage_address(in_token->pages[0]) for the initial memcpy, which candereference NULL even when the copy length is 0. Guard the firstmemcpy so it only runs when length > 0.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-0672 Severity: Important CVSS3 score: 7.5

Description: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-1519 Severity: Important CVSS3 score: 7.5

Description: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
bind-utils < 9.18.33-150600.3.21.1 (version in image is 9.18.33-150600.3.18.1).

CVE-2026-1965 Severity: Important CVSS3 score: 7.5

Description: libcurl can in some circumstances reuse the wrong connection when asked to doan Negotiate-authenticated HTTP or HTTPS request.libcurl features a pool of recent connections so that subsequent requests canreuse an existing connection to avoid overhead.When reusing a connection a range of criterion must first be met. Due to alogical error in the code, a request that was issued by an application couldwrongfully reuse an existing connection to the same server that wasauthenticated using different credentials. One underlying reason being thatNegotiate sometimes authenticates *connections* and not *requests*, contraryto how HTTP is designed to work.An application that allows Negotiate authentication to a server (that respondswanting Negotiate) with `user1:password1` and then does another operation tothe same server also using Negotiate but with `user2:password2` (while theprevious connection is still alive) - the second request wrongly reused thesame connection and since it then sees that the Negotiate negotiation isalready made, it just sends the request over that connection thinking it usesthe user2 credentials when it is in fact still using the connectionauthenticated for user1...The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.Applications can disable libcurl's reuse of connections and thus mitigate thisproblem, by using one of the following libcurl options to alter howconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using thecurl_multi API).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
curl < 8.14.1-150600.4.40.1 (version in image is 8.14.1-150600.4.37.1).

CVE-2026-23461 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_userAfter commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list inhci_chan_del"), l2cap_conn_del() uses conn->lock to protect access toconn->users. However, l2cap_register_user() and l2cap_unregister_user()don't use conn->lock, creating a race condition where these functions canaccess conn->users and conn->hchan concurrently with l2cap_conn_del().This can lead to use-after-free and list corruption bugs, as reportedby syzbot.Fix this by changing l2cap_register_user() and l2cap_unregister_user()to use conn->lock instead of hci_dev_lock(), ensuring consistent lockingfor the l2cap_conn structure.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23490 Severity: Important CVSS3 score: 7.5

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3-pyasn1 < 0.4.2-150000.3.13.1 (version in image is 0.4.2-150000.3.8.1).

CVE-2026-25727 Severity: Important CVSS3 score: 7.5

Description: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
virtiofsd < 1.10.1-150600.4.6.1 (version in image is 1.10.1-150600.4.3.1).

CVE-2026-27135 Severity: Important CVSS3 score: 7.5

Description: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libnghttp2-14 < 1.40.0-150600.25.5.1 (version in image is 1.40.0-150600.23.2).

CVE-2026-28388 Severity: Important CVSS3 score: 7.5

Description: Issue summary: When a delta CRL that contains a Delta CRL Indicator extensionis processed a NULL pointer dereference might happen if the required CRLNumber extension is missing.Impact summary: A NULL pointer dereference can trigger a crash whichleads to a Denial of Service for an application.When CRL processing and delta CRL processing is enabled during X.509certificate verification, the delta CRL processing does not checkwhether the CRL Number extension is NULL before dereferencing it.When a malformed delta CRL file is being processed, this parametercan be NULL, causing a NULL pointer dereference.Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled inthe verification context, the certificate being verified to contain afreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, andan attacker to provide a malformed CRL to an application that processes it.The vulnerability is limited to Denial of Service and cannot be escalated toachieve code execution or memory disclosure. For that reason the issue wasassessed as Low severity according to our Security Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.26.2 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-30922 Severity: Important CVSS3 score: 7.5

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3-pyasn1 < 0.4.2-150000.3.16.1 (version in image is 0.4.2-150000.3.8.1).

CVE-2026-32597 Severity: Important CVSS3 score: 7.5

Description: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 ?4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3-PyJWT < 2.4.0-150200.3.11.1 (version in image is 2.4.0-150200.3.8.1).

CVE-2026-32776 Severity: Important CVSS3 score: 7.5

Description: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-32777 Severity: Important CVSS3 score: 7.5

Description: libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-33748 Severity: Important CVSS3 score: 7.5

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2026-35385 Severity: Important CVSS3 score: 7.5

Description: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-4046 Severity: Important CVSS3 score: 7.5

Description: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2026-4224 Severity: Important CVSS3 score: 7.5

Description: When an Expat parser with a registered ElementDeclHandler parses an inlinedocument type definition containing a deeply nested content model a C stackoverflow occurs.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-34743 Severity: Important CVSS3 score: 7.4

Description: XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
liblzma5 > 0-0 (version in image is 5.4.1-150600.3.3.1).

CVE-2026-35535 Severity: Important CVSS3 score: 7.4

Description: In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
sudo < 1.9.15p5-150600.3.15.1 (version in image is 1.9.15p5-150600.3.12.1).

CVE-2025-68284 Severity: Important CVSS3 score: 7.3

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: prevent potential out-of-bounds writes in handle_auth_session_key()The len field originates from untrusted network packets. Boundarychecks have been added to prevent potential out-of-bounds writes whendecrypting the connection secret or processing service tickets.[ idryomov: changelog ]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31789 Severity: Important CVSS3 score: 7.3

Description: Issue summary: Converting an excessively large OCTET STRING value toa hexadecimal string leads to a heap buffer overflow on 32 bit platforms.Impact summary: A heap buffer overflow may lead to a crash or possiblyan attacker controlled code execution or other undefined behavior.If an attacker can supply a crafted X.509 certificate with an excessivelylarge OCTET STRING value in extensions such as the Subject Key Identifier(SKID) or Authority Key Identifier (AKID) which are being converted to hex,the size of the buffer needed for the result is calculated as multiplicationof the input length by 3. On 32 bit platforms, this multiplication may overflowresulting in the allocation of a smaller buffer and a heap buffer overflow.Applications and services that print or log contents of untrusted X.509certificates are vulnerable to this issue. As the certificates would haveto have sizes of over 1 Gigabyte, printing or logging such certificatesis a fairly unlikely operation and only 32 bit platforms are affected,this issue was assigned Low severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.26.2 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-41035 Severity: Important CVSS3 score: 7.2

Description: In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
rsync > 0-0 (version in image is 3.2.7-150600.3.14.1).

CVE-2024-38564 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATEbpf_prog_attach uses attach_type_to_prog_type to enforce properattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create usesbpf_prog_get and relies on bpf_prog_attach_check_attach_typeto properly verify prog_type <> attach_type association.Add missing attach_type enforcement for the link_create case.Otherwise, it's currently possible to attach cgroup_skb progtypes to other cgroup hooks.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-14087 Severity: Important CVSS3 score: 7.1

Description: A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.28.1).

CVE-2025-66293 Severity: Important CVSS3 score: 7.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-23191 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: aloop: Fix racy access at PCM triggerThe PCM trigger callback of aloop driver tries to check the PCM stateand stop the stream of the tied substream in the corresponding cable.Since both check and stop operations are performed outside the cablelock, this may result in UAF when a program attempts to triggerfrequently while opening/closing the tied stream, as spotted byfuzzers.For addressing the UAF, this patch changes two things:- It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses.- In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23555 Severity: Important CVSS3 score: 7.1

Description: Any guest issuing a Xenstore command accessing a node using the(illegal) node path "/local/domain/", will crash xenstored due to aclobbered error indicator in xenstored when verifying the node path.Note that the crash is forced via a failing assert() statement inxenstored. In case xenstored is being built with NDEBUG #defined,an unprivileged guest trying to access the node path "/local/domain/"will result in it no longer being serviced by xenstored, other guests(including dom0) will still be serviced, but xenstored will use upall cpu time it can get.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
xen-libs < 4.18.5_12-150600.3.40.1 (version in image is 4.18.5_10-150600.3.37.1).

CVE-2026-4786 Severity: Important CVSS3 score: 7.1

Description: Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2024-35843 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: Use device rbtree in iopf reporting pathThe existing I/O page fault handler currently locates the PCI device bycalling pci_get_domain_bus_and_slot(). This function searches the listof all PCI devices until the desired device is found. To improve lookupefficiency, replace it with device_rbtree_find() to search the devicewithin the probed device rbtree.The I/O page fault is initiated by the device, which does not have anysynchronization mechanism with the software to ensure that the devicestays in the probed device tree. Theoretically, a device could be releasedby the IOMMU subsystem after device_rbtree_find() and beforeiopf_get_dev_fault_param(), which would cause a use-after-free problem.Add a mutex to synchronize the I/O page fault reporting path and the IOMMUrelease device path. This lock doesn't introduce any performance overhead,as the conflict between I/O page fault reporting and device releasing isvery rare.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36899 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:gpiolib: cdev: Fix use after free in lineinfo_changed_notifyThe use-after-free issue occurs as follows: when the GPIO chip device fileis being closed by invoking gpio_chrdev_release(), watched_lines is freedby bitmap_free(), but the unregistration of lineinfo_changed_nb notifierchain failed due to waiting write rwsem. Additionally, one of the GPIOchip's lines is also in the release process and holds the notifier chain'sread rwsem. Consequently, a race condition leads to the use-after-free ofwatched_lines.Here is the typical stack when issue happened:[free]gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule()[use]st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after freeThe side effect of the use-after-free issue is that a GPIO line event isbeing generated for userspace where it shouldn't. However, since the chrdevis being closed, userspace won't have the chance to read that event anyway.To fix the issue, call the bitmap_free() function after the unregistrationof lineinfo_changed_nb notifier chain.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36904 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()with nice analysis.Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation fortimewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket'ssk_refcnt after putting it into ehash and releasing the bucket lock.Thus, there is a small race window where other threads could try toreuse the port during connect() and call sock_hold() in tcp_twsk_unique()for the TIME-WAIT socket with zero refcnt.If that happens, the refcnt taken by tcp_twsk_unique() is overwrittenand sock_put() will cause underflow, triggering a real use-after-freesomewhere else.To avoid the use-after-free, we need to use refcount_inc_not_zero() intcp_twsk_unique() and give up on reusing the port if it returns false.[0]:refcount_t: addition on 0; use-after-free.WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023RIP: 0010:refcount_warn_saturate+0xe5/0x110Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0PKRU: 55555554Call Trace: ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80RIP: 0033:0x7f62c11a885dCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002aRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885dRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36971 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net: fix __dst_negative_advice() race__dst_negative_advice() does not enforce proper RCU rules whensk->dst_cache must be cleared, leading to possible UAF.RCU rules are that we must first clear sk->sk_dst_cache,then call dst_release(old_dst).Note that sk_dst_reset(sk) is implementing this protocol correctly,while __dst_negative_advice() uses the wrong order.Given that ip6_negative_advice() has special logicagainst RTF_CACHE, this means each of the three ->negative_advice()existing methods must perform the sk_dst_reset() themselves.Note the check against NULL dst is centralized in__dst_negative_advice(), there is no need to duplicateit in various callbacks.Many thanks to Clement Lecigne for tracking this issue.This old bug became visible after the blamed commit, using UDP sockets.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-3770 Severity: Important CVSS3 score: 7.0

Description: EDK2 contains a vulnerability in BIOS where an attacker may cause “Protection Mechanism Failure” by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2025-39977 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:futex: Prevent use-after-free during requeue-PIsyzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL);In this scenario futex_wait_requeue_pi() is able to leave without usingfutex_q::lock_ptr for synchronization.This can be prevented by reading futex_q::task before updating thefutex_q::requeue_state. A reference on the task_struct is not neededbecause requeue_pi_wake_futex() is invoked with a spinlock_t held whichimplies a RCU read section.Even if T1 terminates immediately after, the task_struct will remain validduring T2's wake_up_state(). A READ_ONCE on futex_q::task beforefutex_requeue_pi_complete() is enough because it ensures that the variableis read before the state is updated.Read futex_q::task before updating the requeue state, use it for thefollowing wakeup.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40215 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: delete x->tunnel as we delete xThe ipcomp fallback tunnels currently get deleted (from the variouslists and hashtables) as the last user state that needed that fallbackis destroyed (not deleted). If a reference to that user state stillexists, the fallback state will remain on the hashtables/lists,triggering the WARN in xfrm_state_fini. Because of those remainingreferences, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_statesynchronously on net exit path") is not complete.We recently fixed one such situation in TCP due to defered freeing ofskbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as wecurrently drop dst")). This can also happen due to IP reassembly: skbswith a secpath remain on the reassembly queue until netnsdestruction. If we can't guarantee that the queues are flushed by thetime xfrm_state_fini runs, there may still be references to a (user)xfrm_state, preventing the timely deletion of the correspondingfallback state.Instead of chasing each instance of skbs holding a secpath one by one,this patch fixes the issue directly within xfrm, by deleting thefallback state as soon as the last user state depending on it has beendeleted. Destruction will still happen when the final reference isdropped.A separate lockdep class for the fallback state is required sincewe're going to lock x->tunnel while x is locked.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40242 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:gfs2: Fix unlikely race in gdlm_put_lockIn gdlm_put_lock(), there is a small window of time in which theDFL_UNMOUNT flag has been set but the lockspace hasn't been released,yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().To prevent it from dereferencing freed glock objects, only free theglock if the lockspace has actually been released.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40257 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: fix a race in mptcp_pm_del_add_timer()mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)while another might have free entry already, as reported by syzbot.Add RCU protection to fix this issue.Also change confusing add_timer variable with stop_timer boolean.syzbot report:BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025Workqueue: events mptcp_workerCall Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object m---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40258 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: fix race condition in mptcp_schedule_work()syzbot reported use-after-free in mptcp_schedule_work() [1]Issue here is that mptcp_schedule_work() schedules a work,then gets a refcount on sk->sk_refcnt if the work was scheduled.This refcount will be released by mptcp_worker().[A] if (schedule_work(...)) {[B] sock_hold(sk); return true; }Problem is that mptcp_worker() can run immediately and complete before [B]We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk);[1]refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25Call Trace: __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40280 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tipc: Fix use-after-free in tipc_mon_reinit_self().syzbot reported use-after-free of tipc_net(net)->monitors[]in tipc_mon_reinit_self(). [0]The array is protected by RTNL, but tipc_mon_reinit_self()iterates over it without RTNL.tipc_mon_reinit_self() is called from tipc_net_finalize(),which is always under RTNL except for tipc_net_finalize_work().Let's hold RTNL in tipc_net_finalize_work().[0]:BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025Workqueue: events tipc_net_finalize_workCall Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40297 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net: bridge: fix use-after-free due to MST port state bypasssyzbot reported[1] a use-after-free when deleting an expired fdb. It isdue to a race condition between learning still happening and a port beingdeleted, after all its fdbs have been flushed. The port's state has beentoggled to disabled so no learning should happen at that time, but if wehave MST enabled, it will bypass the port's state, that together with VLANfiltering disabled can lead to fdb learning at a time when it shouldn'thappen while the port is being deleted. VLAN filtering must be disabledbecause we flush the port VLANs when it's being deleted which will stoplearning. This fix adds a check for the port's vlan group which isinitialized to NULL when the port is getting deleted, that avoids the portstate bypass. When MST is enabled there would be a minimal new overheadin the fast-path because the port's vlan group pointer is cache-hot.[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68285 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: fix potential use-after-free in have_mon_and_osd_map()The wait loop in __ceph_open_session() can race with the clientreceiving a new monmap or osdmap shortly after the initial map isreceived. Both ceph_monc_handle_map() and handle_one_map() installa new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap;under client->monc.mutex and client->osdc.lock respectively, butbecause neither is taken in have_mon_and_osd_map() it's possible forclient->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch;condition to dereference an already freed map. This happens to bereproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30Rewrite the wait loop to check the above condition directly withclient->monc.mutex and client->osdc.lock taken as appropriate. Whileat it, improve the timeout handling (previously mount_timeout could beexceeded in case wait_event_interruptible_timeout() slept more thanonce) and access client->auth_err under client->monc.mutex to matchhow it's set in finish_auth().monmap_show() and osdmap_show() now take the respective lock beforeaccessing the map as well.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68324 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: imm: Fix use-after-free bug caused by unfinished delayed workThe delayed work item 'imm_tq' is initialized in imm_attach() andscheduled via imm_queuecommand() for processing SCSI commands. When theIMM parallel port SCSI host adapter is detached through imm_detach(),the imm_struct device instance is deallocated.However, the delayed work might still be pending or executingwhen imm_detach() is called, leading to use-after-free bugswhen the work function imm_interrupt() accesses the alreadyfreed imm_struct memory.The race condition can occur as follows:CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck()imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(...) //USE dev-> //USEAdd disable_delayed_work_sync() in imm_detach() to guarantee propercancellation of the delayed work item before imm_struct is deallocated.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68804 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driverAfter unbinding the driver, another kthread `cros_ec_console_log_work`is still accessing the device, resulting an UAF and crash.The driver doesn't unregister the EC device in .remove() which shouldshutdown sub-devices synchronously. Fix it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71066 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: ets: Always remove class from active list before deleting in ets_qdisc_changezdi-disclosures@trendmicro.com says:The vulnerability is a race condition between `ets_qdisc_dequeue` and`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.Attacker requires the capability to create new user and network namespacein order to trigger the bug.See my additional commentary at the end of the analysis.Analysis:static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack){... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0;}Comment:This happens because some of the classes have their qdiscs assigned toNULL, but remain in the active list. This commit fixes this issue by alwaysremoving the class from the active list before deleting and freeing itsassociated qdiscReproducer Steps(trimmed version of what was sent by zdi-disclosures@trendmicro.com)```DEV="${DEV:-lo}"ROOT_HANDLE="${ROOT_HANDLE:-1:}"BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2PING_BYTES="${PING_BYTES:-48}"PING_COUNT="${PING_COUNT:-200000}"PING_DST="${PING_DST:-127.0.0.1}"SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null}trap cleanup EXITip link set "$DEV" uptc qdisc del dev "$DEV" root 2>/dev/null || truetc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2tc -s qdisc ls dev $DEVping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 &tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2tc -s qdisc ls dev $DEVtc qdisc del dev "$DEV" parent ---truncated---

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71089 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iommu: disable SVA when CONFIG_X86 is setPatch series "Fix stale IOTLB entries for kernel address space", v7.This proposes a fix for a security vulnerability related to IOMMU SharedVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernelpage table entries. When a kernel page table page is freed andreallocated for another purpose, the IOMMU might still hold stale,incorrect entries. This can be exploited to cause a use-after-free orwrite-after-free condition, potentially leading to privilege escalation ordata corruption.This solution introduces a deferred freeing mechanism for kernel pagetable pages, which provides a safe window to notify the IOMMU toinvalidate its caches before the page is reused.This patch (of 8):In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardwareshares and walks the CPU's page tables. The x86 architecture maps thekernel's virtual address space into the upper portion of every process'spage table. Consequently, in an SVA context, the IOMMU hardware can walkand cache kernel page table entries.The Linux kernel currently lacks a notification mechanism for kernel pagetable changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual addressmappings. This can cause the IOMMU's internal caches to retain staleentries for kernel VA.Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise whenkernel page table pages are freed and later reallocated. The IOMMU couldmisinterpret the new data as valid page table entries. The IOMMU mightthen walk into attacker-controlled memory, leading to arbitrary physicalmemory DMA access or privilege escalation. This is also aWrite-After-Free issue, as the IOMMU will potentially continue to writeAccessed and Dirty bits to the freed memory while attempting to walk thestale page tables.Currently, SVA contexts are unprivileged and cannot access kernelmappings. However, the IOMMU will still walk kernel-only page tables allthe way down to the leaf entries, where it realizes the mapping is for thekernel and errors out. This means the IOMMU still caches theseintermediate page table entries, making the described vulnerability a realconcern.Disable SVA on x86 architecture until the IOMMU can receive notificationto flush the paging cache before freeing the CPU kernel page table pages.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71112 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net: hns3: add VLAN id validation before usingCurrently, the VLAN id may be used without validation whenreceive a VLAN configuration mailbox from VF. The length ofvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may causeout-of-bounds memory access once the VLAN id is bigger thanor equal to VLAN_N_VID.Therefore, VLAN id needs to be checked to ensure it is withinthe range of VLAN_N_VID.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71202 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/sva: invalidate stale IOTLB entries for kernel address spaceIntroduce a new IOMMU interface to flush IOTLB paging cache entries forthe CPU kernel address space. This interface is invoked from the x86architecture code that manages combined user and kernel page tables,specifically before any kernel page table page is freed and reused.This addresses the main issue with vfree() which is a common occurrenceand can be triggered by unprivileged users. While this resolves theprimary problem, it doesn't address some extremely rare case related tomemory unplug of memory that was present as reserved memory at boot, whichcannot be triggered by unprivileged users. The discussion can be found atthe link below.Enable SVA on x86 architecture since the IOMMU can now receivenotification to flush the paging cache before freeing the CPU kernel pagetable pages.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22999 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_qfq: do not free existing class in qfq_change_class()Fixes qfq_change_class() error case.cl->qdisc and cl should only be freed if a new class and qdiscwere allocated, or we risk various UAF.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23001 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:macvlan: fix possible UAF in macvlan_forward_source()Add RCU protection on (struct macvlan_source_entry)->vlan.Whenever macvlan_hash_del_source() is called, we must clearentry->vlan pointer before RCU grace period starts.This allows macvlan_forward_source() to skip overentries queued for freeing.Note that macvlan_dev are already RCU protected, as theyare embedded in a standard netdev (netdev_priv(ndev)).https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23004 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()in an interesting way [1]Crash happens in list_del_init()/INIT_LIST_HEAD() while writinglist->prev, while the prior write on list->next went well.static inline void INIT_LIST_HEAD(struct list_head *list){ WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed.}Issue here is that rt6_uncached_list_del() did not attempt to lockul->lock, as list_empty(&rt->dst.rt_uncached) returnedtrue because the WRITE_ONCE(list->next, list) happened on the other CPU.We might use list_del_init_careful() and list_empty_careful(),or make sure rt6_uncached_list_del() always grabs the spinlockwhenever rt->dst.rt_uncached_list has been set.A similar fix is neeed for IPv4.[1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}Tainted: [L]=SOFTLOCKUPHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025Workqueue: netns cleanup_netCall Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23066 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix recvmsg() unconditional requeueIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call atthe front of the recvmsg queue already has its mutex locked, it requeuesthe call - whether or not the call is already queued. The call may be onthe queue because MSG_PEEK was also passed and so the call was not dequeuedor because the I/O thread requeued it.The unconditional requeue may then corrupt the recvmsg queue, leading tothings like UAFs or refcount underruns.Fix this by only requeuing the call if it isn't already on the queue - andmoving it to the front if it is already queued. If we don't queue it, wehave to put the ref we obtained by dequeuing it.Also, MSG_PEEK doesn't dequeue the call so shouldn't callrxrpc_notify_socket() for the call if we didn't use up all the data on thequeue, so fix that also.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23074 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: Enforce that teql can only be used as root qdiscDesign intent of teql is that it is only supposed to be used as root qdisc.We need to check for that constraint.Although not important, I will describe the scenario that unearthed thisissue for the curious.GangMin Kim managed to concot a scenario as follows:ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s ── class 1:2 (weight=1, lmax=1514) teqlGangMin sends a packet which is enqueued to 1:1 (netem).Any invocation of dequeue by QFQ from this class will not return a packetuntil after 6.4s. In the meantime, a second packet is sent and it lands on1:2. teql's enqueue will return success and this will activate class 1:2.Main issue is that teql only updates the parent visible qlen (sch->q.qlen)at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql'speek always returns NULL), dequeue will never be called and thus the qlenwill remain as 0. With that in mind, when GangMin updates 1:2's lmax value,the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc'sqlen was not incremented, qfq fails to deactivate the class, but stillfrees its pointers from the aggregate. So when the first packet isrescheduled after 6.4 seconds (netem's delay), a dangling pointer isaccessed causing GangMin's causing a UAF.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23202 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xferThe curr_xfer field is read by the IRQ handler without holding the lockto check if a transfer is in progress. When clearing curr_xfer in thecombined sequence transfer loop, protect it with the spinlock to preventa race with the interrupt handler.Protect the curr_xfer clearing at the exit path oftegra_qspi_combined_seq_xfer() with the spinlock to prevent a racewith the interrupt handler that reads this field.Without this protection, the IRQ handler could read a partially updatedcurr_xfer value, leading to NULL pointer dereference or use-after-free.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23204 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: cls_u32: use skb_header_pointer_careful()skb_header_pointer() does not fully validate negative @offset values.Use skb_header_pointer_careful() instead.GangMin Kim provided a report and a repro fooling u32_classify():BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0net/sched/cls_u32.c:221

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23227 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/freeExynos Virtual Display driver performs memory alloc/free operationswithout lock protection, which easily causes concurrency problem.For example, use-after-free can occur in race scenario like this:``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... ctx->raw_edid = drm_edid; ... drm_mode_getconnector() drm_helper_probe_single_connector_modes() vidi_get_modes() if (ctx->raw_edid) // true drm_edid_dup(ctx->raw_edid); if (!drm_edid) // false ... vidi_connection_ioctl() if (vidi->connection) // false drm_edid_free(ctx->raw_edid); // free drm_edid ... drm_edid_alloc(drm_edid->edid) kmemdup(edid); // UAF!! ...```To prevent these vulns, at least in vidi_context, member variables relatedto memory alloc/free should be protected with ctx->lock.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23231 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: fix use-after-free in nf_tables_addchain()nf_tables_addchain() publishes the chain to table->chains vialist_add_tail_rcu() (in nft_chain_add()) before registering hooks.If nf_tables_register_hook() then fails, the error path callsnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()with no RCU grace period in between.This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain.Add synchronize_rcu() between nft_chain_del() and the chain destroyso that all RCU readers -- both dump threads and in-flight packetevaluation -- have finished before the chain is freed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23239 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:espintcp: Fix race condition in espintcp_close()This issue was discovered during a code audit.After cancel_work_sync() is called from espintcp_close(),espintcp_tx_work() can still be scheduled from paths such asthe Delayed ACK handler or ksoftirqd.As a result, the espintcp_tx_work() worker may dereference afreed espintcp ctx or sk.The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espintcp_write_space() schedule_work(&ctx->work);To prevent this race condition, cancel_work_sync() isreplaced with disable_work_sync().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23240 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tls: Fix race condition in tls_sw_cancel_work_tx()This issue was discovered during a code audit.After cancel_delayed_work_sync() is called from tls_sk_proto_close(),tx_work_handler() can still be scheduled from paths such as theDelayed ACK handler or ksoftirqd.As a result, the tx_work_handler() worker may dereference a freedTLS object.The following is a simple race scenario: cpu0 cpu1tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0);To prevent this race condition, cancel_delayed_work_sync() isreplaced with disable_delayed_work_sync().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23248 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:perf/core: Fix refcount bug and potential UAF in perf_mmapSyzkaller reported a refcount_t: addition on 0; use-after-free warningin perf_mmap.The issue is caused by a race condition between a failing mmap() setupand a concurrent mmap() on a dependent event (e.g., using outputredirection).In perf_mmap(), the ring_buffer (rb) is allocated and assigned toevent->rb with the mmap_mutex held. The mutex is then released toperform map_range().If map_range() fails, perf_mmap_close() is called to clean up.However, since the mutex was dropped, another thread attaching tothis event (via inherited events or output redirection) can acquirethe mutex, observe the valid event->rb pointer, and attempt toincrement its reference count. If the cleanup path has alreadydropped the reference count to zero, this results in ause-after-free or refcount saturation warning.Fix this by extending the scope of mmap_mutex to cover themap_range() call. This ensures that the ring buffer initializationand mapping (or cleanup on failure) happens atomically effectively,preventing other threads from accessing a half-initialized ordying ring buffer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23268 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix unprivileged local user can do privileged policy managementAn unprivileged local user can load, replace, and remove profiles byopening the apparmorfs interfaces, via a confused deputy attack, bypassing the opened fd to a privileged process, and getting theprivileged process to write to the interface.This does require a privileged target that can be manipulated to dothe write for the unprivileged process, but once such access isachieved full policy management is possible and all the possibleimplications that implies: removing confinement, DoS of system ortarget applications by denying all execution, by-passing theunprivileged user namespace restriction, to exploiting kernel bugs fora local privilege escalation.The policy management interface can not have its permissions simplychanged from 0666 to 0600 because non-root processes need to be ableto load policy to different policy namespaces.Instead ensure the task writing the interface has privileges thatare a subset of the task that opened the interface. This is alreadydone via policy for confined processes, but unconfined can delegateaccess to the opened fd, by-passing the usual policy check.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23272 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: unconditionally bump set->nelems before insertionIn case that the set is full, a new element gets published then removedwithout waiting for the RCU grace period, while RCU reader can bewalking over it already.To address this issue, add the element transaction even if set is full,but toggle the set_full flag to report -ENFILE so the abort path safelyunwinds the set to its previous state.As for element updates, decrement set->nelems to restore it.A simpler fix is to call synchronize_rcu() in the error path.However, with a large batch adding elements to already maxed-out set,this could cause noticeable slowdown of such batches.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23274 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labelsIDLETIMER revision 0 rules reuse existing timers by label and always callmod_timer() on timer->timer.If the label was created first by revision 1 with XT_IDLETIMER_ALARM,the object uses alarm timer semantics and timer->timer is never initialized.Reusing that object from revision 0 causes mod_timer() on an uninitializedtimer_list, triggering debugobjects warnings and possible panic whenpanic_on_warn=1.Fix this by rejecting revision 0 rule insertion when an existing timer withthe same label is of ALARM type.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23278 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: always walk all pending catchall elementsDuring transaction processing we might have more than one catchall element:1 live catchall element and 1 pending element that is coming as part of thenew batch.If the map holding the catchall elements is also going away, itsrequired to toggle all catchall elements and not just the first viablecandidate.Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] [..] __nft_set_elem_destroy+0x106/0x380 [nf_tables] nf_tables_abort_release+0x348/0x8d0 [nf_tables] nf_tables_abort+0xcf2/0x3ac0 [nf_tables] nfnetlink_rcv_batch+0x9c9/0x20e0 [..]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23392 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: release flowtable after rcu grace period on errorCall synchronize_rcu() after unregistering the hooks from error path,since a hook that already refers to this flowtable can be alreadyregistered, exposing this flowtable to packet path and nfnetlink_hookcontrol plane.This error path is rare, it should only happen by reaching the maximumnumber hooks or by failing to set up to hardware offload, just callsynchronize_rcu().There is a check for already used device hooks by different flowtablethat could result in EEXIST at this late stage. The hook parser can beupdated to perform this check earlier to this error path really becomesrarely exercised.Uncovered by KASAN reported as use-after-free from nfnetlink_hook pathwhen dumping hooks.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23393 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: cfm: Fix race condition in peer_mep deletionWhen a peer MEP is being deleted, cancel_delayed_work_sync() is calledon ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs insoftirq context under rcu_read_lock (without RTNL) and can re-scheduleccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()returning and kfree_rcu() being called.The following is a simple race scenario: cpu0 cpu1mep_delete_implementation() cancel_delayed_work_sync(ccm_rx_dwork); br_cfm_frame_rx() // peer_mep still in hlist if (peer_mep->ccm_defect) ccm_rx_timer_start() queue_delayed_work(ccm_rx_dwork) hlist_del_rcu(&peer_mep->head); kfree_rcu(peer_mep, rcu); ccm_rx_work_expired() // on freed peer_mepTo prevent this, cancel_delayed_work_sync() is replaced withdisable_delayed_work_sync() in both peer MEP deletion paths, sothat subsequent queue_delayed_work() calls from br_cfm_frame_rx()are silently rejected.The cc_peer_disable() helper retains cancel_delayed_work_sync()because it is also used for the CC enable/disable toggle path wherethe work must remain re-schedulable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23412 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: bpf: defer hook memory release until rcu readers are doneYiming Qian reports UaF when concurrent process is dumping hooks vianfnetlink_hooks:BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0Read of size 8 at addr ffff888003edbf88 by task poc/79Call Trace: nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..]Defer release until after concurrent readers have completed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23449 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: teql: Fix double-free in teql_master_xmitWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset shouldbe called using the seq_lock to avoid racing with the datapath. Failureto do so may cause crashes like the following:[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318[ 238.029749][ T318][ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011[ 238.029910][ T318] Call Trace:[ 238.029913][ T318] [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)...[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)...[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)...[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)...[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)[ 238.081469][ T318][ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))[ 238.085900][ T318] __kasan_slab_free (mm/---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23450 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].smc_tcp_syn_recv_sock() is called in the TCP receive path(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCPlistening socket). It reads sk_user_data to get the smc_sockpointer. However, when the SMC listen socket is being closedconcurrently, smc_close_active() sets clcsock->sk_user_datato NULL under sk_callback_lock, and then the smc_sock itselfcan be freed via sock_put() in smc_release().This leads to two issues:1) NULL pointer dereference: sk_user_data is NULL when accessed.2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed.The race window looks like this (the syzkaller crash [1]triggers via the SYN cookie path: tcp_get_cookie_sock() ->smc_tcp_syn_recv_sock(), but the normal tcp_check_req() pathhas the same race): CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash!Note that the clcsock and smc_sock are two independent objectswith separate refcounts. TCP stack holds a reference on theclcsock, which keeps it alive, but this does NOT prevent thesmc_sock from being freed.Fix this by using RCU and refcount_inc_not_zero() to safelyaccess smc_sock. Since smc_tcp_syn_recv_sock() is called inthe TCP three-way handshake path, taking read_lock_bh onsk_callback_lock is too heavy and would not survive a SYNflood attack. Using rcu_read_lock() is much more lightweight.- Set SOCK_RCU_FREE on the SMC listen socket so that smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock().- Use rcu_read_lock() to protect reading sk_user_data.- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely.Note: smc_hs_congested() has a similar lockless read ofsk_user_data without rcu_read_lock(), but it only checks forNULL and accesses the global smc_hs_wq, never dereferencingany smc_sock field, so it is not affected.Reproducer was verified with mdelay injection and smc_run,the issue no longer occurs with this patch applied.[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23458 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for thenetlink dump callback ctnetlink_exp_ct_dump_table(), but drops theconntrack reference immediately after netlink_dump_start(). When thedump spans multiple rounds, the second recvmsg() triggers the dumpcallback which dereferences the now-freed conntrack via nfct_help(ct),leading to a use-after-free on ct->ext.The bug is that the netlink_dump_control has no .start or .donecallbacks to manage the conntrack reference across dump rounds. Otherdump functions in the same file (e.g. ctnetlink_get_conntrack) properlyuse .start/.done callbacks for this purpose.Fix this by adding .start and .done callbacks that hold and release theconntrack reference for the duration of the dump, and move thenfct_help() call after the cb->args[0] early-return check in the dumpcallback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23471 Severity: Important CVSS3 score: 7.0

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-25646 Severity: Important CVSS3 score: 7.0

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 < 1.6.40-150600.3.12.1 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-27459 Severity: Important CVSS3 score: 7.0

Description: pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python311-pyOpenSSL < 23.2.0-150400.3.13.1 (version in image is 23.2.0-150400.3.10.1).

CVE-2026-31403 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fdThe /proc/fs/nfs/exports proc entry is created at module initand persists for the module's lifetime. exports_proc_open()captures the caller's current network namespace and storesits svc_export_cache in seq->private, but takes no referenceon the namespace. If the namespace is subsequently torn down(e.g. container destruction after the opener does setns() to adifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()which frees the cache. Subsequent reads on the still-open fddereference the freed cache_detail, walking a freed hash table.Hold a reference on the struct net for the lifetime of the openfile descriptor. This prevents nfsd_net_exit() from running --and thus prevents nfsd_export_shutdown() from freeing the cache-- while any exports fd is open. cache_detail already storesits net pointer (cd->net, set by cache_create_net()), soexports_release() can retrieve it without additional per-filestorage.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31408 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_holdsco_recv_frame() reads conn->sk under sco_conn_lock() but immediatelyreleases the lock without holding a reference to the socket. A concurrentclose() can free the socket between the lock release and the subsequentsk->sk_state access, resulting in a use-after-free.Other functions in the same file (sco_sock_timeout(), sco_conn_del())correctly use sco_sock_hold() to safely hold a reference under the lock.Fix by using sco_sock_hold() to take a reference before releasing thelock, and adding sock_put() on all exit paths.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31436 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()At the end of this function, d is the traversal cursor of flist, but thecode completes found instead. This can lead to issues such as NULL pointerdereferences, double completion, or descriptor leaks.Fix this by completing d instead of found in the finallist_for_each_entry_safe() loop.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31470 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:virt: tdx-guest: Fix handling of host controlled 'quote' buffer lengthValidate host controlled value `quote_buf->out_len` that determines howmany bytes of the quote are copied out to guest userspace. In TDXenvironments with remote attestation, quotes are not considered private,and can be forwarded to an attestation server.Catch scenarios where the host specifies a response length larger thanthe guest's allocation, or otherwise races modifying the response whilethe guest consumes it.This prevents contents beyond the pages allocated for `quote_buf`(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,and possibly forwarded in attestation requests.Recall that some deployments want per-container configs-tsm-reportinterfaces, so the leak may cross container protection boundaries, notjust local root.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31473 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutexMEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)queue teardown paths. This can race request object cleanup against vb2queue cancellation and lead to use-after-free reports.We already serialize request queueing against STREAMON/OFF withreq_queue_mutex. Extend that serialization to REQBUFS, and also takethe same mutex in media_request_ioctl_reinit() so REINIT is in thesame exclusion domain.This keeps request cleanup and queue cancellation from running inparallel for request-capable devices.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-4878 Severity: Important CVSS3 score: 7.0

Description: A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libcap2 < 2.63-150400.3.6.1 (version in image is 2.63-150400.3.3.1).

CVE-2026-4519 Severity: Moderate CVSS3 score: 6.9

Description: The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-5958 Severity: Moderate CVSS3 score: 6.9

Description: When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written,2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.This issue was fixed in version 4.10.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
sed > 0-0 (version in image is 4.9-150600.1.4).

CVE-2025-15444 Severity: Moderate CVSS3 score: 6.8

Description: Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodiumlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 .The libsodium vulnerability states:In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.11.1).

CVE-2025-26465 Severity: Moderate CVSS3 score: 6.8

Description: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Packages affected:

sle-module-desktop-applications-release == 15.6 (version in image is 15.6-150600.37.2).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2025-64505 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2025-64506 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2025-64720 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha x 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2025-65018 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-22801 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-5928 Severity: Moderate CVSS3 score: 6.8

Description: Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2024-38559 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qedf: Ensure the copied buf is NUL terminatedCurrently, we allocate a count-sized kernel buffer and copy count fromuserspace to that buffer. Later, we use kstrtouint on this buffer but wedon't ensure that the string is terminated inside the buffer, this canlead to OOB read when using kstrtouint. Fix this issue by usingmemdup_user_nul instead of memdup_user.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38570 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:gfs2: Fix potential glock use-after-free on unmountWhen a DLM lockspace is released and there ares still locks in thatlockspace, DLM will unlock those locks automatically. Commitfb6791d100d1b started exploiting this behavior to speed up filesystemunmount: gfs2 would simply free glocks it didn't want to unlock and thenrelease the lockspace. This didn't take the bast callbacks forasynchronous lock contention notifications into account, which remainactive until until a lock is unlocked or its lockspace is released.To prevent those callbacks from accessing deallocated objects, put theglocks that should not be unlocked on the sd_dead_glocks list, releasethe lockspace, and only then free those glocks.As an additional measure, ignore unexpected ast and bast callbacks ifthe receiving glock is dead.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-15366 Severity: Moderate CVSS3 score: 6.7

Description: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.14-150600.3.44.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-15367 Severity: Moderate CVSS3 score: 6.7

Description: The poplib module, when passed a user-controlled command, can haveadditional commands injected using newlines. Mitigation rejects commandscontaining control characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.14-150600.3.44.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-68801 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:mlxsw: spectrum_router: Fix neighbour use-after-freeWe sometimes observe use-after-free when dereferencing a neighbour [1].The problem seems to be that the driver stores a pointer to theneighbour, but without holding a reference on it. A reference is onlytaken when the neighbour is used by a nexthop.Fix by simplifying the reference counting scheme. Always take areference when storing a neighbour pointer in a neighbour entry. Avoidtaking a referencing when the neighbour is used by a nexthop as theneighbour entry associated with the nexthop already holds a reference.Tested by running the test that uncovered the problem over 300 times.Without this patch the problem was reproduced after a handful ofiterations.[1]BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310Read of size 8 at addr ffff88817f8e3420 by task ip/3929CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023Call Trace: dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53[...]Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22980 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:nfsd: provide locking for v4_end_graceWriting to v4_end_grace can race with server shutdown and result inmemory being accessed after it was freed - reclaim_str_hashtbl inparticularly.We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that isheld while client_tracking_op->init() is called and that can wait foran upcall to nfsdcltrack which can write to v4_end_grace, resulting in adeadlock.nfsd4_end_grace() is also called by the landromat work queue and thisdoesn't require locking as server shutdown will stop the work and waitfor it before freeing anything that nfsd4_end_grace() might access.However, we must be sure that writing to v4_end_grace doesn't restartthe work item after shutdown has already waited for it. For this weadd a new flag protected with nn->client_lock. It is set only while itis safe to make client tracking calls, and v4_end_grace only scheduleswork while the flag is set with the spinlock held.So this patch adds a nfsd_net field "client_tracking_active" which isset as described. Another field "grace_end_forced", is set whenv4_end_grace is written. After this is set, and providingclient_tracking_active is set, the laundromat is scheduled.This "grace_end_forced" field bypasses other checks for whether thegrace period has finished.This resolves a race which can result in use-after-free.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36916 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:blk-iocost: avoid out of bounds shiftUBSAN catches undefined behavior in blk-iocost, where sometimesiocg->delay is shifted right by a number that is too large,resulting in undefined behavior on some architectures.[ 186.556576] ------------[ cut here ]------------UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020Call Trace: dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80 __run_timer_base+0x1b6/0x250...Avoid that undefined behavior by simply taking the"delay = 0" branch if the shift is too large.I am not sure what the symptoms of an undefined valuedelay will be, but I suspect it could be more than alittle annoying to debug.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-13151 Severity: Moderate CVSS3 score: 6.6

Description: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libtasn1 > 0-0 (version in image is 4.13-150000.4.14.1).

CVE-2025-68340 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:team: Move team device type change at the end of team_port_addAttempting to add a port device that is already up will expectedly fail,but not before modifying the team device header_ops.In the case of the syzbot reproducer the gre0 device isalready in state UP when it attempts to add it as aport device of team0, this fails but before thatheader_ops->create of team0 is changed from eth_header to ipgre_headerin the call to team_dev_type_check_change.Later when we end up in ipgre_header() struct ip_tunnel* points to nonsenseas the private data of the device still holds a struct team.Example sequence of iproute2 commands to reproduce the hang/BUG():ip link add dev team0 type teamip link add dev gre0 type greip link set dev gre0 upip link set dev gre0 master team0ip link set dev team0 upping -I team0 1.1.1.1Move team_dev_type_check_change down where all other checks have passedas it changes the dev type with no way to restore it in caseone of the checks that follow it fail.Also make sure to preserve the origial mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from devThis is done by adding a conditional before the call to dev_set_mtuto prevent it from assigning port_dev->mtu = dev->mtu and insteadletting team_dev_type_check_change assign dev->mtu = port_dev->mtu.The conditional is needed because the patch moves the call toteam_dev_type_check_change past dev_set_mtu.Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71113 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - zero initialize memory allocated via sock_kmallocSeveral crypto user API contexts and requests allocated withsock_kmalloc() were left uninitialized, relying on callers toset fields explicitly. This resulted in the use of uninitializeddata in certain error paths or when new fields are added in thefuture.The ACVP patches also contain two user-space interface files:algif_kpp.c and algif_akcipher.c. These too rely on properinitialization of their context structures.A particular issue has been observed with the newly added'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")Because the context is not memset to zero after allocation,the inflight variable has contained garbage values. As a result,af_alg_alloc_areq() has incorrectly returned -EBUSY randomly whenthe garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209The check directly tests ctx->inflight without explicitlycomparing against true/false. Since inflight is only ever set totrue or false later, an uninitialized value has triggered-EBUSY failures. Zero-initializing memory allocated withsock_kmalloc() ensures inflight and other fields start in a knownstate, removing random issues caused by uninitialized data.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23003 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()Blamed commit did not take care of VLAN encapsulationsas spotted by syzbot [1].Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fUninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23057 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:vsock/virtio: Coalesce only linear skbvsock/virtio common tries to coalesce buffers in rx queue: if a linear skb(with a spare tail room) is followed by a small skb (length limited byGOOD_COPY_LEN = 128), an attempt is made to join them.Since the introduction of MSG_ZEROCOPY support, assumption that a small skbwill always be linear is incorrect. In the zerocopy case, data is lost andthe linear skb is appended with uninitialized kernel memory.Of all 3 supported virtio-based transports, only loopback-transport isaffected. G2H virtio-transport rx queue operates on explicitly linear skbs;see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2Gvhost-transport may allocate non-linear skbs, but only for sizes that arenot considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER invirtio_vsock_alloc_skb().Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0guarantees last_skb is linear.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23403 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix memory leak in verify_headerThe function sets `*ns = NULL` on every call, leaking the namespacestring allocated in previous iterations when multiple profiles areunpacked. This also breaks namespace consistency checking since *nsis always NULL when the comparison is made.Remove the incorrect assignment.The caller (aa_unpack) initializes *ns to NULL once before the loop,which is sufficient.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31426 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardwareplatforms, it has already started the EC and installed the addressspace handler with the struct acpi_ec pointer as handler context.However, acpi_ec_setup() propagates the error without any cleanup.The caller acpi_ec_add() then frees the struct acpi_ec for non-bootinstances, leaving a dangling handler context in ACPICA.Any subsequent AML evaluation that accesses an EC OpRegion fielddispatches into acpi_ec_space_handler() with the freed pointer,causing a use-after-free: BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289) Write of size 8 at addr ffff88800721de38 by task init/1 Call Trace: mutex_lock (kernel/locking/mutex.c:289) acpi_ec_space_handler (drivers/acpi/ec.c:1362) acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293) acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246) acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509) acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700) acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327) acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392) Allocated by task 1: acpi_ec_alloc (drivers/acpi/ec.c:1424) acpi_ec_add (drivers/acpi/ec.c:1692) Freed by task 1: kfree (mm/slub.c:6876) acpi_ec_add (drivers/acpi/ec.c:1751)The bug triggers on reduced-hardware EC platforms (ec->gpe < 0)when the GPIO IRQ provider defers probing. Once the stale handlerexists, any unprivileged sysfs read that causes AML to touch anEC OpRegion (battery, thermal, backlight) exercises the danglingpointer.Fix this by calling ec_remove_handlers() in the error path ofacpi_ec_setup() before clearing first_ec. ec_remove_handlers()checks each EC_FLAGS_* bit before acting, so it is safe to callregardless of how far ec_install_handlers() progressed: -ENODEV (handler not installed): only calls acpi_ec_stop() -EPROBE_DEFER (handler installed): removes handler, stops EC

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-12801 Severity: Moderate CVSS3 score: 6.5

Description: A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate theprivileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libnfsidmap1 < 1.0-150600.28.19.1 (version in image is 1.0-150600.28.12.1).

CVE-2025-13836 Severity: Moderate CVSS3 score: 6.5

Description: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-14512 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.28.1).

CVE-2025-15282 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-38224 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: kvaser_pciefd: refine error prone echo_skb_max handling logicecho_skb_max should define the supported upper limit of echo_skb[]allocated inside the netdevice's priv. The corresponding size valueprovided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNTwhich is 17.But later echo_skb_max is rounded up to the nearest power of two (for themax case, that would be 32) and the tx/ack indices calculated furtherduring tx/rx may exceed the upper array boundary. Kasan reported this forthe ack case inside kvaser_pciefd_handle_ack_packet(), though the xmitfunction has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seqnumbers' generation that's not the case - we're free to calculate them aswould be more convenient, not taking tx max count into account. The onlydownside is that the size of echo_skb[] should correspond to the max seqnumber (not tx max count), so in some situations a bit more memory wouldbe consumed than could be.Thus make the size of the underlying echo_skb[] sufficient for the roundedmax tx value.Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68468 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.12.1).

CVE-2025-68471 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.12.1).

CVE-2025-71104 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timerWhen advancing the target expiration for the guest's APIC timer in periodicmode, set the expiration to "now" if the target expiration is in the past(similar to what is done in update_target_expiration()). Blindly addingthe period to the previous target expiration can result in KVM generatinga practically unbounded number of hrtimer IRQs due to programming anexpired timer over and over. In extreme scenarios, e.g. if userspacepauses/suspends a VM for an extended duration, this can even cause hardlockups in the host.Currently, the bug only affects Intel CPUs when using the hypervisor timer(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,a.k.a. hrtimer, which KVM keeps running even on exits to userspace, theHV timer only runs while the guest is active. As a result, if the vCPUdoes not run for an extended duration, there will be a huge gap betweenthe target expiration and the current time the vCPU resumes running.Because the target expiration is incremented by only one period on eachtimer expiration, this leads to a series of timer expirations occurringrapidly after the vCPU/VM resumes.More critically, when the vCPU first triggers a periodic HV timerexpiration after resuming, advancing the expiration by only one periodwill result in a target expiration in the past. As a result, the deltamay be calculated as a negative value. When the delta is converted intoan absolute value (tscdeadline is an unsigned u64), the resulting valuecan overflow what the HV timer is capable of programming. I.e. the largevalue will exceed the VMX Preemption Timer's maximum bit width ofcpu_preemption_timer_multi + 32, and thus cause KVM to switch from theHV timer to the software timer (hrtimers).After switching to the software timer, periodic timer expiration callbacksmay be executed consecutively within a single clock interrupt handler,because hrtimers honors KVM's request for an expiration in the past andimmediately re-invokes KVM's callback after reprogramming. And becausethe interrupt handler runs with IRQs disabled, restarting KVM's hrtimerover and over until the target expiration is advanced to "now" can resultin a hard lockup.E.g. the following hard lockup was triggered in the host when running aWindows VM (only relevant because it used the APIC timer in periodic mode)after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 Moreover, if the suspend duration of the virtual machine is not long enoughto trigger a hard lockup in this scenario, since commit 98c25ead5eda("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVMwill continue using the software timer until the guest reprograms the APICtimer in some way. Since the periodic timer does not require frequent APICtimer register programming, the guest may continue to use the softwaretimer in ---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71238 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Fix bsg_done() causing double freeKernel panic observed on system,[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000[5353358.825194] #PF: supervisor write access in kernel mode[5353358.825195] #PF: error_code(0x0002) - not-present page[5353358.825196] PGD 100006067 P4D 0[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0[5353358.825221] PKRU: 55555554[5353358.825222] Call Trace:[5353358.825223] [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df[5353358.825232] ? sg_copy_buffer+0xc8/0x110[5353358.825236] ? __die_body.cold+0x8/0xd[5353358.825238] ? page_fault_oops+0x134/0x170[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110[5353358.825244] ? exc_page_fault+0xa8/0x150[5353358.825247] ? asm_exc_page_fault+0x22/0x30[5353358.825252] ? memcpy_erms+0x6/0x10[5353358.825253] sg_copy_buffer+0xc8/0x110[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx][5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]Most routines in qla_bsg.c call bsg_done() only for success cases.However a few invoke it for failure case as well leading to a doublefree. Validate before calling bsg_done().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-0865 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled header names and values containing newlines can allow injecting HTTP headers.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-0966 Severity: Moderate CVSS3 score: 6.5

Description: The API function `ssh_get_hexa()` is vulnerable, when 0-lenghtinput is provided to this function. This function is used internallyin `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),which is vulnerable to the same input (length is provided by thecalling application).The function is also used internally in the gssapi code for loggingthe OIDs received by the server during GSSAPI authentication. Thiscould be triggered remotely, when the server allows GSSAPI authenticationand logging verbosity is set at least to SSH_LOG_PACKET (3). Thiscould cause self-DoS of the per-connection daemon process.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libssh-config > 0-0 (version in image is 0.9.8-150600.11.6.1).

CVE-2026-22990 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: replace overzealous BUG_ON in osdmap_apply_incremental()If the osdmap is (maliciously) corrupted such that the incrementalosdmap epoch is different from what is expected, there is no need toBUG. Instead, just declare the incremental osdmap to be invalid.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22992 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: return the handler error from mon_handle_auth_done()Currently any error from ceph_auth_handle_reply_done() is propagatedvia finish_auth() but isn't returned from mon_handle_auth_done(). Thisresults in higher layers learning that (despite the monitor consideringus to be successfully authenticated) something went wrong in theauthentication phase and reacting accordingly, but msgr2 still tryingto proceed with establishing the session in the background. In thecase of secure mode this can trigger a WARN in setup_crypto() and laterlead to a NULL pointer dereference inside of prepare_auth_signature().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23060 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN specauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter thanthe minimum expected length, crypto_authenc_esn_decrypt() can advance pastthe end of the destination scatterlist and trigger a NULL pointer dereferencein scatterwalk_map_and_copy(), leading to a kernel panic (DoS).Add a minimum AAD length check to fail fast on invalid inputs.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23086 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:vsock/virtio: cap TX credit to local buffer sizeThe virtio transports derives its TX credit directly from peer_buf_alloc,which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.On the host side this means that the amount of data we are willing toqueue for a connection is scaled by a guest-chosen buffer size, ratherthan the host's own vsock configuration. A malicious guest can advertisea large buffer and read slowly, causing the host to allocate acorrespondingly large amount of sk_buff memory.The same thing would happen in the guest with a malicious host, sincevirtio transports share the same code base.Introduce a small helper, virtio_transport_tx_buf_size(), thatreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consumepeer_buf_alloc.This ensures the effective TX window is bounded by both the peer'sadvertised buffer and our own buf_alloc (already clamped tobuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peercannot force the other to queue more data than allowed by its ownvsock settings.On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with32 guest vsock connections advertising 2 GiB each and reading slowlydrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system onlyrecovered after killing the QEMU process. That said, if QEMU memory islimited with cgroups, the maximum memory used will be limited.With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiBOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guestremains responsive.Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport.This change is limited to virtio_transport_common.c and thus affectsvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the"remote window intersected with local policy" behaviour that VMCI andHyper-V already effectively have.[Stefano: small adjustments after changing the previous patch][Stefano: tweak the commit message]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23223 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: fix UAF in xchk_btree_check_block_ownerWe cannot dereference bs->cur when trying to determine if bs->curaliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.Fix this by sampling before type before any freeing could happen.The correct temporal ordering was broken when we removed xfs_btnum_t.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23276 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: add xmit recursion limit to tunnel xmit functionsTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their ownrecursion limit. When a bond device in broadcast mode has GRE tapinterfaces as slaves, and those GRE tunnels route back through thebond, multicast/broadcast traffic triggers infinite recursion betweenbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causingkernel stack overflow.The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is notsufficient because tunnel recursion involves route lookups and full IPoutput, consuming much more stack per level. Use a lower limit of 4(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.Add recursion detection using dev_xmit_recursion helpers directly iniptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnelpaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).Move dev_xmit_recursion helpers from net/core/dev.h to public headerinclude/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23279 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferencedat lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);The mesh_matches_local() check above only validates the Mesh ID,Mesh Configuration, and Supported Rates IEs. It does not verify thepresence of the Mesh Channel Switch Parameters IE (element ID 118).When a received CSA action frame omits that IE, ieee802_11_parse_elems()leaves elems->mesh_chansw_params_ie as NULL, and the unconditionaldereference causes a kernel NULL pointer dereference.A remote mesh peer with an established peer link (PLINK_ESTAB) cantrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action framethat includes a matching Mesh ID and Mesh Configuration IE but omits theMesh Channel Switch Parameters IE. No authentication beyond the defaultopen mesh peering is required.Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000Fix by adding a NULL check for mesh_chansw_params_ie aftermesh_matches_local() returns, consistent with how other optional IEsare guarded throughout the mesh code.The bug has been present since v3.13 (released 2014-01-19).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23395 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQCurrently the code attempts to accept requests regardless of thecommand identifier which may cause multiple requests to be markedas pending (FLAG_DEFER_SETUP) which can cause more thanL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defercausing an overflow.The spec is quite clear that the same identifier shall not be used onsubsequent requests:'Within each signaling channel a different Identifier shall be usedfor each successive request or indication.'https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355dSo this attempts to check if there are any channels pending with thesame identifier and rejects if any are found.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23396 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: fix NULL deref in mesh_matches_local()mesh_matches_local() unconditionally dereferences ie->mesh_config tocompare mesh configuration parameters. When called frommesh_rx_csa_frame(), the parsed action-frame elements may not contain aMesh Configuration IE, leaving ie->mesh_config NULL and triggering akernel NULL pointer dereference.The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, toomesh_rx_csa_frame() is the only caller that passes raw parsed elementsto mesh_matches_local() without guarding mesh_config. An adjacentattacker can exploit this by sending a crafted CSA action frame thatincludes a valid Mesh ID IE but omits the Mesh Configuration IE,crashing the kernel.The captured crash log:Oops: general protection fault, probably for non-canonical address ...KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]Workqueue: events_unbound cfg80211_wiphy_work[...]Call Trace: ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) This patch adds a NULL check for ie->mesh_config at the top ofmesh_matches_local() to return false early when the Mesh ConfigurationIE is absent.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23401 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTEWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping theexisting SPTE (if it's shadow-present). While commit a54aa15c6bda3 wasright about it being impossible to convert a shadow-present SPTE to anMMIO SPTE due to a _guest_ write, it failed to account for writes to guestmemory that are outside the scope of KVM.E.g. if host userspace modifies a shadowed gPTE to switch from a memslotto emulted MMIO and then the guest hits a relevant page fault, KVM willinstall the MMIO SPTE without first zapping the shadow-present SPTE. ------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f ---[ end trace 0000000000000000 ]---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23442 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: add NULL checks for idev in SRv6 paths__in6_dev_get() can return NULL when the device has no IPv6 configuration(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).Add NULL checks for idev returned by __in6_dev_get() in bothseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULLpointer dereferences.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-24401 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.12.1).

CVE-2026-25210 Severity: Moderate CVSS3 score: 6.5

Description: In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-28387 Severity: Moderate CVSS3 score: 6.5

Description: Issue summary: An uncommon configuration of clients performing DANE TLSA-basedserver authentication, when paired with uncommon server DANE TLSA records, mayresult in a use-after-free and/or double-free on the client side.Impact summary: A use after free can have a range of potential consequencessuch as the corruption of valid data, crashes or execution of arbitrary code.However, the issue only affects clients that make use of TLSA records with boththe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificateusage.By far the most common deployment of DANE is in SMTP MTAs for which RFC7672recommends that clients treat as 'unusable' any TLSA records that have the PKIXcertificate usages. These SMTP (or other similar) clients are not vulnerableto this issue. Conversely, any clients that support only the PKIX usages, andignore the DANE-TA(2) usage are also not vulnerable.The client would also need to be communicating with a server that publishes aTLSA RRset with both types of TLSA records.No FIPS modules are affected by this issue, the problem code is outside theFIPS module boundary.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.26.2 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-31790 Severity: Moderate CVSS3 score: 6.5

Description: Issue summary: Applications using RSASVE key encapsulation to establisha secret encryption key can send contents of an uninitialized memory buffer toa malicious peer.Impact summary: The uninitialized buffer might contain sensitive data from theprevious execution of the application process which leads to sensitive dataleakage to an attacker.RSA_public_encrypt() returns the number of bytes written on success and -1on error. The affected code tests only whether the return value is non-zero.As a result, if RSA encryption fails, encapsulation can still return success tothe caller, set the output lengths, and leave the caller to use the contents ofthe ciphertext buffer as if a valid KEM ciphertext had been produced.If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on anattacker-supplied invalid RSA public key without first validating that key,then this may cause stale or uninitialized contents of the caller-providedciphertext buffer to be disclosed to the attacker in place of the KEMciphertext.As a workaround calling EVP_PKEY_public_check() orEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigatethe issue.The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl3 < 3.1.4-150600.5.45.1 (version in image is 3.1.4-150600.5.42.1).

CVE-2026-3196 Severity: Moderate CVSS3 score: 6.5

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-3497 Severity: Moderate CVSS3 score: 6.5

Description: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-35469 Severity: Moderate CVSS3 score: 6.5

Description: spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes - all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2026-3644 Severity: Moderate CVSS3 score: 6.5

Description: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-40342 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:nvme-fc: use lock accessing port_state and rport statenvme_fc_unregister_remote removes the remote port on a lport object atany point in time when there is no active association. This races withwith the reconnect logic, because nvme_fc_create_association is nottaking a lock to check the port_state and atomically increase theactive count on the rport.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68283 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: replace BUG_ON with bounds check for map->max_osdOSD indexes come from untrusted network packets. Boundary checks areadded to validate these against map->max_osd.[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68800 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:mlxsw: spectrum_mr: Fix use-after-free when updating multicast route statsCited commit added a dedicated mutex (instead of RTNL) to protect themulticast route list, so that it will not change while the driverperiodically traverses it in order to update the kernel about multicastroute stats that were queried from the device.One instance of list entry deletion (during route replace) was missedand it can result in a use-after-free [1].Fix by acquiring the mutex before deleting the entry from the list andreleasing it afterwards.[1]BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]Call Trace: dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71081 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: stm32: sai: fix OF node leak on probeThe reference taken to the sync provider OF node when probing theplatform device is currently only dropped if the set_sync() callbackfails during DAI probe.Make sure to drop the reference on platform probe failures (e.g. probedeferral) and on driver unbind.This also avoids a potential use-after-free in case the DAI is everreprobed without first rebinding the platform driver.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23245 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_gate: snapshot parameters with RCU on replaceThe gate action can be replaced while the hrtimer callback or dump path iswalking the schedule list.Convert the parameters to an RCU-protected snapshot and swap updates undertcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omitsthe entry list, preserve the existing schedule so the effective state isunchanged.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23284 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()Reset eBPF program pointer to old_prog and do not decrease its ref-countif mtk_open routine in mtk_xdp_setup() fails.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23319 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shimThe root cause of this bug is that when 'bpf_link_put' reduces therefcount of 'shim_link->link.link' to zero, the resource is consideredreleased but may still be referenced via 'tr->progs_hlist' in'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in'bpf_shim_tramp_link_release' is deferred. During this window, anotherprocess can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.Based on Martin KaFai Lau's suggestions, I have created a simple patch.To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:static void bpf_shim_tramp_link_release(struct bpf_link *link){ /* ... */ if (!shim_link->trampoline) return;+ msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline);}Before the patch, running a PoC easily reproduced the crash(almost 100%)with a call trace similar to KaiyanM's report.After the patch, the bug no longer occurs even after millions ofiterations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23340 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscsWhen shrinking the number of real tx queues,netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flushqdiscs for queues which will no longer be used.qdisc_reset_all_tx_gt() currently serializes qdisc_reset() withqdisc_lock(). However, for lockless qdiscs, the dequeue path isserialized by qdisc_run_begin/end() using qdisc->seqlock instead, soqdisc_reset() can run concurrently with __qdisc_run() and free skbswhile they are still being dequeued, leading to UAF.This can easily be reproduced on e.g. virtio-net by imposing heavytraffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 doneWith KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ...Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path bytaking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching theserialization model already used by dev_reset_queue().Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc statereflects an empty queue, avoiding needless re-scheduling.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23410 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix race on rawdata dereferenceThere is a race condition that leads to a use-after-free situation:because the rawdata inodes are not refcounted, an attacker can startopen()ing one of the rawdata files, and at the same time remove thelast reference to this rawdata (by removing the corresponding profile,for example), which frees its struct aa_loaddata; as a result, whenseq_rawdata_open() is reached, i_private is a dangling pointer andfreed memory is accessed.The rawdata inodes weren't refcounted to avoid a circular refcount andwere supposed to be held by the profile rawdata reference. Howeverduring profile removal there is a window where the vfs and profiledestruction race, resulting in the use after free.Fix this by moving to a double refcount scheme. Where the profilerefcount on rawdata is used to break the circular dependency. Allowingfor freeing of the rawdata once all inode references to the rawdataare put.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23411 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix race between freeing data and fs accessing itAppArmor was putting the reference to i_private data on its end afterremoving the original entry from the file system. However the inodecan aand does live beyond that point and it is possible that some ofthe fs call back functions will be invoked after the reference hasbeen put, which results in a race between freeing the data andaccessing it through the fs.While the rawdata/loaddata is the most likely candidate to fail therace, as it has the fewest references. If properly crafted it might bepossible to trigger a race for the other types stored in i_private.Fix this by moving the put of i_private referenced data to the correctplace which is during inode eviction.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23413 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:clsact: Fix use-after-free in init/destroy rollback asymmetryFix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.The latter is achieved by first fully initializing a clsact instance, andthen in a second step having a replacement failure for the new clsact qdiscinstance. clsact_init() initializes ingress first and then takes care of theegress part. This can fail midway, for example, via tcf_block_get_ext(). Uponfailure, the kernel will trigger the clsact_destroy() callback.Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details theway how the transition is happening. If tcf_block_get_ext on the q->ingress_blockends up failing, we took the tcx_miniq_inc reference count on the ingressside, but not yet on the egress side. clsact_destroy() tests whether the{ingress,egress}_entry was non-NULL. However, even in midway failure on thereplacement, both are in fact non-NULL with a valid egress_entry from theprevious clsact instance.What we really need to test for is whether the qdisc instance-specific ingressor egress side previously got initialized. This adds a small helper for checkingthe miniq initialization called mini_qdisc_pair_inited, and utilizes that uponclsact_destroy() in order to fix the use-after-free scenario. Convert theingress_destroy() side as well so both are consistent to each other.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23454 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardownA potential race condition exists in mana_hwc_destroy_channel() wherehwc->caller_ctx is freed before the HWC's Completion Queue (CQ) andEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupthandler to dereference freed memory, leading to a use-after-free orNULL pointer dereference in mana_hwc_handle_resp().mana_smc_teardown_hwc() signals the hardware to stop but does notsynchronize against IRQ handlers already executing on other CPUs. TheIRQ synchronization only happens in mana_hwc_destroy_cq() viamana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runsafter kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()can dereference freed caller_ctx (and rxq->msg_buf) inmana_hwc_handle_resp().Fix this by reordering teardown to reverse-of-creation order: destroythe TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. Thisensures all in-flight interrupt handlers complete before the memory theyaccess is freed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31419 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: bonding: fix use-after-free in bond_xmit_broadcast()bond_xmit_broadcast() reuses the original skb for the last slave(determined by bond_is_last_slave()) and clones it for others.Concurrent slave enslave/release can mutate the slave list duringRCU-protected iteration, changing which slave is "last" mid-loop.This causes the original skb to be double-consumed (double-freed).Replace the racy bond_is_last_slave() check with a simple indexcomparison (i + 1 == slaves_count) against the pre-snapshot slavecount taken via READ_ONCE() before the loop. This preserves thezero-copy optimization for the last slave while making the "last"determination stable against concurrent list mutations.The UAF can trigger the following crash:==================================================================BUG: KASAN: slab-use-after-free in skb_cloneRead of size 8 at addr ffff888100ef8d40 by task exploit/147CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZYCall Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147:Freed by task 147:The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb==================================================================

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31493 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/efa: Fix use of completion ctx after freeOn admin queue completion handling, if the admin command completed witherror we print data from the completion context. The issue is that wealready freed the completion context in polling/interrupts handler whichmeans we print data from context in an unknown state (it might bealready used again).Change the admin submission flow so alloc/dealloc of the context will besymmetric and dealloc will be called after any potential use of thecontext.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-40226 Severity: Moderate CVSS3 score: 6.4

Description: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libsystemd0 > 0-0 (version in image is 254.27-150600.4.46.2).

CVE-2026-2781 Severity: Important CVSS3 score: 6.3

Description: Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
mozilla-nss-certs < 3.112.3-150400.3.63.1 (version in image is 3.112.2-150400.3.60.1).

CVE-2024-27414 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing backIn the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checksIFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logicin the function `rtnl_bridge_setlink` to enable the loop to also checkthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustmentremoved the `break` statement and led to an error logic of the flagswriting back at the end of this function.if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!!Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.However, this is not necessarily true fow now as the updated loop will letthe attr point to the last NLA, even an invalid NLA which could causeoverflow writes.This patch introduces a new variable `br_flag` to save the NLA pointerthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentionederror logic.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-42084 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ftruncate: pass a signed offsetThe old ftruncate() syscall, using the 32-bit off_t misses a signextension when called in compat mode on 64-bit architectures. As aresult, passing a negative length accidentally succeeds in truncatingto file size between 2GiB and 4GiB.Changing the type of the compat syscall to the signed compat_off_tchanges the behavior so it instead returns -EINVAL.The native entry point, the truncate() syscall and the correspondingloff_t based variants are all correct already and do not sufferfrom this mistake.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-14017 Severity: Moderate CVSS3 score: 6.3

Description: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,changing TLS options in one thread would inadvertently change them globallyand therefore possibly also affect other concurrently setup transfers.Disabling certificate verification for a specific transfer couldunintentionally disable the feature for other threads as well.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.37.1).

CVE-2025-40099 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: parse_dfs_referrals: prevent oob on malformed inputMalicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS- reply smaller than sizeof(struct get_dfs_referral_rsp)- reply with number of referrals smaller than NumberOfReferrals in theheaderProcessing of such replies will cause oob.Return -EINVAL error on such replies to prevent oob-s.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40158 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: use RCU in ip6_output()Use RCU in ip6_output() in order to use dst_dev_rcu() to preventpossible UAF.We can remove rcu_read_lock()/rcu_read_unlock() pairsfrom ip6_finish_output2().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40170 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: use dst_dev_rcu() in sk_setup_caps()Use RCU to protect accesses to dst->dev from sk_setup_caps()and sk_dst_gso_max_size().Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),and ip_dst_mtu_maybe_forward().ip4_dst_hoplimit() can use dst_dev_net_rcu().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68188 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()Use RCU to avoid a pair of atomic operations and a potentialUAF on dst_dev()->flags.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68255 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsingThe Supported Rates IE length from an incoming Association Request framewas used directly as the memcpy() length when copying into a fixed-size16-byte stack buffer (supportRate). A malicious station can advertise anIE length larger than 16 bytes, causing a stack buffer overflow.Clamp ie_len to the buffer size before copying the Supported Rates IE,and correct the bounds check when merging Extended Supported Rates toprevent a second potential overflow.This prevents kernel stack corruption triggered by malformed associationrequests.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68264 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: refresh inline data size before write operationsThe cached ei->i_inline_size can become stale between the initial sizecheck and when ext4_update_inline_data()/ext4_create_inline_data() useit. Although ext4_get_max_inline_size() reads the correct value at thetime of the check, concurrent xattr operations can modify i_inline_sizebefore ext4_write_lock_xattr() is acquired.This causes ext4_update_inline_data() and ext4_create_inline_data() towork with stale capacity values, leading to a BUG_ON() crash inext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);The race window:1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)2. Size check passes for 50-byte write3. [Another thread adds xattr, i_inline_size changes to 40]4. ext4_write_lock_xattr() acquires lock5. ext4_update_inline_data() uses stale i_inline_size = 606. Attempts to write 50 bytes but only 40 bytes actually available7. BUG_ON() triggersFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()and ext4_create_inline_data() work with current values that are protectedfrom concurrent modifications.This is similar to commit a54c4613dac1 ("ext4: fix race writing to aninline_data file while its xattrs are changing") which fixed i_inline_offstaleness. This patch addresses the related i_inline_size staleness issue.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68794 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:iomap: adjust read range correctly for non-block-aligned positionsiomap_adjust_read_range() assumes that the position and length passed inare block-aligned. This is not always the case however, as shown in thesyzbot generated case for erofs. This causes too many bytes to beskipped for uptodate blocks, which results in returning the incorrectposition and length to read in. If all the blocks are uptodate, thisunderflows length and returns a position beyond the folio.Fix the calculation to also take into account the block offset whencalculating how many bytes can be skipped for uptodate blocks.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71116 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: make decode_pool() more resilient against corrupted osdmapsIf the osdmap is (maliciously) corrupted such that the encoded lengthof ceph_pg_pool envelope is less than what is expected for a particularencoding version, out-of-bounds reads may ensue because the only boundscheck that is there is based on that length value.This patch adds explicit bounds checks for each field that is decodedor skipped.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71152 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: dsa: properly keep track of conduit referenceProblem description-------------------DSA has a mumbo-jumbo of reference handling of the conduit net deviceand its kobject which, sadly, is just wrong and doesn't make sense.There are two distinct problems.1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch:(unbind the conduit driver for net device eno2)echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbindwe see these lines in the output diff which appear only with the patchapplied:kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()).Actually we actually use that netdev tracker mechanism implicitly onuser ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces withthe DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link().But time still passes at DSA switch probe time between the initialof_find_net_device_by_node() code and the user port creation time, timeduring which the conduit could unregister itself and DSA wouldn't knowabout it.So we have to run of_find_net_device_by_node() under rtnl_lock() toprevent that from happening, and release the lock only with the netdevtracker having acquired the reference.Do we need to keep the reference until dsa_unregister_switch() /dsa_switch_shutdown()?1: Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference.2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed.As for the conduit's kobject for the /sys/class/net/ entry, we don'tcare about it, we can release it as soon as we hold the net deviceobject itself.History and blame attribution-----------------------------The code has been refactored so many times, it is very difficult tofollow and properly attribute a blame, but I'll try to make a shorthistory which I hope to be correct.We have two distinct probing paths:- one for OF, introduced in 2016 i---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23078 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: scarlett2: Fix buffer overflow in config retrievalThe scarlett2_usb_get_config() function has a logic error in theendianness conversion code that can cause buffer overflows whencount > 1.The code checks `if (size == 2)` where `size` is the total buffer size inbytes, then loops `count` times treating each element as u16 (2 bytes).This causes the loop to access `count * 2` bytes when the buffer onlyhas `size` bytes allocated.Fix by checking the element size (config_item->size) instead of thetotal buffer size. This ensures the endianness conversion matches theactual element type.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23262 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:gve: Fix stats report corruption on queue count changeThe driver and the NIC share a region in memory for stats reporting.The NIC calculates its offset into this region based on the total sizeof the stats region and the size of the NIC's stats.When the number of queues is changed, the driver's stats region isresized. If the queue count is increased, the NIC can write pastthe end of the allocated stats region, causing memory corruption.If the queue count is decreased, there is a gap between the driverand NIC stats, leading to incorrect stats reporting.This change fixes the issue by allocating stats region with maximumsize, and the offset calculation for NIC stats is changed to matchwith the calculation of the NIC.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23281 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: libertas: fix use-after-free in lbs_free_adapter()The lbs_free_adapter() function uses timer_delete() (non-synchronous)for both command_timer and tx_lockup_timer before the structure isfreed. This is incorrect because timer_delete() does not wait forany running timer callback to complete.If a timer callback is executing when lbs_free_adapter() is called,the callback will access freed memory since lbs_cfg_free() frees thecontaining structure immediately after lbs_free_adapter() returns.Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,which would all be use-after-free violations.Use timer_delete_sync() instead to ensure any running timer callbackhas completed before returning.This bug was introduced in commit 8f641d93c38a ("libertas: detect TXlockups and reset hardware") where del_timer() was used instead ofdel_timer_sync() in the cleanup path. The command_timer has had thesame issue since the driver was first written.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23356 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()Even though we check that we "should" be able to do lc_get_cumulative()while holding the device->al_lock spinlock, it may still fail,if some other code path decided to do lc_try_lock() with bad timing.If that happened, we logged "LOGIC BUG for enr=...",but still did not return an error.The rest of the code now assumed that this request has referencesfor the relevant activity log extents.The implcations are that during an active resync, mutual exclusivity ofresync versus application IO is not guaranteed. And a potential crashat this point may not realizs that these extents could have been targetof in-flight IO and would need to be resynced just in case.Also, once the request completes, it will give up activity log references itdoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().Fix:Do not crash the kernel for a condition that is harmless during normaloperation: also catch "e->refcnt == 0", not only "e == NULL"when being noisy about "al_complete_io() called on inactive extent %u\n".And do not try to be smart and "guess" whether something will work, thenbe surprised when it does not.Deal with the fact that it may or may not work. If it does not, remember apossible "partially in activity log" state (only possible for requests thatcross extent boundaries), and return an error code fromdrbd_al_begin_io_nonblock().A latter call for the same request will then resume from where we left off.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23367 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: radiotap: reject radiotap with unknown bitsThe radiotap parser is currently only used with the radiotapnamespace (not with vendor namespaces), but if the undefinedfield 18 is used, the alignment/size is unknown as well. Inthis case, iterator->_next_ns_data isn't initialized (it'sonly set for skipping vendor namespaces), and syzbot pointsout that we later compare against this uninitialized value.Fix this by moving the rejection of unknown radiotap fieldsdown to after the in-namespace lookup, so it will really useiterator->_next_ns_data only for vendor namespaces, even incase undefined fields are present.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23378 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_ife: Fix metalist update behaviorWhenever an ife action replace changes the metalist, instead ofreplacing the old data on the metalist, the current ife code is appendingthe new metadata. Aside from being innapropriate behavior, this may leadto an unbounded addition of metadata to the metalist which might cause anout of bounds error when running the encode op:[ 138.423369][ C1] ==================================================================[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011[ 138.425800][ C1] Call Trace:[ 138.425804][ C1] [ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)To solve this issue, fix the replace behavior by adding the metalist tothe ife rcu data structure.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23388 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:Squashfs: check metadata block offset is within rangeSyzkaller reports a "general protection fault in squashfs_copy_data"This is ultimately caused by a corrupted index look-up table, whichproduces a negative metadata block offset.This is subsequently passed to squashfs_copy_data (viasquashfs_read_metadata) where the negative offset causes an out of boundsaccess.The fix is to check that the offset is within range insquashfs_read_metadata. This will trap this and other cases.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23409 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix differential encoding verificationDifferential encoding allows loops to be created if it is abused. Toprevent this the unpack should verify that a diff-encode chainterminates.Unfortunately the differential encode verification had two bugs.1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified.2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state.Move to a double mark scheme where already verified states get adifferent mark, than the current chain being kept. This enables usto also drop the backwards verification check that was the cause ofthe second error as any already verified state is already marked.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23455 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()In DecodeQ931(), the UserUserIE code path reads a 16-bit length fromthe packet, then decrements it by 1 to skip the protocol discriminatorbyte before passing it to DecodeH323_UserInformation(). If the encodedlength is 0, the decrement wraps to -1, which is then passed as alarge value to the decoder, leading to an out-of-bounds read.Add a check to ensure len is positive after the decrement.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-41989 Severity: Moderate CVSS3 score: 6.3

Description: Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
grub2 > 0-0 (version in image is 2.12-150600.8.44.2).

CVE-2023-54169 Severity: Moderate CVSS3 score: 6.2

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: fix memory leak in mlx5e_ptp_openWhen kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memorypointed by "c" or "cparams" is not freed, which can lead to a memoryleak. Fix by freeing the array in the error path.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-12464 Severity: Moderate CVSS3 score: 6.2

Description: A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2025-68160 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Writing large, newline-free data into a BIO chain using theline-buffering filter where the next BIO performs short writes can triggera heap-based out-of-bounds write.Impact summary: This out-of-bounds write can cause memory corruption whichtypically results in a crash, leading to Denial of Service for an application.The line-buffering BIO filter (BIO_f_linebuffer) is not used by default inTLS/SSL data paths. In OpenSSL command-line applications, it is typicallyonly pushed onto stdout/stderr on VMS systems. Third-party applications thatexplicitly use this filter with a BIO chain that can short-write and thatwrite large, newline-free data influenced by an attacker would be affected.However, the circumstances where this could happen are unlikely to be underattacker control, and BIO_f_linebuffer is unlikely to be handling non-curateddata controlled by an attacker. For that reason the issue was assessed asLow severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the BIO implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2025-69419 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Calling PKCS12_get_friendlyname() function on a maliciouslycrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containingnon-ASCII BMP code point can trigger a one byte write before the allocatedbuffer.Impact summary: The out-of-bounds write can cause a memory corruptionwhich can have various consequences including a Denial of Service.The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16source byte count as the destination buffer capacity to UTF8_putc(). For BMPcode points above U+07FF, UTF-8 requires three bytes, but the forwardedcapacity can be just two bytes. UTF8_putc() then returns -1, and this negativevalue is added to the output length without validation, causing thelength to become negative. The subsequent trailing NUL byte is then writtenat a negative offset, causing write outside of heap allocated buffer.The vulnerability is reachable via the public PKCS12_get_friendlyname() APIwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses adifferent code path that avoids this issue, PKCS12_get_friendlyname() directlyinvokes the vulnerable function. Exploitation requires an attacker to providea malicious PKCS#12 file to be parsed by the application and the attackercan just trigger a one zero byte write before the allocated buffer.For that reason the issue was assessed as Low severity according to ourSecurity Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2025-69421 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointerdereference in the PKCS12_item_decrypt_d2i_ex() function.Impact summary: A NULL pointer dereference can trigger a crash which leads toDenial of Service for an application processing PKCS#12 files.The PKCS12_item_decrypt_d2i_ex() function does not check whether the octparameter is NULL before dereferencing it. When called fromPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter canbe NULL, causing a crash. The vulnerability is limited to Denial of Serviceand cannot be escalated to achieve code execution or memory disclosure.Exploiting this issue requires an attacker to provide a malformed PKCS#12 fileto an application that processes it. For that reason the issue was assessed asLow severity according to our Security Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-22795 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: An invalid or NULL pointer dereference can happen inan application processing a malformed PKCS#12 file.Impact summary: An application processing a malformed PKCS#12 file can becaused to dereference an invalid or NULL pointer on memory read, resultingin a Denial of Service.A type confusion vulnerability exists in PKCS#12 parsing code wherean ASN1_TYPE union member is accessed without first validating the type,causing an invalid pointer read.The location is constrained to a 1-byte address space, meaning anyattempted pointer manipulation can only target addresses between 0x00 and 0xFF.This range corresponds to the zero page, which is unmapped on most modernoperating systems and will reliably result in a crash, leading only to aDenial of Service. Exploiting this issue also requires a user or applicationto process a maliciously crafted PKCS#12 file. It is uncommon to acceptuntrusted PKCS#12 files in applications as they are usually used to storeprivate keys which are trusted by definition. For these reasons, the issuewas assessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2024-36017 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validationEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be astruct ifla_vf_vlan_info so the size of such attribute needs to be at leastof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)which is less than sizeof(struct ifla_vf_vlan_info) so this validationis not enough and a too small attribute might be cast to astruct ifla_vf_vlan_info, this might result in an out of bandsread access when accessing the saved (casted) entry in ivvl.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-37354 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix crash on racing fsync and size-extending write into preallocWe have been seeing crashes on duplicate keys inbtrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]With the following stack trace: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c:212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)So we're logging a changed extent from fsync, which is splitting anextent in the log tree. But this split part already exists in the tree,triggering the BUG().This is the state of the log tree at the time of the crash, dumped withdrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)to get more details than btrfs_print_leaf() gives us: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 leaf 33439744 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 7 transid 9 size 8192 nbytes 8473563889606862198 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 204 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-22 15:41:44) otime 17592186044416.000000000 (559444-03-08 01:40:16) item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 index 195 namelen 3 name: 193 item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 4096 ram 12288 extent compression 0 (none) item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 4096 nr 8192 item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 ...So the real problem happened earlier: notice that items 4 (4k-12k) and 5(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size anditem 5 starts at i_size.Here is the state of ---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38542 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/mana_ib: boundary check before installing cq callbacksAdd a boundary check inside mana_ib_install_cq_cb to prevent index overflow.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38568 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:drivers/perf: hisi: hns3: Fix out-of-bound access when valid event groupThe perf tool allows users to create event groups through followingcmd [1], but the driver does not check whether the array index is outof bounds when writing data to the event_group array. If the number ofevents in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, thememory write overflow of event_group array occurs.Add array index check to fix the possible array out of bounds violation,and return directly when write new events are written to array bounds.There are 9 different events in an event_group.[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38569 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:drivers/perf: hisi_pcie: Fix out-of-bound access when valid event groupThe perf tool allows users to create event groups through followingcmd [1], but the driver does not check whether the array index is out ofbounds when writing data to the event_group array. If the number of eventsin an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory writeoverflow of event_group array occurs.Add array index check to fix the possible array out of bounds violation,and return directly when write new events are written to array bounds.There are 9 different events in an event_group.[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38594 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: stmmac: move the EST lock to struct stmmac_privReinitialize the whole EST structure would also reset the mutexlock which is embedded in the EST structure, and then triggerthe following warning. To address this, move the lock to structstmmac_priv. We also need to reacquire the mutex lock when doingthis initialization.DEBUG_LOCKS_WARN_ON(lock->magic != lock)WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 Modules linked in: CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0xd84/0x1068 lr : __mutex_lock+0xd84/0x1068 sp : ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-14104 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Packages affected:

sle-module-server-applications-release == 15.6 (version in image is 15.6-150600.37.2).
util-linux > 0-0 (version in image is 2.39.3-150600.4.15.1).

CVE-2025-38243 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix invalid inode pointer dereferences during log replayIn a few places where we call read_one_inode(), if we get a NULL pointerwe end up jumping into an error path, or fallthrough in case of__add_inode_ref(), where we then do something like this: iput(&inode->vfs_inode);which results in an invalid inode pointer that triggers an invalid memoryaccess, resulting in a crash.Fix this by making sure we don't do such dereferences.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39716 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:parisc: Revise __get_user() to probe user read accessBecause of the way read access support is implemented, read accessinterruptions are only triggered at privilege levels 2 and 3. Thekernel executes at privilege level 0, so __get_user() never triggersa read access interruption (code 26). Thus, it is currently possiblefor user code to access a read protected address via a system call.Fix this by probing read access rights at privilege level 3 (PRIV_USER)and setting __gu_err to -EFAULT (-14) if access isn't allowed.Note the cmpiclr instruction does a 32-bit compare because COND macrodoesn't work inside asm.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39998 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: target_core_configfs: Add length check to avoid buffer overflowA buffer overflow arises from the usage of snprintf to write into thebuffer "buf" in target_lu_gp_members_show function located in/drivers/target/target_core_configfs.c. This buffer is allocated withsize LU_GROUP_NAME_BUF (256 bytes).snprintf(...) formats multiple strings into buf with the HBA name(hba->hba_group.cg_item), a slash character, a devicename (dev->dev_group.cg_item) and a newline character, the total formatted stringlength may exceed the buffer size of 256 bytes.Since snprintf() returns the total number of bytes that would have beenwritten (the length of %s/%sn ), this value may exceed the buffer length(256 bytes) passed to memcpy(), this will ultimately cause functionmemcpy reporting a buffer overflow error.An additional check of the return value of snprintf() can avoid thisbuffer overflow.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40135 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: use RCU in ip6_xmit()Use RCU in ip6_xmit() in order to use dst_dev_rcu() to preventpossible UAF.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40190 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: guard against EA inode refcount underflow in xattr updatesyzkaller found a path where ext4_xattr_inode_update_ref() reads an EAinode refcount that is already <= 0 and then applies ref_change (often-1). That lets the refcount underflow and we proceed with a bogus value,triggering errors like: EXT4-fs error: EA inode ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117Make the invariant explicit: if the current refcount is non-positive,treat this as on-disk corruption, emit ext4_error_inode(), and fail theoperation with -EFSCORRUPTED instead of updating the refcount. Delete theWARN_ONCE() as negative refcounts are now impossible; keep error reportingin ext4_error_inode().This prevents the underflow and the follow-on orphan/cleanup churn.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40213 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_completeThere is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due tomemcpy from badly declared on-stack flexible array.Another crash is in set_mesh_complete() due to double list_del viamgmt_pending_valid + mgmt_pending_remove.Use DEFINE_FLEX to declare the flexible array right, and don't memcpyoutside bounds.As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,and also report status on error.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40220 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:fuse: fix livelock in synchronous file put from fuseblk workersI observed a hang when running generic/323 against a fuseblk server.This test opens a file, initiates a lot of AIO writes to that filedescriptor, and closes the file descriptor before the writes complete.Unsurprisingly, the AIO exerciser threads are mostly stuck waiting forresponses from the fuseblk server:# cat /proc/372265/task/372313/stack[<0>] request_wait_answer+0x1fe/0x2a0 [fuse][<0>] __fuse_simple_request+0xd3/0x2b0 [fuse][<0>] fuse_do_getattr+0xfc/0x1f0 [fuse][<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse][<0>] aio_read+0x130/0x1e0[<0>] io_submit_one+0x542/0x860[<0>] __x64_sys_io_submit+0x98/0x1a0[<0>] do_syscall_64+0x37/0xf0[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53But the /weird/ part is that the fuseblk server threads are waiting forresponses from itself:# cat /proc/372210/task/372232/stack[<0>] request_wait_answer+0x1fe/0x2a0 [fuse][<0>] __fuse_simple_request+0xd3/0x2b0 [fuse][<0>] fuse_file_put+0x9a/0xd0 [fuse][<0>] fuse_release+0x36/0x50 [fuse][<0>] __fput+0xec/0x2b0[<0>] task_work_run+0x55/0x90[<0>] syscall_exit_to_user_mode+0xe9/0x100[<0>] do_syscall_64+0x43/0xf0[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53The fuseblk server is fuse2fs so there's nothing all that exciting inthe server itself. So why is the fuse server calling fuse_file_put?The commit message for the fstest sheds some light on that:"By closing the file descriptor before calling io_destroy, you prettymuch guarantee that the last put on the ioctx will be done in interruptcontext (during I/O completion).Aha. AIO fgets a new struct file from the fd when it queues the ioctx.The completion of the FUSE_WRITE command from userspace causes the fuseserver to call the AIO completion function. The completion puts thestruct file, queuing a delayed fput to the fuse server task. When thefuse server task returns to userspace, it has to run the delayed fput,which in the case of a fuseblk server, it does synchronously.Sending the FUSE_RELEASE command sychronously from fuse server threadsis a bad idea because a client program can initiate enough simultaneousAIOs such that all the fuse server threads end up in delayed_fput, andnow there aren't any threads left to handle the queued fuse commands.Fix this by only using asynchronous fputs when closing files, and leavea comment explaining why.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-0665 Severity: Moderate CVSS3 score: 6.1

Description: An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-22978 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: avoid kernel-infoleak from struct iw_pointstruct iw_point has a 32bit hole on 64bit arches.struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */};Make sure to zero the structure to avoid disclosing 32bits of kernel datato user space.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23010 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: Fix use-after-free in inet6_addr_del().syzbot reported use-after-free of inet6_ifaddr ininet6_addr_del(). [0]The cited commit accidentally moved ipv6_del_addr() formngtmpaddr before reading its ifp->flags for temporaryaddresses in inet6_addr_del().Let's move ipv6_del_addr() down to fix the UAF.[0]:BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f164cf8f749Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fFreed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23112 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovecnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDUlength or offset exceeds sg_cnt and then use bogus sg->length/offsetvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remainingentries, and sg->length/offset before building the bvec.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23269 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: validate DFA start states are in bounds in unpack_pdbStart states are read from untrusted data and used as indexes into theDFA state tables. The aa_dfa_next() function call in unpack_pdb() willaccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceedsthe number of states in the DFA, this results in an out-of-bound read.================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ...Reject policies with out-of-bounds start states during unpackingto prevent the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23406 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix side-effect bug in match_char() macro usageThe match_char() macro evaluates its character parameter multipletimes when traversing differential encoding chains. When invokedwith *str++, the string pointer advances on each iteration of theinner do-while loop, causing the DFA to check different charactersat each iteration and therefore skip input characters.This results in out-of-bounds reads when the pointer advances pastthe input buffer boundary.[ 94.984676] ==================================================================[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 94.986329] Call Trace:[ 94.986341] [ 94.986347] dump_stack_lvl+0x5e/0x80[ 94.986374] print_report+0xc8/0x270[ 94.986384] ? aa_dfa_match+0x5ae/0x760[ 94.986388] kasan_report+0x118/0x150[ 94.986401] ? aa_dfa_match+0x5ae/0x760[ 94.986405] aa_dfa_match+0x5ae/0x760[ 94.986408] __aa_path_perm+0x131/0x400[ 94.986418] aa_path_perm+0x219/0x2f0[ 94.986424] apparmor_file_open+0x345/0x570[ 94.986431] security_file_open+0x5c/0x140[ 94.986442] do_dentry_open+0x2f6/0x1120[ 94.986450] vfs_open+0x38/0x2b0[ 94.986453] ? may_open+0x1e2/0x2b0[ 94.986466] path_openat+0x231b/0x2b30[ 94.986469] ? __x64_sys_openat+0xf8/0x130[ 94.986477] do_file_open+0x19d/0x360[ 94.986487] do_sys_openat2+0x98/0x100[ 94.986491] __x64_sys_openat+0xf8/0x130[ 94.986499] do_syscall_64+0x8e/0x660[ 94.986515] ? count_memcg_events+0x15f/0x3c0[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0[ 94.986551] ? vma_start_read+0xf0/0x320[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5[ 94.986588] ? irqentry_exit+0x3c/0x590[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e[ 94.986597] RIP: 0033:0x7fda4a79c3eaFix by extracting the character value before invoking match_char,ensuring single evaluation per outer loop.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23407 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix missing bounds check on DEFAULT table in verify_dfa()The verify_dfa() function only checks DEFAULT_TABLE bounds when the stateis not differentially encoded.When the verification loop traverses the differential encoding chain,it reads k = DEFAULT_TABLE[j] and uses k as an array index withoutvalidation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,therefore, causes both out-of-bounds reads and writes.[ 57.179855] ==================================================================[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 57.181563] Call Trace:[ 57.181572] [ 57.181577] dump_stack_lvl+0x5e/0x80[ 57.181596] print_report+0xc8/0x270[ 57.181605] ? verify_dfa+0x59a/0x660[ 57.181608] kasan_report+0x118/0x150[ 57.181620] ? verify_dfa+0x59a/0x660[ 57.181623] verify_dfa+0x59a/0x660[ 57.181627] aa_dfa_unpack+0x1610/0x1740[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470[ 57.181640] unpack_pdb+0x86d/0x46b0[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300[ 57.181659] aa_unpack+0x20b0/0x4c30[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5[ 57.181664] ? stack_depot_save_flags+0x33/0x700[ 57.181681] ? kasan_save_track+0x4f/0x80[ 57.181683] ? kasan_save_track+0x3e/0x80[ 57.181686] ? __kasan_kmalloc+0x93/0xb0[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130[ 57.181697] ? policy_update+0x154/0x330[ 57.181704] aa_replace_profiles+0x15a/0x1dd0[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780[ 57.181712] ? aa_loaddata_alloc+0x77/0x140[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5[ 57.181717] ? _copy_from_user+0x2a/0x70[ 57.181730] policy_update+0x17a/0x330[ 57.181733] profile_replace+0x153/0x1a0[ 57.181735] ? rw_verify_area+0x93/0x2d0[ 57.181740] vfs_write+0x235/0xab0[ 57.181745] ksys_write+0xb0/0x170[ 57.181748] do_syscall_64+0x8e/0x660[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e[ 57.181765] RIP: 0033:0x7f6192792eb2Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLEentries unconditionally.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23408 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: Fix double free of ns_name in aa_replace_profiles()if ns_name is NULL after1071 error = aa_unpack(udata, &lh, &ns_name);and if ent->ns_name contains an ns_name in1089 } else if (ent->ns_name) {then ns_name is assigned the ent->ns_name1095 ns_name = ent->ns_name;however ent->ns_name is freed at1262 aa_load_ent_free(ent);and then again when freeing ns_name at1270 kfree(ns_name);Fix this by NULLing out ent->ns_name after it is transferred to ns_name")

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23434 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:mtd: rawnand: serialize lock/unlock against other NAND operationsnand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_areawithout holding the NAND device lock. On controllers that implementSET_FEATURES via multiple low-level PIO commands, these can race withconcurrent UBI/UBIFS background erase/write operations that hold thedevice lock, resulting in cmd_pending conflicts on the NAND controller.Add nand_get_device()/nand_release_device() around the lock/unlockoperations to serialize them against all other NAND controller access.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23447 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds checkThe same bounds-check bug fixed for NDP16 in the previous patch alsoexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validatedagainst the total skb length without accounting for ndpoffset, allowingout-of-bounds reads when the NDP32 is placed near the end of the NTB.Add ndpoffset to the nframes bounds check and use struct_size_t() toexpress the NDP-plus-DPE-array size more clearly.Compile-tested only.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23448 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds checkcdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPEentries fit within the skb. The first check correctly accounts forndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len)but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len)This validates the DPE array size against the total skb length as ifthe NDP were at offset 0, rather than at ndpoffset. When the NDP isplaced near the end of the NTB (large wNdpIndex), the DPE entries canextend past the skb data buffer even though the check passes.cdc_ncm_rx_fixup() then reads out-of-bounds memory when iteratingthe DPE array.Add ndpoffset to the nframes bounds check and use struct_size_t() toexpress the NDP-plus-DPE-array size more clearly.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23465 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: log new dentries when logging parent dir of a conflicting inodeIf we log the parent directory of a conflicting inode, we are not loggingthe new dentries of the directory, so when we finish we have the parentdirectory's inode marked as logged but we did not log its new dentries.As a consequence if the parent directory is explicitly fsynced later andit does not have any new changes since we logged it, the fsync is a no-opand after a power failure the new dentries are missing.Example scenario: $ mkdir foo $ sync $rmdir foo $ mkdir dir1 $ mkdir dir2 # A file with the same name and parent as the directory we just deleted # and was persisted in a past transaction. So the deleted directory's # inode is a conflicting inode of this new file's inode. $ touch foo $ ln foo dir2/link # The fsync on dir2 will log the parent directory (".") because the # conflicting inode (deleted directory) does not exists anymore, but it # it does not log its new dentries (dir1). $ xfs_io -c "fsync" dir2 # This fsync on the parent directory is no-op, since the previous fsync # logged it (but without logging its new dentries). $ xfs_io -c "fsync" . # After log replay dir1 is missing.Fix this by ensuring we log new dir dentries whenever we log the parentdirectory of a no longer existing conflicting inode.A test case for fstests will follow soon.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31392 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix krb5 mount with username optionCustomer reported that some of their krb5 mounts were failing againsta single server as the client was trying to mount the shares withwrong credentials. It turned out the client was reusing SMB sessionfrom first mount to try mounting the other shares, even though adifferent username= option had been specified to the other mounts.By using username mount option along with sec=krb5 to search forprincipals from keytab is supported by cifs.upcall(8) sincecifs-utils-4.8. So fix this by matching username mount option inmatch_session() even with Kerberos.For example, the second mount below should fail with -ENOKEY as thereis no 'foobar' principal in keytab (/etc/krb5.keytab). The clientends up reusing SMB session from first mount to perform the secondone, which is wrong.```$ ktutilktutil: add_entry -password -p testuser -k 1 -e aes256-ctsPassword for testuser@ZELDA.TEST:ktutil: write_kt /etc/krb5.keytabktutil: quit$ klist -keKeytab name: FILE:/etc/krb5.keytabKVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar$ mount -t cifs | grep -Po 'username=\K\w+'testusertestuser```

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31396 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: fix use-after-free access to PTP clockPTP clock is registered on every opening of the interface and destroyed onevery closing. However it may be accessed via get_ts_info ethtool callwhich is possible while the interface is just present in the kernel.BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426Read of size 4 at addr ffff8880194345cc by task syz.0.6/948CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x17f/0x496 mm/kasan/report.c:420 kasan_report+0xd9/0x180 mm/kasan/report.c:524 ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349 macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371 __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558 ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline] __dev_ethtool net/ethtool/ioctl.c:3017 [inline] dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095 dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 sock_ioctl+0x577/0x6d0 net/socket.c:1320 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 457: kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235 gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375 macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920 __dev_open+0x2ce/0x500 net/core/dev.c:1501 __dev_change_flags+0x56a/0x740 net/core/dev.c:8651 dev_change_flags+0x92/0x170 net/core/dev.c:8722 do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833 __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608 rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655 rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150 netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x14b/0x180 net/socket.c:730 __sys_sendto+0x320/0x3b0 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 938: kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook mm/slub.c:1755 [inline] slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xbc/0x320 mm/slub.c:3700 device_release+0xa0/0x240 drivers/base/core.c:2507 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1cd/0x350 lib/kobject.c:729 put_device+0x1b/0x30 drivers/base/core.c:3805 ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391 gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404 macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966 __dev_close_many+0x1b9/0x310 net/core/dev.c:1585 __dev_close net/core/dev.c:1597 [inline] __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649 dev_change_fl---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31430 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:X.509: Fix out-of-bounds access when parsing extensionsLeo reports an out-of-bounds access when parsing a certificate withempty Basic Constraints or Key Usage extension because the first byte ofthe extension is read before checking its length. Fix it.The bug can be triggered by an unprivileged user by submitting aspecially crafted certificate to the kernel through the keyrings(7) API.Leo has demonstrated this with a proof-of-concept program responsiblydisclosed off-list.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3441 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-3442 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-4647 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2022-3872 Severity: Moderate CVSS3 score: 6.0

Description: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2025-40281 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rtosyzbot reported a possible shift-out-of-bounds [1]Blamed commit added rto_alpha_max and rto_beta_max set to 1000.It is unclear if some sctp users are setting very large rto_alphaand/or rto_beta.In order to prevent user regression, perform the test at run time.Also add READ_ONCE() annotations as sysctl values can change under us.[1]UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41shift exponent 64 is too large for 32-bit type 'unsigned int'CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40292 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:virtio-net: fix received length check in big packetsSince commit 4959aebba8c0 ("virtio-net: use mtu size as buffer lengthfor big packets"), when guest gso is off, the allocated size for bigpackets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends onnegotiated MTU. The number of allocated frags for big packets is storedin vi->big_packets_num_skbfrags.Because the host announced buffer length can be malicious (e.g. the hostvhost_net driver's get_rx_bufs is modified to announce incorrectlength), we need a check in virtio_net receive path. Currently, thecheck is not adapted to the new change which can lead to NULL pagepointer dereference in the below while loop when receiving length thatis larger than the allocated one.This commit fixes the received length check corresponding to the newchange.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68208 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: account for current allocated stack depth in widen_imprecise_scalars()The usage pattern for widen_imprecise_scalars() looks as follows: prev_st = find_prev_entry(env, ...); queued_st = push_stack(...); widen_imprecise_scalars(env, prev_st, queued_st);Where prev_st is an ancestor of the queued_st in the explored statestree. This ancestor is not guaranteed to have same allocated stackdepth as queued_st. E.g. in the following case: def main(): for i in 1..2: foo(i) // same callsite, differnt param def foo(i): if i == 1: use 128 bytes of stack iterator based loopHere, for a second 'foo' call prev_st->allocated_stack is 128,while queued_st->allocated_stack is much smaller.widen_imprecise_scalars() needs to take this into account and avoidaccessing bpf_verifier_state->frame[*]->stack out of bounds.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68741 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Fix improper freeing of purex itemIn qla2xxx_process_purls_iocb(), an item is allocated viaqla27xx_copy_multiple_pkt(), which internally callsqla24xx_alloc_purex_item().The qla24xx_alloc_purex_item() function may return a pre-allocated itemfrom a per-adapter pool for small allocations, instead of dynamicallyallocating memory with kzalloc().An error handling path in qla2xxx_process_purls_iocb() incorrectly useskfree() to release the item. If the item was from the pre-allocatedpool, calling kfree() on it is a bug that can lead to memory corruption.Fix this by using the correct deallocation function,qla24xx_free_purex_item(), which properly handles both dynamicallyallocated and pre-allocated items.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23306 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: pm8001: Fix use-after-free in pm8001_queue_command()Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactorspm8001_queue_command(), however it introduces a potential cause of a doublefree scenario when it changes the function to return -ENODEV in case of phydown/device gone state.In this path, pm8001_queue_command() updates task status and callstask_done to indicate to upper layer that the task has been handled.However, this also frees the underlying SAS task. A -ENODEV is thenreturned to the caller. When libsas sas_ata_qc_issue() receives this errorvalue, it assumes the task wasn't handled/queued by LLDD and proceeds toclean up and free the task again, resulting in a double free.Since pm8001_queue_command() handles the SAS task in this case, it shouldreturn 0 to the caller indicating that the task has been handled.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-39881 Severity: Moderate CVSS3 score: 6.0

Description: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2024-11584 Severity: Moderate CVSS3 score: 5.9

Description: cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2025-68768 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:inet: frags: flush pending skbs in fqdir_pre_exit()We have been seeing occasional deadlocks on pernet_ops_rwsem sinceSeptember in NIPA. The stuck task was usually modprobe (often loadinga driver like ipvlan), trying to take the lock as a Writer.lockdep does not track readers for rwsems so the read wasn't obviousfrom the reports.On closer inspection the Reader holding the lock was conntrack loopingforever in nf_conntrack_cleanup_net_list(). Based on past experiencewith occasional NIPA crashes I looked thru the tests which run beforethe crash and noticed that the crash follows ip_defrag.sh. An immediatered flag. Scouring thru (de)fragmentation queues reveals skbs sittingaround, holding conntrack references.The problem is that since conntrack depends on nf_defrag_ipv6,nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first itsnetns exit hooks run _after_ conntrack's netns exit hook.Flush all fragment queue SKBs during fqdir_pre_exit() to releaseconntrack references before conntrack cleanup runs. Also flushthe queues in timer expiry handlers when they discover fqdir->deadis set, in case packet sneaks in while we're running the pre_exitflush.The commit under Fixes is not exactly the culprit, but I thinkpreviously the timer firing would eventually unblock the spinningconntrack.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68770 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:bnxt_en: Fix XDP_TX pathFor XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is notcorrect. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may belooping within NAPI and some event flags may be set in earlieriterations. In particular, if BNXT_TX_EVENT is set earlier indicatingsome XDP_TX packets are ready and pending, it will be cleared if it isXDP_TX action again. Normally, we will set BNXT_TX_EVENT again when wesuccessfully call __bnxt_xmit_xdp(). But if the TX ring has no moreroom, the flag will not be set. This will cause the TX producer to beahead but the driver will not hit the TX doorbell.For multi-buf XDP_TX, there is no need to clear the event flags and setBNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier inbnxt_rx_pkt().The visible symptom of this is that the RX ring associated with theTX XDP ring will eventually become empty and all packets will be dropped.Because this condition will cause the driver to not refill the RX ringseeing that the TX ring has forever pending XDP_TX packets.The fix is to only clear BNXT_RX_EVENT when we have successfullycalled __bnxt_xmit_xdp().

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68775 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:net/handshake: duplicate handshake cancellations leak socketWhen a handshake request is cancelled it is removed from thehandshake_net->hn_requests list, but it is still present in thehandshake_rhashtbl until it is destroyed.If a second cancellation request arrives for the same handshake request,then remove_pending() will return false... and assumingHANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continueprocessing through the out_true label, where we put another reference onthe sock and a refcount underflow occurs.This can happen for example if a handshake times out - particularly ifthe SUNRPC client sends the AUTH_TLS probe to the server but doesn'tfollow it up with the ClientHello due to a problem with tlshd. When thetimeout is hit on the server, the server will send a FIN, which triggersa cancellation request via xs_reset_transport(). When the timeout ishit on the client, another cancellation request happens viaxs_tls_handshake_sync().Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancelpath so duplicate cancels can be detected.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68776 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_stdbut doesn't check if the allocation failed. If __pskb_copy() returnsNULL, skb_clone() is called with a NULL pointer, causing a crash:Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTIKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0cRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1eeR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0Call Trace: hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f0449f8e1ffCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ffRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 Add a NULL check immediately after __pskb_copy() to handle allocationfailures gracefully.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68972 Severity: Moderate CVSS3 score: 5.9

Description: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gpg2 > 0-0 (version in image is 2.4.4-150600.3.12.1).

CVE-2025-71088 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: fallback earlier on simult connectionSyzkaller reports a simult-connect race leading to inconsistent fallbackstatus: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The TCP subflow can process the simult-connect syn-ack packet aftertransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,as the sk_state_change() callback is not invoked for * -> FIN_WAIT1transitions.That will move the msk socket to an inconsistent status and the nextincoming data will hit the reported splat.Close the race moving the simult-fallback check at the earliest possiblestage - that is at syn-ack generation time.About the fixes tags: [2] was supposed to also fix this issue introducedby [3]. [1] is required as a dependence: it was not explicitly marked asa fix, but it is one and it has already been backported before [3]. Inother words, this commit should be backported up to [3], including [2]and [1] if that's not already there.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-0990 Severity: Moderate CVSS3 score: 5.9

Description: A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-23089 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()When snd_usb_create_mixer() fails, snd_usb_mixer_free() freesmixer->id_elems but the controls already added to the card stillreference the freed memory. Later when snd_card_register() runs,the OSS mixer layer calls their callbacks and hits a use-after-free read.Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025Fix by calling snd_ctl_remove() for all mixer controls before freeingid_elems. We save the next pointer first because snd_ctl_remove()frees the current element.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23098 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:netrom: fix double-free in nr_route_frame()In nr_route_frame(), old_skb is immediately freed without checking ifnr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,the caller function will free old_skb again, causing a double-free bug.Therefore, to prevent this, we need to modify it to check whethernr_neigh->ax25 is NULL before freeing old_skb.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23277 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmitteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmitthrough slave devices, but does not update skb->dev to the slave devicebeforehand.When a gretap tunnel is a TEQL slave, the transmit path reachesiptunnel_xmit() which saves dev = skb->dev (still pointing to teql0master) and later calls iptunnel_xmit_stats(dev, pkt_len). Thisfunction does: get_cpu_ptr(dev->tstats)Since teql_master_setup() does not set dev->pcpu_stat_type toNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstatsfor teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computesNULL + __per_cpu_offset[cpu], resulting in a page fault. BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) Call Trace: ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) __gre_xmit (net/ipv4/ip_gre.c:478) gre_tap_xmit (net/ipv4/ip_gre.c:779) teql_master_xmit (net/sched/sch_teql.c:319) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) neigh_direct_output (net/core/neighbour.c:1660) ip_finish_output2 (net/ipv4/ip_output.c:237) __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) ip_mc_output (net/ipv4/ip_output.c:369) ip_send_skb (net/ipv4/ip_output.c:1508) udp_send_skb (net/ipv4/udp.c:1195) udp_sendmsg (net/ipv4/udp.c:1485) inet_sendmsg (net/ipv4/af_inet.c:859) __sys_sendto (net/socket.c:2206)Fix this by setting skb->dev = slave before callingnetdev_start_xmit(), so that tunnel xmit functions see the correctslave device with properly allocated tstats.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23293 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabledWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is neverinitialized because inet6_init() exits before ndisc_init() is calledwhich initializes it. If an IPv6 packet is injected into the interface,route_shortcircuit() is called and a NULL pointer dereference happens onneigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7eFix this by adding an early check on route_shortcircuit() when protocolis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here becauseVXLAN can be built-in even when IPv6 is built as a module.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23398 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:icmp: fix NULL pointer dereference in icmp_tag_validation()icmp_tag_validation() unconditionally dereferences the result ofrcu_dereference(inet_protos[proto]) without checking for NULL.The inet_protos[] array is sparse -- only about 15 of 256 protocolnumbers have registered handlers. When ip_no_pmtu_disc is set to 3(hardened PMTU mode) and the kernel receives an ICMP FragmentationNeeded error with a quoted inner IP header containing an unregisteredprotocol number, the NULL dereference causes a kernel panic insoftirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) Add a NULL check before accessing icmp_strict_tag_validation. If theprotocol has no registered handler, return false since it cannotperform strict tag validation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-28390 Severity: Moderate CVSS3 score: 5.9

Description: Issue summary: During processing of a crafted CMS EnvelopedData messagewith KeyTransportRecipientInfo a NULL pointer dereference can happen.Impact summary: Applications that process attacker-controlled CMS data maycrash before authentication or cryptographic operations occur resulting inDenial of Service.When a CMS EnvelopedData message that uses KeyTransportRecipientInfo withRSA-OAEP encryption is processed, the optional parameters field ofRSA-OAEP SourceFunc algorithm identifier is examined without checkingfor its presence. This results in a NULL pointer dereference if the fieldis missing.Applications and services that call CMS_decrypt() on untrusted input(e.g., S/MIME processing or CMS-based protocols) are vulnerable.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.26.2 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-32778 Severity: Moderate CVSS3 score: 5.9

Description: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-3904 Severity: Moderate CVSS3 score: 5.9

Description: Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash.The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository.It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2026-5450 Severity: Moderate CVSS3 score: 5.9

Description: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2025-68263 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: ipc: fix use-after-free in ipc_msg_send_requestipc_msg_send_request() waits for a generic netlink reply using anipc_msg_table_entry on the stack. The generic netlink handler(handle_generic_event()/handle_response()) fills entry->response underipc_msg_table_lock, but ipc_msg_send_request() used to validate and freeentry->response without holding the same lock.Under high concurrency this allows a race where handle_response() iscopying data into entry->response while ipc_msg_send_request() has justfreed it, leading to a slab-use-after-free reported by KASAN inhandle_generic_event(): BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] Write of size 12 at addr ffff888198ee6e20 by task pool/109349 ... Freed by task: kvfree ipc_msg_send_request [ksmbd] ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]Fix by:- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table.- Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock.- Returning NULL in the error path, preserving the original API semantics.This makes all accesses to entry->response consistent withhandle_response(), which already updates and fills the response bufferunder ipc_msg_table_lock, and closes the race that allowed the UAF.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68265 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:nvme: fix admin request_queue lifetimeThe namespaces can access the controller's admin request_queue, andstale references on the namespaces may exist after tearing down thecontroller. Ensure the admin request_queue is active by moving thecontroller's 'put' to after all controller references have been releasedto ensure no one is can access the request_queue. This fixes a reporteduse-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68310 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdumpDo not block PCI config accesses through pci_cfg_access_lock() whenexecuting the s390 variant of PCI error recovery: Acquire justdevice_lock() instead of pci_dev_lock() as powerpc's EEH andgenerig PCI AER processing do.During error recovery testing a pair of tasks was reported to be hung:mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not workingINFO: task kmcheck:72 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 [<0000000652513212>] devlink_health_report+0x19a/0x230 [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]No kernel log of the exact same error with an upstream kernel isavailable - but the very same deadlock situation can be constructed there,too:- task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock()- task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock.A similar deadlock situation can be reproduced by requesting acrdump with > devlink health dump show pci/ reporter fw_fatalwhile PCI error recovery is executed on the same physical functionby mlx5_core's pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw Tests with this patch failed to reproduce that second deadlock situation,the devlink command is rejected with "kernel answers: Permission denied" -and we get a kernel log message of:mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5because the config read of VSC_SEMAPHORE is rejected by the underlyinghardware.Two prior attempts to address this issue have been discussed andultimately rejected [see link], with the primary argument that s390'simplementation of PCI error recovery is imposing restrictions thatneither powerpc's EEH nor PCI AER handling need. Tests show that PCIerror recovery on s390 is running to completion even without blockingaccess to PCI config space.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68795 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:ethtool: Avoid overflowing userspace buffer on stats queryThe ethtool -S command operates across three ioctl calls:ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, andETHTOOL_GSTATS for the values.If the number of stats changes between these calls (e.g., due to devicereconfiguration), userspace's buffer allocation will be incorrect,potentially leading to buffer overflow.Drivers are generally expected to maintain stable stat counts, but somedrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, makingthis scenario possible.Some drivers try to handle this internally:- bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count.- micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer.However, both use stats.n_stats which is already assigned with the valuereturned from get_sset_count(), hence won't solve the issue describedhere.Change ethtool_get_strings(), ethtool_get_stats(),ethtool_get_phy_stats() to not return anything in case of a mismatchbetween userspace's size and get_sset_size(), to prevent bufferoverflow.The returned n_stats value will be equal to zero, to reflect thatnothing has been returned.This could result in one of two cases when using upstream ethtool,depending on when the size change is detected:1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available2. When detected in get stats, all stats will be reported as zero.Both cases are presumably transient, and a subsequent ethtool callshould succeed.Other than the overflow avoidance, these two cases are very evident (nooutput/cleared stats), which is arguably better than presentingincorrect/shifted stats.I also considered returning an error instead of a "silent" response, butthat seems more destructive towards userspace apps.Notes:- This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior.- RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released.- Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23156 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:efivarfs: fix error propagation in efivar_entry_get()efivar_entry_get() always returns success even if the underlying__efivar_entry_get() fails, masking errors.This may result in uninitialized heap memory being copied to userspacein the efivarfs_file_read() path.Fix it by returning the error from __efivar_entry_get().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23193 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()In iscsit_dec_session_usage_count(), the function calls complete() whileholding the sess->session_usage_lock. Similar to the connection usage countlogic, the waiter signaled by complete() (e.g., in the session releasepath) may wake up and free the iscsit_session structure immediately.This creates a race condition where the current thread may attempt toexecute spin_unlock_bh() on a session structure that has already beendeallocated, resulting in a KASAN slab-use-after-free.To resolve this, release the session_usage_lock before calling complete()to ensure all dereferences of the sess pointer are finished before thewaiter is allowed to proceed with deallocation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31431 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: algif_aead - Revert to operating out-of-placeThis mostly reverts commit 72548b093ee3 except for the copying ofthe associated data.There is no benefit in operating in-place in algif_aead since thesource and destination come from different mappings. Get rid ofall the complexity added for in-place operation and just copy theAD directly.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68736 Severity: Moderate CVSS3 score: 5.7

Description: In the Linux kernel, the following vulnerability has been resolved:landlock: Fix handling of disconnected directoriesDisconnected files or directories can appear when they are visible andopened from a bind mount, but have been renamed or moved from the sourceof the bind mount in a way that makes them inaccessible from the mountpoint (i.e. out of scope).Previously, access rights tied to files or directories opened through adisconnected directory were collected by walking the related hierarchydown to the root of the filesystem, without taking into account themount point because it couldn't be found. This could lead toinconsistent access results, potential access right widening, andhard-to-debug renames, especially since such paths cannot be printed.For a sandboxed task to create a disconnected directory, it needs tohave write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) tothe underlying source of the bind mount, and read access to the relatedmount point. Because a sandboxed task cannot acquire more accessrights than those defined by its Landlock domain, this could lead toinconsistent access rights due to missing permissions that should beinherited from the mount point hierarchy, while inheriting permissionsfrom the filesystem hierarchy hidden by this mount point instead.Landlock now handles files and directories opened from disconnecteddirectories by taking into account the filesystem hierarchy when themount point is not found in the hierarchy walk, and also always takinginto account the mount point from which these disconnected directorieswere opened. This ensures that a rename is not allowed if it wouldwiden access rights [1].The rationale is that, even if disconnected hierarchies might not bevisible or accessible to a sandboxed task, relying on the collectedaccess rights from them improves the guarantee that access rights willnot be widened during a rename because of the access right comparisonbetween the source and the destination (see LANDLOCK_ACCESS_FS_REFER).It may look like this would grant more access on disconnected files anddirectories, but the security policies are always enforced for all theevaluated hierarchies. This new behavior should be less surprising tousers and safer from an access control perspective.Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() andfix the related comment.Because opened files have their access rights stored in the related filesecurity properties, there is no impact for disconnected or unlinkedfiles.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68785 Severity: Moderate CVSS3 score: 5.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: openvswitch: fix middle attribute validation in push_nsh() actionThe push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by thenla_for_each_nested() inside __ovs_nla_copy_actions(). The innermostOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()inside nsh_key_put_from_nlattr(). But nothing checks if the attributein the middle is OK. We don't even check that this attribute is theOVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()calls - first time directly while calling validate_push_nsh() and thesecond time as part of the nla_for_each_nested() macro, which isn'tsafe, potentially causing invalid memory access if the size of thisattribute is incorrect. The failure may not be noticed duringvalidation due to larger netlink buffer, but cause trouble later duringaction execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Let's add some checks that the attribute is properly sized and it'sthe only one attribute inside the action. Technically, there is noreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we'repushing an NSH header already, it just creates extra nesting, butthat's how uAPI works today. So, keeping as it is.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36903 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: Fix potential uninit-value access in __ip6_make_skb()As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flagsinstead of testing HDRINCL on the socket to avoid a race condition whichcauses uninit-value access.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71087 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:iavf: fix off-by-one issues in iavf_config_rss_reg()There are off-by-one bugs when configuring RSS hash key and lookuptable, causing out-of-bounds reads to memory [1] and out-of-boundswrites to device registers.Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEXwhich is safe since the value is the last valid index.That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4where `rss_{key,lut}_size / 4` is the number of dwords, so the lastvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`accesses one element past the end.Fix the issues by using `<` instead of `<=`, ensuring we do not exceedthe bounds.[1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23169 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()and/or mptcp_pm_nl_is_backup()Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()which is not RCU ready.list_splice_init_rcu() can not be called here while holding pernet->lockspinlock.Many thanks to Eulgyu Kim for providing a repro and testing our patches.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23359 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix stack-out-of-bounds write in devmapget_upper_ifindexes() iterates over all upper devices and writes theirindices into an array without checking bounds.Also the callers assume that the max number of upper devices isMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,but that assumption is not correct and the number of upper devices couldbe larger than MAX_NEST_DEV (e.g., many macvlans), causing astack-out-of-bounds write.Add a max parameter to get_upper_ifindexes() to avoid the issue.When there are too many upper devices, return -EOVERFLOW and abort theredirect.To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device withan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.Then send a packet to the device to trigger the XDP redirect path.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3184 Severity: Moderate CVSS3 score: 5.6

Description: A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libblkid1 > 0-0 (version in image is 2.39.3-150600.4.15.1).

CVE-2023-52672 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pipe: wakeup wr_wait after setting max_usageCommit c73be61cede5 ("pipe: Add general notification queue support") aregression was introduced that would lock up resized pipes under certainconditions. See the reproducer in [1].The commit resizing the pipe ring size was moved to a differentfunction, doing that moved the wakeup for pipe->wr_wait before actuallyraising pipe->max_usage. If a pipe was full before the resize occured itwould result in the wakeup never actually triggering pipe_write.Set @max_usage and @nr_accounted before waking writers if this isn't awatch queue.[Christian Brauner : rewrite to account for watch queues]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52699 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sysv: don't call sb_bread() with pointers_lock heldsyzbot is reporting sleep in atomic context in SysV filesystem [1], forsb_bread() is called with rw_spinlock held.A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bugand a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12.Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed theformer bug by moving pointers_lock lock to the callers, but insteadintroduced a "sb_bread() with read_lock(&pointers_lock)" bug (which madethis problem easier to hit).Al Viro suggested that why not to do like get_branch()/get_block()/find_shared() in Minix filesystem does. And doing like that is almost arevert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock).

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52757 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix potential deadlock when releasing midsAll release_mid() callers seem to hold a reference of @mid so there isno need to call kref_put(&mid->refcount, __release_mid) under@server->mid_lock spinlock. If they don't, then an use-after-free bugwould have occurred anyways.By getting rid of such spinlock also fixes a potential deadlock asshown belowCPU 0 CPU 1------------------------------------------------------------------cifs_demultiplex_thread() cifs_debug_data_proc_show() release_mid() spin_lock(&server->mid_lock); spin_lock(&cifs_tcp_ses_lock) spin_lock(&server->mid_lock) __release_mid() smb2_find_smb_tcon() spin_lock(&cifs_tcp_ses_lock) *deadlock*

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52787 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:blk-mq: make sure active queue usage is held for bio_integrity_prep()blk_integrity_unregister() can come if queue usage counter isn't heldfor one bio with integrity prepared, so this request may be completed withcalling profile->complete_fn, then kernel panic.Another constraint is that bio_integrity_prep() needs to be calledbefore bio merge.Fix the issue by:- call bio_integrity_prep() with one queue usage counter grabbed reliably- call bio_integrity_prep() before bio merge

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52843 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:llc: verify mac len before reading mac headerLLC reads the mac header with eth_hdr without verifying that the skbhas an Ethernet header.Syzbot was able to enter llc_rcv on a tun device. Tun can insertpackets without mac len and with user configurable skb->protocol(passing a tun_pi header when not configuring IFF_NO_PI). BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 __netif_receive_skb_one_core net/core/dev.c:5523 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 netif_receive_skb_internal net/core/dev.c:5723 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5782 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002Add a mac_len test before all three eth_hdr(skb) calls under net/llc.There are further uses in include/net/llc_pdu.h. All these areprotected by a test skb->protocol == ETH_P_802_2. Which does notprotect against this tun scenario.But the mac_len test added in this patch in llc_fixup_skb willindirectly protect those too. That is called from llc_rcv before anyother LLC code.It is tempting to just add a blanket mac_len check in llc_rcv, butnot sure whether that could break valid LLC paths that do not assumean Ethernet header. 802.2 LLC may be used on top of non-802.3protocols in principle. The below referenced commit shows that usedto, on top of Token Ring.At least one of the three eth_hdr uses goes back to before the startof git history. But the one that syzbot exercises is introduced inthis commit. That commit is old enough (2008), that effectively allstable kernels should receive this.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52845 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tipc: Change nla_policy for bearer-related names to NLA_NUL_STRINGsyzbot reported the following uninit-value access issue [1]:=====================================================BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcdUninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcdTIPC bearer-related names including link names must be null-terminatedstrings. If a link name which is not null-terminated is passed throughnetlink, strstr() and similar functions can cause buffer overrun. Thiscauses the above issue.This patch changes the nla_policy for bearer-related names from NLA_STRINGto NLA_NUL_STRING. This resolves the issue by ensuring that onlynull-terminated strings are accepted as bearer-related names.syzbot reported similar uninit-value issue related to bearer names [2]. Theroot cause of this issue is that a non-null-terminated bearer name waspassed. This patch also resolved this issue.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-53431 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: ses: Handle enclosure with just a primary component gracefullyThis reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosurehas no components") and introduces proper handling of case where there areno detected secondary components, but primary component (enumerated innum_enclosures) does exist. That fix was originally proposed by Ding Hui.Completely ignoring devices that have one primary enclosure and nosecondary one results in ses_intf_add() bailing completely scsi 2:0:0:254: enclosure has no enumerated components scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations sucheven on valid configurations with 1 primary and 0 secondary enclosures asbelow: # sg_ses /dev/sg0 3PARdata SES 3321 Supported diagnostic pages: Supported Diagnostic Pages [sdp] [0x0] Configuration (SES) [cf] [0x1] Short Enclosure Status (SES) [ses] [0x8] # sg_ses -p cf /dev/sg0 3PARdata SES 3321 Configuration diagnostic page: number of secondary subenclosures: 0 generation code: 0x0 enclosure descriptor list Subenclosure identifier: 0 [primary] relative ES process id: 0, number of ES processes: 1 number of type descriptor headers: 1 enclosure logical identifier (hex): 20000002ac02068d enclosure vendor: 3PARdata product: VV rev: 3321 type descriptor header and text list Element type: Unspecified, subenclosure id: 0 number of possible elements: 1The changelog for the original fix follows=====We can get a crash when disconnecting the iSCSI session,the call trace like this: [ffff00002a00fb70] kfree at ffff00000830e224 [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4 [ffff00002a00fbd0] device_del at ffff0000086b6a98 [ffff00002a00fc50] device_unregister at ffff0000086b6d58 [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c [ffff00002a00fca0] scsi_remove_device at ffff000008706134 [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4 [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0 [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4 [ffff00002a00fdb0] process_one_work at ffff00000810f35c [ffff00002a00fe00] worker_thread at ffff00000810f648 [ffff00002a00fe70] kthread at ffff000008116e98In ses_intf_add, components count could be 0, and kcalloc 0 size scomp,but not saved in edev->component[i].scratchIn this situation, edev->component[0].scratch is an invalid pointer,when kfree it in ses_intf_remove_enclosure, a crash like above would happenThe call trace also could be other random cases when kfree cannot catchthe invalid pointerWe should not use edev->component[] array when the components count is 0We also need check index when use edev->component[] array inses_enclosure_data_process=====

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-53712 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ARM: 9317/1: kexec: Make smp stop calls asynchronousIf a panic is triggered by a hrtimer interrupt all online cpus will benotified and set offline. But as highlighted by commit 19dbdcb8039c("smp: Warn on function calls from softirq context") this call shouldnot be made synchronous with disabled interrupts: softdog: Initiating panic Kernel panic - not syncing: Software Watchdog Timer expired WARNING: CPU: 1 PID: 0 at kernel/smp.c:753 smp_call_function_many_cond unwind_backtrace: show_stack dump_stack_lvl __warn warn_slowpath_fmt smp_call_function_many_cond smp_call_function crash_smp_send_stop.part.0 machine_crash_shutdown __crash_kexec panic softdog_fire __hrtimer_run_queues hrtimer_interruptMake the smp call for machine_crash_nonpanic_core() asynchronous.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-53714 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/stm: ltdc: fix late dereference checkIn ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in acontainer_of() before the pointer check. This could cause a kernel panic.Fix this smatch warning:drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-53817 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()During NVMeTCP Authentication a controller can trigger a kerneloops by specifying the 8192 bit Diffie Hellman group and passinga correctly sized, but zeroed Diffie Hellamn value.mpi_cmp_ui() was detecting this if the second parameter was 0,but 1 is passed from dh_is_pubkey_valid(). This causes the nullpointer u->d to be dereferenced towards the end of mpi_cmp_ui()

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-53992 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: cfg80211: ocb: don't leave if not joinedIf there's no OCB state, don't ask the driver/mac80211 toleave, since that's just confusing. Since set/clear thechandef state, that's a simple check.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-54088 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:blk-cgroup: hold queue_lock when removing blkg->q_nodeWhen blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lockhas to be held, otherwise, all kinds of bugs(list corruption, hard lockup,..) can be triggered from blkg_destroy_all().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-54171 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Fix memory leak of iter->temp when reading trace_pipekmemleak reports: unreferenced object 0xffff88814d14e200 (size 256): comm "cat", pid 336, jiffies 4294871818 (age 779.490s) hex dump (first 32 bytes): 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z...... backtrace: [] __kmalloc+0x4f/0x140 [] trace_find_next_entry+0xbb/0x1d0 [] trace_print_lat_context+0xaf/0x4e0 [] print_trace_line+0x3e0/0x950 [] tracing_read_pipe+0x2d9/0x5a0 [] vfs_read+0x143/0x520 [] ksys_read+0xbd/0x160 [] do_syscall_64+0x3f/0x90 [] entry_SYSCALL_64_after_hwframe+0x6e/0xd8when reading file 'trace_pipe', 'iter->temp' is allocated or relocatedin trace_find_next_entry() but not freed before 'trace_pipe' is closed.To fix it, free 'iter->temp' in tracing_release_pipe().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-54172 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/hyperv: Disable IBT when hypercall page lacks ENDBR instructionOn hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMswith ConfigVersion 9.3 or later support IBT in the guest. However,current versions of Hyper-V have a bug in that there's not an ENDBR64instruction at the beginning of the hypercall page. Since hypercalls aremade with an indirect call to the hypercall page, all hypercall attemptsfail with an exception and Linux panics.A Hyper-V fix is in progress to add ENDBR64. But guard against the Linuxpanic by clearing X86_FEATURE_IBT if the hypercall page doesn't startwith ENDBR. The VM will boot and run without IBT.If future Linux 32-bit kernels were to support IBT, additional hypercallpage hackery would be needed to make IBT work for such kernels in aHyper-V VM.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-14027 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs/xattr: missing fdput() in fremovexattr error pathIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire afile reference but returns early without calling fdput() whenstrncpy_from_user() fails on the name argument. In multi-threaded processeswhere fdget() takes the slow path, this permanently leaks onefile reference per call, pinning the struct file and associated kernelobjects in memory. An unprivileged local user can exploit this to causekernel memory exhaustion. The issue was inadvertently fixed by commita71874379ec8 ("xattr: switch to CLASS(fd)").

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-26625 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:llc: call sock_orphan() at release timesyzbot reported an interesting trace [1] caused by a stale sk->sk_wqpointer in a closed llc socket.In commit ff7b11aa481f ("net: socket: set sock->sk to NULL aftercalling proto_ops::release()") Eric Biggers hinted that some protocolsare missing a sock_orphan(), we need to perform a full audit.In net-next, I plan to clear sock->sk from sock_orphan() andamend Eric patch to add a warning.[1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6bFreed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-26676 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.syzbot reported a warning [0] in __unix_gc() with a repro, whichcreates a socketpair and sends one socket's fd to itself using thepeer. socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0 sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}], msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, cmsg_data=[3]}], msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1This forms a self-cyclic reference that GC should finally untanglebut does not due to lack of MSG_OOB handling, resulting in memoryleak.Recently, commit 11498715f266 ("af_unix: Remove io_uring code forGC.") removed io_uring's dead code in GC and revealed the problem.The code was executed at the final stage of GC and unconditionallymoved all GC candidates from gc_candidates to gc_inflight_list.That papered over the reported problem by always making the followingWARN_ON_ONCE(!list_empty(&gc_candidates)) false.The problem has been there since commit 2aab4b969002 ("af_unix: fixstruct pid leaks in OOB support") added full scm support for MSG_OOBwhile fixing another bug.To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skbif the socket still exists in gc_candidates after purging collected skb.Then, we need to set NULL to oob_skb before calling kfree_skb() becauseit calls last fput() and triggers unix_release_sock(), where we callduplicate kfree_skb(u->oob_skb) if not NULL.Note that the leaked socket remained being linked to a global list, sokmemleak also could not detect it. We need to check /proc/net/protocolto notice the unfreed socket.[0]:WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345Modules linked in:CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024Workqueue: events_unbound __unix_gcRIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493eRDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: process_one_work+0x889/0x15e0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787 kthread+0x2c6/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35247 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fpga: region: add owner module and take its refcountThe current implementation of the fpga region assumes that the low-levelmodule registers a driver for the parent device and uses its owner pointerto take the module's refcount. This approach is problematic since it canlead to a null pointer dereference while attempting to get the regionduring programming if the parent device does not have a driver.To address this problem, add a module owner pointer to the fpga_regionstruct and use it to take the module's refcount. Modify the functions forregistering a region to take an additional owner module parameter andrename them to avoid conflicts. Use the old function names for helpermacros that automatically set the module that registers the region as theowner. This ensures compatibility with existing low-level control modulesand reduces the chances of registering a region without setting the owner.Also, update the documentation to keep it consistent with the new interfacefor registering an fpga region.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35807 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix corruption during on-line resizeWe observed a corruption during on-line resize of a file system that islarger than 16 TiB with 4k block size. With having more then 2^32 blocksresize_inode is turned off by default by mke2fs. The issue can bereproduced on a smaller file system for convenience by explicitlyturning off resize_inode. An on-line resize across an 8 GiB boundary (thesize of a meta block group in this setup) then leads to a corruption: dev=/dev/ # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks perblock group and 2^6 are the number of block groups that make a metablock group.The last checksum might be different depending on how the file is laidout across the physical blocks. The actual corruption occurs at physicalblock 63*2^15 = 2064384 which would be the location of the backup of themeta block group's block descriptor. During the on-line resize the filesystem will be converted to meta_bg starting at s_first_meta_bg which is2 in the example - meaning all block groups after 16 GiB. However, inext4_flex_group_add we might add block groups that are not part of thefirst meta block group yet. In the reproducer we achieved this bysubstracting the size of a whole block group from the point where themeta block group would start. This must be considered when updating thebackup block group descriptors to follow the non-meta_bg layout. The fixis to add a test whether the group to add is already part of the metablock group or not.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35827 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/net: fix overflow check in io_recvmsg_mshot_prep()The "controllen" variable is type size_t (unsigned long). Casting itto int could lead to an integer underflow.The check_add_overflow() function considers the type of the destinationwhich is type int. If we add two positive values and the result cannotfit in an integer then that's counted as an overflow.However, if we cast "controllen" to an int and it turns negative, thennegative values *can* fit into an int type so there is no overflow.Good: 100 + (unsigned long)-4 = 96 <-- overflow Bad: 100 + (int)-4 = 96 <-- no overflowI deleted the cast of the sizeof() as well. That's not a bug but thecast is unnecessary.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35831 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring: Fix release of pinned pages when __io_uaddr_map failsLooking at the error path of __io_uaddr_map, if we fail after pinningthe pages for any reasons, ret will be set to -EINVAL and the errorhandler won't properly release the pinned pages.I didn't manage to trigger it without forcing a failure, but it canhappen in real life when memory is heavily fragmented.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35848 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:eeprom: at24: fix memory corruption race conditionIf the eeprom is not accessible, an nvmem device will be registered, theread will fail, and the device will be torn down. If another driveraccesses the nvmem device after the teardown, it will referenceinvalid memory.Move the failure point before registering the nvmem device.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35857 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:icmp: prevent possible NULL dereferences from icmp_build_probe()First problem is a double call to __in_dev_get_rcu(), becausethe second one could return NULL.if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)Second problem is a read from dev->ip6_ptr with no NULL check:if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))Use the correct RCU API to fix these.v2: add missing include

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35880 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/kbuf: hold io_buffer_list reference over mmapIf we look up the kbuf, ensure that it doesn't get unregistered untilafter we're done with it. Since we're inside mmap, we cannot safely usethe io_uring lock. Rely on the fact that we can lookup the buffer listunder RCU now and grab a reference to it, preventing it from beingunregistered until we're done with it. The lookup returns theio_buffer_list directly with it referenced.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35884 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:udp: do not accept non-tunnel GSO skbs landing in a tunnelWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed whenbeing forwarded. If such packets might land in a tunnel this can causevarious issues and udp_gro_receive makes sure this isn't the case bylooking for a matching socket. This is performed inudp4/6_gro_lookup_skb but only in the current netns. This is an issuewith tunneled packets when the endpoint is in another netns. In suchcases the packets will be GROed at the UDP level, which leads to variousissues later on. The same thing can happen with rx-gro-list.We saw this with geneve packets being GROed at the UDP level. In suchcase gso_size is set; later the packet goes through the geneve rx path,the geneve header is pulled, the offset are adjusted and frag_list skbsare not adjusted with regard to geneve. When those skbs hitskb_fragment, it will misbehave. Different outcomes are possibledepending on what the GROed skbs look like; from corrupted packets tokernel crashes.One example is a BUG_ON[1] triggered in skb_segment while processing thefrag_list. Because gso_size is wrong (geneve header was pulled)skb_segment thinks there is "geneve header size" of data in frag_list,although it's in fact the next packet. The BUG_ON itself has nothing todo with the issue. This is only one of the potential issues.Looking up for a matching socket in udp_gro_receive is fragile: thelookup could be extended to all netns (not speaking about performances)but nothing prevents those packets from being modified in between and wecould still not find a matching socket. It's OK to keep the currentlogic there as it should cover most cases but we also need to make surewe handle tunnel packets being GROed too early.This is done by extending the checks in udp_unexpected_gso: GSO packetslacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel mustbe segmented.[1] kernel BUG at net/core/skbuff.c:4408! RIP: 0010:skb_segment+0xd2a/0xf70 __udp_gso_segment+0xaa/0x560

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35886 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: Fix infinite recursion in fib6_dump_done().syzkaller reported infinite recursive calls of fib6_dump_done() duringnetlink socket destruction. [1]From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and thenthe response was generated. The following recvmmsg() resumed the dumpfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() dueto the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8)Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next callof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stoppedreceiving the response halfway through, and finally netlink_sock_destruct()called nlk_sk(sk)->cb.done().fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if itis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() bynlk_sk(sk)->cb.args[3], but it has the same function, not NULL, callingitself recursively and hitting the stack guard page.To avoid the issue, let's set the destructor after kzalloc().[0]:FAULT_INJECTION: forcing a failure.name failslab, interval 1, probability 0, space 0, times 0CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014Call Trace: dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)[1]:BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)stack guard page: 0000 [#1] PREEMPT SMP KASANCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014Workqueue: events netlink_sock_destruct_workRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ffRSP: 0018:ffffc9000d980000 EFLAGS: 00010293RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0PKRU: 55555554Call Trace: <#DF> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue.---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35892 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()qdisc_tree_reduce_backlog() is called with the qdisc lock held,not RTNL.We must use qdisc_lookup_rcu() instead of qdisc_lookup()syzbot reported:WARNING: suspicious RCU usage6.1.74-syzkaller #0 Not tainted-----------------------------net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!other info that might help us debug this:rcu_scheduler_active = 2, debug_locks = 13 locks held by udevd/1142: #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline] #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792stack backtrace:CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024Call Trace: [] __dump_stack lib/dump_stack.c:88 [inline] [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106 [] dump_stack+0x15/0x1e lib/dump_stack.c:113 [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592 [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305 [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811 [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51 [] qdisc_enqueue include/net/sch_generic.h:833 [inline] [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723 [] dequeue_skb net/sched/sch_generic.c:292 [inline] [] qdisc_restart net/sched/sch_generic.c:397 [inline] [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415 [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313 [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616 [] invoke_softirq kernel/softirq.c:447 [inline] [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700 [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712 [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107 [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35896 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: validate user input for expected lengthI got multiple syzbot reports showing old bugs exposedby BPF after commit 20f2505fb436 ("bpf: Try to avoid kzallocin cgroup/{s,g}etsockopt")setsockopt() @optlen argument should be taken into accountbefore copying data. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7aRIP: 0033:0x7fd22067dde9Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8 Allocated by task 7238: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:4069 [inline] __kmalloc_noprof+0x200/0x410 mm/slub.c:4082 kmalloc_noprof include/linux/slab.h:664 [inline] __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7aThe buggy address belongs to the object at ffff88802cd73da0 which belongs to the cache kmalloc-8 of size 8The buggy address is located 0 bytes inside of allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)The buggy address belongs to the physical page:page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)page_type: 0xffffefff(slab)raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35898 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()nft_unregister_flowtable_type() within nf_flow_inet_module_exit() canconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().And thhere is not any protection when iterate over nf_tables_flowtableslist in __nft_flowtable_type_get(). Therefore, there is pertentialdata-race of nf_tables_flowtables list entry.Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables listin __nft_flowtable_type_get(), and use rcu_read_lock() in the callernft_flowtable_type_get() to protect the entire type query process.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35900 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: reject new basechain after table flag updateWhen dormant flag is toggled, hooks are disabled in the commit phase byiterating over current chains in table (existing and new).The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; }which triggers the following warning when trying to unregister chain wwhich is already unregistered.[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260[...][ 127.322519] Call Trace:[ 127.322521] [ 127.322524] ? __warn+0x9f/0x1a0[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260[ 127.322537] ? report_bug+0x1b1/0x1e0[ 127.322545] ? handle_bug+0x3c/0x70[ 127.322552] ? exc_invalid_op+0x17/0x40[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20[ 127.322563] ? kasan_save_free_info+0x3b/0x60[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables][ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables][ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35925 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:block: prevent division by zero in blk_rq_stat_sum()The expression dst->nr_samples + src->nr_samples mayhave zero value on overflow. It is necessary to adda check to avoid division by zero.Found by Linux Verification Center (linuxtesting.org) with Svace.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35970 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:af_unix: Clear stale u->oob_skb.syzkaller started to report deadlock of unix_gc_lock after commit4090fa373f0e ("af_unix: Replace garbage collection algorithm."), butit just uncovers the bug that has been there since commit 314001f0bf92("af_unix: Add OOB support").The repro basically does the following. from socket import * from array import array c1, c2 = socketpair(AF_UNIX, SOCK_STREAM) c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array("i", [c2.fileno()]))], MSG_OOB) c2.recv(1) # blocked as no normal data in recv queue c2.close() # done async and unblock recv() c1.close() # done async and trigger GCA socket sends its file descriptor to itself as OOB data and tries toreceive normal data, but finally recv() fails due to async close().The problem here is wrong handling of OOB skb in manage_oob(). Whenrecvmsg() is called without MSG_OOB, manage_oob() is called to checkif the peeked skb is OOB skb. In such a case, manage_oob() pops itout of the receive queue but does not clear unix_sock(sk)->oob_skb.This is wrong in terms of uAPI.Let's say we send "hello" with MSG_OOB, and "world" without MSG_OOB.The 'o' is handled as OOB data. When recv() is called twice withoutMSG_OOB, the OOB data should be lost. >>> from socket import * >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0) >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data 5 >>> c1.send(b'world') 5 >>> c2.recv(5) # OOB data is not received b'hell' >>> c2.recv(5) # OOB date is skipped b'world' >>> c2.recv(5, MSG_OOB) # This should return an error b'o'In the same situation, TCP actually returns -EINVAL for the lastrecv().Also, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always setEPOLLPRI even though the data has passed through by previous recv().To avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuingit from recv queue.The reason why the old GC did not trigger the deadlock is because theold GC relied on the receive queue to detect the loop.When it is triggered, the socket with OOB data is marked as GC candidatebecause file refcount == inflight count (1). However, after traversingall inflight sockets, the socket still has a positive inflight count (1),thus the socket is excluded from candidates. Then, the old GC lose thechance to garbage-collect the socket.With the old GC, the repro continues to create true garbage that willnever be freed nor detected by kmemleak as it's linked to the globalinflight list. That's why we couldn't even notice the issue.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35976 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RINGsyzbot reported an illegal copy in xsk_setsockopt() [1]Make sure to validate setsockopt() @optlen parameter.[1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75RIP: 0033:0x7fb40587de69Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08 Allocated by task 7549: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3966 [inline] __kmalloc+0x233/0x4a0 mm/slub.c:3979 kmalloc include/linux/slab.h:632 [inline] __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75The buggy address belongs to the object at ffff888028c6cde0 which belongs to the cache kmalloc-8 of size 8The buggy address is located 1 bytes to the right of allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)The buggy address belongs to the physical page:page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6canon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)page_type: 0xffffffff()raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000page dumped because: kasan: bad access detectedpage_owner tracks the page as allocatedpage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c:---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36005 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: honor table dormant flag from netdev release event pathCheck for table dormant flag otherwise netdev release event path triesto unregister an already unregistered hook.[524854.857999] ------------[ cut here ]------------[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260[...][524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365[524854.858869] Workqueue: netns cleanup_net[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0[524854.859000] Call Trace:[524854.859006] [524854.859013] ? __warn+0x9f/0x1a0[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260[524854.859044] ? report_bug+0x1b1/0x1e0[524854.859060] ? handle_bug+0x3c/0x70[524854.859071] ? exc_invalid_op+0x17/0x40[524854.859083] ? asm_exc_invalid_op+0x1a/0x20[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables][524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables][524854.859461] ? packet_notifier+0xb3/0x360[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40[524854.859489] ? dcbnl_netdevice_event+0x35/0x140[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables][524854.859661] notifier_call_chain+0x7d/0x140[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36008 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: check for NULL idev in ip_route_use_hint()syzbot was able to trigger a NULL deref in fib_validate_source()in an old tree [1].It appears the bug exists in latest trees.All calls to __in_dev_get_rcu() must be checked for a NULL result.[1]general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASANKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bfRSP: 0018:ffffc900015fee40 EFLAGS: 00010246RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231 ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327 ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline] ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673 __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline] __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620 __netif_receive_skb_list net/core/dev.c:5672 [inline] netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764 netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816 xdp_recv_frames net/bpf/test_run.c:257 [inline] xdp_test_run_batch net/bpf/test_run.c:335 [inline] bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363 bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376 bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736 __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115 __do_sys_bpf kernel/bpf/syscall.c:5201 [inline] __se_sys_bpf kernel/bpf/syscall.c:5199 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36281 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rulesrx_create no longer allocates a modify_hdr instance that needs to becleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointerdereference. A leak in the rules also previously occurred since there arenow two rules populated related to status. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 109907067 P4D 109907067 PUD 116890067 PMD 0 Oops: 0000 [#1] SMP CPU: 1 PID: 484 Comm: ip Not tainted 6.9.0-rc2-rrameshbabu+ #254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:mlx5_modify_header_dealloc+0xd/0x70 Call Trace: ? show_regs+0x60/0x70 ? __die+0x24/0x70 ? page_fault_oops+0x15f/0x430 ? free_to_partial_list.constprop.0+0x79/0x150 ? do_user_addr_fault+0x2c9/0x5c0 ? exc_page_fault+0x63/0x110 ? asm_exc_page_fault+0x27/0x30 ? mlx5_modify_header_dealloc+0xd/0x70 rx_create+0x374/0x590 rx_add_rule+0x3ad/0x500 ? rx_add_rule+0x3ad/0x500 ? mlx5_cmd_exec+0x2c/0x40 ? mlx5_create_ipsec_obj+0xd6/0x200 mlx5e_accel_ipsec_fs_add_rule+0x31/0xf0 mlx5e_xfrm_add_state+0x426/0xc00

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36479 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fpga: bridge: add owner module and take its refcountThe current implementation of the fpga bridge assumes that the low-levelmodule registers a driver for the parent device and uses its owner pointerto take the module's refcount. This approach is problematic since it canlead to a null pointer dereference while attempting to get the bridge ifthe parent device does not have a driver.To address this problem, add a module owner pointer to the fpga_bridgestruct and use it to take the module's refcount. Modify the function forregistering a bridge to take an additional owner module parameter andrename it to avoid conflicts. Use the old function name for a helper macrothat automatically sets the module that registers the bridge as the owner.This ensures compatibility with existing low-level control modules andreduces the chances of registering a bridge without setting the owner.Also, update the documentation to keep it consistent with the new interfacefor registering an fpga bridge.Other changes: opportunistically move put_device() from __fpga_bridge_get()to fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity sincethe bridge device is taken in these functions.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36882 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm: use memalloc_nofs_save() in page_cache_ra_order()See commit f2c817bed58d ("mm: use memalloc_nofs_save in readahead path"),ensure that page_cache_ra_order() do not attempt to reclaim file-backedpages too, or it leads to a deadlock, found issue when test ext4 largefolio. INFO: task DataXceiver for:7494 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:DataXceiver for state:D stack:0 pid:7494 ppid:1 flags:0x00000200 Call trace: __switch_to+0x14c/0x240 __schedule+0x82c/0xdd0 schedule+0x58/0xf0 io_schedule+0x24/0xa0 __folio_lock+0x130/0x300 migrate_pages_batch+0x378/0x918 migrate_pages+0x350/0x700 compact_zone+0x63c/0xb38 compact_zone_order+0xc0/0x118 try_to_compact_pages+0xb0/0x280 __alloc_pages_direct_compact+0x98/0x248 __alloc_pages+0x510/0x1110 alloc_pages+0x9c/0x130 folio_alloc+0x20/0x78 filemap_alloc_folio+0x8c/0x1b0 page_cache_ra_order+0x174/0x308 ondemand_readahead+0x1c8/0x2b8 page_cache_async_ra+0x68/0xb8 filemap_readahead.isra.0+0x64/0xa8 filemap_get_pages+0x3fc/0x5b0 filemap_splice_read+0xf4/0x280 ext4_file_splice_read+0x2c/0x48 [ext4] vfs_splice_read.part.0+0xa8/0x118 splice_direct_to_actor+0xbc/0x288 do_splice_direct+0x9c/0x108 do_sendfile+0x328/0x468 __arm64_sys_sendfile64+0x8c/0x148 invoke_syscall+0x4c/0x118 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x4c/0x1f8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x188/0x190

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36887 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:e1000e: change usleep_range to udelay in PHY mdic accessThis is a partial revert of commit 6dbdd4de0362 ("e1000e: Workaroundfor sporadic MDI error on Meteor Lake systems"). The referenced commitused usleep_range inside the PHY access routines, which are sometimescalled from an atomic context. This can lead to a kernel panic in somescenarios, such as cable disconnection and reconnection on vPro systems.Solve this by changing the usleep_range calls back to udelay.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36919 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: bnx2fc: Remove spin_lock_bh while releasing resources after uploadThe session resources are used by FW and driver when session is offloaded,once session is uploaded these resources are not used. The lock is notrequired as these fields won't be used any longer. The offload and uploadcalls are sequential, hence lock is not required.This will suppress following BUG_ON():[ 449.843143] ------------[ cut here ]------------[ 449.848302] kernel BUG at mm/vmalloc.c:2727![ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1Rebooting.[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc][ 449.882910] RIP: 0010:vunmap+0x2e/0x30[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[ 449.993028] Call Trace:[ 449.995756] __iommu_dma_free+0x96/0x100[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc][ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc][ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc][ 450.018136] fc_rport_work+0x103/0x5b0 [libfc][ 450.023103] process_one_work+0x1e8/0x3c0[ 450.027581] worker_thread+0x50/0x3b0[ 450.031669] ? rescuer_thread+0x370/0x370[ 450.036143] kthread+0x149/0x170[ 450.039744] ? set_kthread_struct+0x40/0x40[ 450.044411] ret_from_fork+0x22/0x30[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36967 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KEYS: trusted: Fix memory leak in tpm2_key_encode()'scratch' is never freed. Fix this by calling kfree() in the success, andin the error case.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-37021 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fpga: manager: add owner module and take its refcountThe current implementation of the fpga manager assumes that the low-levelmodule registers a driver for the parent device and uses its owner pointerto take the module's refcount. This approach is problematic since it canlead to a null pointer dereference while attempting to get the manager ifthe parent device does not have a driver.To address this problem, add a module owner pointer to the fpga_managerstruct and use it to take the module's refcount. Modify the functions forregistering the manager to take an additional owner module parameter andrename them to avoid conflicts. Use the old function names for helpermacros that automatically set the module that registers the manager as theowner. This ensures compatibility with existing low-level control modulesand reduces the chances of registering a manager without setting the owner.Also, update the documentation to keep it consistent with the new interfacefor registering an fpga manager.Other changes: opportunistically move put_device() from __fpga_mgr_get() tofpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since themanager device is taken in these functions.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38556 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Add a timeout to acquire the command queue semaphorePrevent forced completion handling on an entry that has not yet beenassigned an index, causing an out of bounds access on idx = -22.Instead of waiting indefinitely for the sem, blocking flow now waits forindex to be allocated or a sem acquisition timeout before beginning thetimer for FW completion.Kernel log example:mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38560 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: bfa: Ensure the copied buf is NUL terminatedCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes fromuserspace to that buffer. Later, we use sscanf on this buffer but we don'tensure that the string is terminated inside the buffer, this can lead toOOB read when using sscanf. Fix this issue by using memdup_user_nul insteadof memdup_user.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38566 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix verifier assumptions about socket->skThe verifier assumes that 'sk' field in 'struct socket' is validand non-NULL when 'socket' pointer itself is trusted and non-NULL.That may not be the case when socket was just created andpassed to LSM socket_accept hook.Fix this verifier assumption and adjust tests.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38627 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:stm class: Fix a double free in stm_register_device()The put_device(&stm->dev) call will trigger stm_device_release() whichfrees "stm" so the vfree(stm) on the next line is a double free.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38628 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.Hang on to the control IDs instead of pointers since those are correctlyhandled with locks.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-39296 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: fix oops during rmmod"rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding:remove redundant NULL check in debugfs function"). Here are the relevantfunctions being called:bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPSHowever, reverting the bad commit does not solve the problem completelybecause the original code contains a race that could cause the sameoops, although it was much less likely to be triggered unintentionally:CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root);CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root)CPU1 bonding_debug_root = NULL;So do NOT revert the bad commit (since the removed checks were racyanyway), and instead change the order of actions taken during moduleremoval. The same oops can also happen if there is an error duringmodule init, so apply the same fix there.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-39301 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/9p: fix uninit-value in p9_client_rpc()Syzbot with the help of KMSAN reported the following error:BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75If p9_check_errors() fails early in p9_client_rpc(), req->rc.tagwill not be properly initialized. However, trace_9p_client_res()ends up trying to print it out anyway before p9_client_rpc()finishes.Fix this issue by assigning default values to p9_fcall fieldssuch as 'tag' and (just in case KMSAN unearths something new) 'id'during the tag allocation stage.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-39371 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring: check for non-NULL file pointer in io_file_can_poll()In earlier kernels, it was possible to trigger a NULL pointerdereference off the forced async preparation path, if no file hadbeen assigned. The trace leading to that looks as follows:BUG: kernel NULL pointer dereference, address: 00000000000000b0PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMPCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022RIP: 0010:io_buffer_select+0xc3/0x210Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5bRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0Call Trace: ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4eRIP: 0033:0x55e0a110a67eCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6because the request is marked forced ASYNC and has a bad file fd, andhence takes the forced async prep path.Current kernels with the request async prep cleaned up can no longer hitthis issue, but for ease of backporting, let's add this safety check inhere too as it really doesn't hurt. For both cases, this will inevitablyend with a CQE posted with -EBADF.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-42103 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix adding block group to a reclaim list and the unused list during reclaimThere is a potential parallel list adding for retrying inbtrfs_reclaim_bgs_work and adding to the unused list. Since the blockgroup is removed from the reclaim list and it is on a relocation work,it can be added into the unused list in parallel. When that happens,adding it to the reclaim list will corrupt the list head and triggerlist corruption like below.Fix it by taking fs_info->unused_bgs_lock. [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104 [177.514][T2585409] list_del corruption. next->prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0) [177.529][T2585409] ------------[ cut here ]------------ [177.537][T2585409] kernel BUG at lib/list_debug.c:65! [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1 [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022 [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs] [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72 [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286 [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000 [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40 [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08 [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0 [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000 [177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000 [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0 [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000 [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400 [177.742][T2585409] PKRU: 55555554 [177.748][T2585409] Call Trace: [177.753][T2585409] [177.759][T2585409] ? __die_body.cold+0x19/0x27 [177.766][T2585409] ? die+0x2e/0x50 [177.772][T2585409] ? do_trap+0x1ea/0x2d0 [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.788][T2585409] ? do_error_trap+0xa3/0x160 [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.805][T2585409] ? handle_invalid_op+0x2c/0x40 [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.820][T2585409] ? exc_invalid_op+0x2d/0x40 [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20 [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]There is a similar retry_list code in btrfs_delete_unused_bgs(), but it issafe, AFAICS. Since the block group was in the unused list, the used bytesshould be 0 when it was added to the unused list. Then, it checksblock_group->{used,reserved,pinned} are still 0 under theblock_group->lock. So, they should be still eligible for the unused list,not the reclaim list.The reason it is safe there it's because because we're holdingspace_info->groups_sem in write mode.That means no other task can allocate from the block group, so while weare at deleted_unused_bgs() it's not possible for other tasks toallocate and deallocate extents from the block group, so it can't beadded to the unused list or the reclaim list by anyone else.The bug can be reproduced by btrfs/166 after a few rounds. In practicethis can be hit when relocation cannot find more chunk space and endswith ENOSPC.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-53070 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: dwc3: fix fault at system suspend if device was already runtime suspendedIf the device was already runtime suspended then during system suspendwe cannot access the device registers else it will crash.Also we cannot access any registers after dwc3_core_exit() on someplatforms so move the dwc3_enable_susphy() call to the top.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-53219 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:virtiofs: use pages instead of pointer for kernel direct IOWhen trying to insert a 10MB kernel module kept in a virtio-fs with cachedisabled, the following warning was reported: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ...... Modules linked in: CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:__alloc_pages+0x2bf/0x380 ...... Call Trace: ? __warn+0x8e/0x150 ? __alloc_pages+0x2bf/0x380 __kmalloc_large_node+0x86/0x160 __kmalloc+0x33c/0x480 virtio_fs_enqueue_req+0x240/0x6d0 virtio_fs_wake_pending_and_unlock+0x7f/0x190 queue_request_and_unlock+0x55/0x60 fuse_simple_request+0x152/0x2b0 fuse_direct_io+0x5d2/0x8c0 fuse_file_read_iter+0x121/0x160 __kernel_read+0x151/0x2d0 kernel_read+0x45/0x50 kernel_read_file+0x1a9/0x2a0 init_module_from_file+0x6a/0xe0 idempotent_init_module+0x175/0x230 __x64_sys_finit_module+0x5d/0xb0 x64_sys_call+0x1c3/0x9e0 do_syscall_64+0x3d/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ...... ---[ end trace 0000000000000000 ]---The warning is triggered as follows:1) syscall finit_module() handles the module insertion and it invokeskernel_read_file() to read the content of the module first.2) kernel_read_file() allocates a 10MB buffer by using vmalloc() andpasses it to kernel_read(). kernel_read() constructs a kvec iter byusing iov_iter_kvec() and passes it to fuse_file_read_iter().3) virtio-fs disables the cache, so fuse_file_read_iter() invokesfuse_direct_io(). As for now, the maximal read size for kvec iter isonly limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, sofuse_direct_io() doesn't split the 10MB buffer. It saves the address andthe size of the 10MB-sized buffer in out_args[0] of a fuse request andpasses the fuse request to virtio_fs_wake_pending_and_unlock().4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() toqueue the request. Because virtiofs need DMA-able address, sovirtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer forall fuse args, copies these args into the bounce buffer and passed thephysical address of the bounce buffer to virtiofsd. The total length ofthese fuse args for the passed fuse request is about 10MB, socopy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter andit triggers the warning in __alloc_pages(): if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) return NULL;5) virtio_fs_enqueue_req() will retry the memory allocation in akworker, but it won't help, because kmalloc() will always return NULLdue to the abnormal size and finit_module() will hang forever.A feasible solution is to limit the value of max_read for virtio-fs, sothe length passed to kmalloc() will be limited. However it will affectthe maximal read size for normal read. And for virtio-fs write initiatedfrom kernel, it has the similar problem but now there is no way to limitfc->max_write in kernel.So instead of limiting both the values of max_read and max_write inkernel, introducing use_pages_for_kvec_io in fuse_conn and setting it astrue in virtiofs. When use_pages_for_kvec_io is enabled, fuse will usepages instead of pointer to pass the KVEC_IO data.After switching to pages for KVEC_IO data, these pages will be used forDMA through virtio-fs. If these pages are backed by vmalloc(),{flush|invalidate}_kernel_vmap_range() are necessary to flush orinvalidate the cache before the DMA operation. So add two new fields infuse_args_pages to record the base address of vmalloc area and thecondition indicating whether invalidation is needed. Perform the flushin fuse_get_user_pages() for write operations and the invalidation infuse_release_user_pages() for read operations.It may seem necessary to introduce another fie---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-58015 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath12k: Fix for out-of bound access errorSelfgen stats are placed in a buffer using print_array_to_buf_index() function.Array length parameter passed to the function is too big, resulting in possibleout-of bound memory error.Decreasing buffer size by one fixes faulty upper bound of passed array.Discovered in coverity scan, CID 1600742 and CID 1600758

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-58241 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_core: Disable works on hci_unregister_devThis make use of disable_work_* on hci_unregister_dev since the hci_dev isabout to be freed new submissions are not disarable.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-14876 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2025-15281 Severity: Moderate CVSS3 score: 5.5

Description: Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc < 2.38-150600.14.40.1 (version in image is 2.38-150600.14.37.1).

CVE-2025-21712 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetimeAfter commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into structmd_bitmap_stats"), following panic is reported:Oops: general protection fault, probably for non-canonical addressRIP: 0010:bitmap_get_stats+0x2b/0xa0Call Trace: md_seq_show+0x2d2/0x5b0 seq_read_iter+0x2b9/0x470 seq_read+0x12f/0x180 proc_reg_read+0x57/0xb0 vfs_read+0xf6/0x380 ksys_read+0x6c/0xf0 do_syscall_64+0x82/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7eRoot cause is that bitmap_get_stats() can be called at anytime if mddevis still there, even if bitmap is destroyed, or not fully initialized.Deferenceing bitmap in this case can crash the kernel. Meanwhile, theabove commit start to deferencing bitmap->storage, make the problemeasier to trigger.Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-22047 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/microcode/AMD: Fix __apply_microcode_amd()'s return valueWhen verify_sha256_digest() fails, __apply_microcode_amd() should propagatethe failure by returning false (and not -1 which is promoted to true).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-37813 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: xhci: Fix invalid pointer dereference in Etron workaroundThis check is performed before prepare_transfer() and prepare_ring(), soenqueue can already point at the final link TRB of a segment. And indeedit will, some 0.4% of times this code is called.Then enqueue + 1 is an invalid pointer. It will crash the kernel rightaway or load some junk which may look like a link TRB and cause the reallink TRB to be replaced with a NOOP. This wouldn't end well.Use a functionally equivalent test which doesn't dereference the pointerand always gives correct result.Something has crashed my machine twice in recent days while playing withan Etron HC, and a control transfer stress test ran for confirmation hasjust crashed it again. The same test passes with this patch applied.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38379 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix warning when reconnecting channelWhen reconnecting a channel in smb2_reconnect_server(), a dummy tconis passed down to smb2_reconnect() with ->query_interfaceuninitialized, so we can't call queue_delayed_work() on it.Fix the following warning by ensuring that we're queueing the delayedworker from correct tcon.WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014Workqueue: cifsiod smb2_reconnect_server [cifs]RIP: 0010:__queue_delayed_work+0x1d2/0x200Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 0000 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 feff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9RSP: 0018:ffffc900014afad8 EFLAGS: 00010003RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020FS: 0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0PKRU: 55555554Call Trace: queue_delayed_work_on+0xb4/0xc0 smb2_reconnect+0xb22/0xf50 [cifs] smb2_reconnect_server+0x413/0xd40 [cifs] ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs] ? local_clock_noinstr+0xd/0xd0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 process_one_work+0x4c5/0xa10 ? __pfx_process_one_work+0x10/0x10 ? __list_add_valid_or_report+0x37/0x120 worker_thread+0x2f1/0x5a0 ? __kthread_parkme+0xde/0x100 ? __pfx_worker_thread+0x10/0x10 kthread+0x1fe/0x380 ? kthread+0x10f/0x380 ? __pfx_kthread+0x10/0x10 ? local_clock_noinstr+0xd/0xd0 ? ret_from_fork+0x1b/0x1f0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 ? rcu_is_watching+0x20/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x15b/0x1f0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 irq event stamp: 1116206hardirqs last enabled at (1116205): [] __up_console_sem+0x52/0x60hardirqs last disabled at (1116206): [] queue_delayed_work_on+0x6e/0xc0softirqs last enabled at (1116138): [] __smb_send_rqst+0x42d/0x950 [cifs]softirqs last disabled at (1116136): [] release_sock+0x21/0xf0

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38509 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: reject VHT opmode for unsupported channel widthsVHT operating mode notifications are not defined for channel widthsbelow 20 MHz. In particular, 5 MHz and 10 MHz are not valid under theVHT specification and must be rejected.Without this check, malformed notifications using these widths mayreach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due toinvalid input. This issue was reported by syzbot.Reject these unsupported widths early in sta_link_apply_parameters()when opmode_notif is used. The accepted set includes 20, 40, 80, 160,and 80+80 MHz, which are valid for VHT. While 320 MHz is not definedfor VHT, it is allowed to avoid rejecting HE or EHT clients that maystill send a VHT opmode notification.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38675 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: state: initialize state_ptrs earlier in xfrm_state_findIn case of preemption, xfrm_state_look_at will find a differentpcpu_id and look up states for that other CPU. If we matched a statefor CPU2 in the state_cache while the lookup started on CPU1, we willjump to "found", but the "best" state that we got will be ignored andwe will enter the "acquire" block. This block uses state_ptrs, whichisn't initialized at this point.Let's initialize state_ptrs just after taking rcu_read_lock. This willalso prevent a possible misuse in the future, if someone adjusts thisfunction.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38688 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommufd: Prevent ALIGN() overflowWhen allocating IOVA the candidate range gets aligned to the targetalignment. If the range is close to ULONG_MAX then the ALIGN() canwrap resulting in a corrupted iova.Open code the ALIGN() using get_add_overflow() to prevent this.This simplifies the checks as we don't need to check for length earliereither.Consolidate the two copies of this code under a single helper.This bug would allow userspace to create a mapping that overlaps with someother mapping or a reserved range.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38717 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: kcm: Fix race condition in kcm_unattach()syzbot found a race condition when kcm_unattach(psock)and kcm_release(kcm) are executed at the same time.kcm_unattach() is missing a check of the flagkcm->tx_stopped before calling queue_work().If the kcm has a reserved psock, kcm_unattach() might get executedbetween cancel_work_sync() and unreserve_psock() in kcm_release(),requeuing kcm->tx_work right before kcm gets freed in kcm_done().Remove kcm->tx_stopped and replace it by the lesserror-prone disable_work_sync().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38723 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:LoongArch: BPF: Fix jump offset calculation in tailcallThe extra pass of bpf_int_jit_compile() skips JIT context initializationwhich essentially skips offset calculation leaving out_offset = -1, sothe jmp_offset in emit_bpf_tail_call is calculated by"#define jmp_offset (out_offset - (cur_offset))"is a negative number, which is wrong. The final generated assembly areas follow.54: bgeu $a2, $t1, -8 # 0x0000004c58: addi.d $a6, $s5, -15c: bltz $a6, -16 # 0x0000004c60: alsl.d $t2, $a2, $a1, 0x364: ld.d $t2, $t2, 26468: beq $t2, $zero, -28 # 0x0000004cBefore apply this patch, the follow test case will reveal soft lock issues.cd tools/testing/selftests/bpf/./test_progs --allow=tailcalls/tailcall_bpf2bpf_1dmesg:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38728 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb3: fix for slab out of bounds on mount to ksmbdWith KASAN enabled, it is possible to get a slab out of boundsduring mount to ksmbd due to missing check in parse_server_interfaces()(see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019 Call Trace: dump_stack_lvl+0x9f/0xf0 print_report+0xd1/0x670 __virt_addr_valid+0x22c/0x430 ? parse_server_interfaces+0x14ee/0x1880 [cifs] ? kasan_complete_mode_report_info+0x2a/0x1f0 ? parse_server_interfaces+0x14ee/0x1880 [cifs] kasan_report+0xd6/0x110 parse_server_interfaces+0x14ee/0x1880 [cifs] __asan_report_load_n_noabort+0x13/0x20 parse_server_interfaces+0x14ee/0x1880 [cifs] ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] ? trace_hardirqs_on+0x51/0x60 SMB3_request_interfaces+0x1ad/0x3f0 [cifs] ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] ? SMB2_tcon+0x23c/0x15d0 [cifs] smb3_qfs_tcon+0x173/0x2b0 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] ? cifs_get_tcon+0x105d/0x2120 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_get_tcon+0x105d/0x2120 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] cifs_mount_get_tcon+0x369/0xb90 [cifs] ? dfs_cache_find+0xe7/0x150 [cifs] dfs_mount_share+0x985/0x2970 [cifs] ? check_path.constprop.0+0x28/0x50 ? save_trace+0x54/0x370 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? __lock_acquire+0xb82/0x2ba0 ? __kasan_check_write+0x18/0x20 cifs_mount+0xbc/0x9e0 [cifs] ? __pfx_cifs_mount+0x10/0x10 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] cifs_smb3_do_mount+0x263/0x1990 [cifs]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39687 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iio: light: as73211: Ensure buffer holes are zeroedGiven that the buffer is copied to a kfifo that ultimately user spacecan read, ensure we zero it.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39689 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ftrace: Also allocate and copy hash for reading of filter filesCurrently the reader of set_ftrace_filter and set_ftrace_notrace just addsthe pointer to the global tracer hash to its iterator. Unlike the writerthat allocates a copy of the hash, the reader keeps the pointer to thefilter hashes. This is problematic because this pointer is static acrossfunction calls that release the locks that can update the global tracerhashes. This can cause UAF and similar bugs.Allocate and copy the hash for reading the filter files like it is donefor the writers. This not only fixes UAF bugs, but also makes the code abit simpler as it doesn't have to differentiate when to free theiterator's hash between writers and readers.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39748 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Forget ranges when refining tnum after JSETSyzbot reported a kernel warning due to a range invariant violation onthe following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto 2: if r0 & Oxffffffff goto The issue is on the path where we fall through both jumps.That path is unreachable at runtime: after insn 1, we know r0 != 0, butwith the sign extension on the jset, we would only fallthrough insn 2if r0 == 0. Unfortunately, is_branch_taken() isn't currently able tofigure this out, so the verifier walks all branches. The verifier thenrefines the register bounds using the second condition and we endup with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)Improving the range refinement for JSET to cover all cases is tricky. Wealso don't expect many users to rely on JSET given LLVM doesn't generatethose instructions. So instead of improving the range refinement forJSETs, Eduard suggested we forget the ranges whenever we're narrowingtnums after a JSET. This patch implements that approach.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39775 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/mremap: fix WARN with uffd that has remap events disabledRegistering userfaultd on a VMA that spans at least one PMD and thenmremap()'ing that VMA can trigger a WARN when recovering from a failedpage table move due to a page table allocation error.The code ends up doing the right thing (recurse, avoiding moving actualpage tables), but triggering that WARN is unpleasant:WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852Modules linked in:CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852Code: ...RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0Call Trace: copy_vma_and_data+0x468/0x790 mm/mremap.c:1215 move_vma+0x548/0x1780 mm/mremap.c:1282 mremap_to+0x1b7/0x450 mm/mremap.c:1406 do_mremap+0xfad/0x1f80 mm/mremap.c:1921 __do_sys_mremap+0x119/0x170 mm/mremap.c:1977 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f00d0b8ebe9Code: ...RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005 The underlying issue is that we recurse during the original page tablemove, but not during the recovery move.Fix it by checking for both VMAs and performing the check before thepmd_none() sanity check.Add a new helper where we perform+document that check for the PMD and PUDlevel.Thanks to Harry for bisecting.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39776 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/debug_vm_pgtable: clear page table entries at destroy_args()The mm/debug_vm_pagetable test allocates manually page table entries forthe tests it runs, using also its manually allocated mm_struct. That initself is ok, but when it exits, at destroy_args() it fails to clear thoseentries with the *_clear functions.The problem is that leaves stale entries. If another process allocates anmm_struct with a pgd at the same address, it may end up running into thestale entry. This is happening in practice on a debug kernel withCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extradebugging I added (it prints a warning trace if pgtables_bytes goesnegative, in addition to the warning at check_mm() function):[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000[ 2.539366] kmem_cache info[ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508[ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e(...)[ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0[ 2.552816] Modules linked in:[ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY[ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries[ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90[ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)[ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a[ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0[ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001[ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff[ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000[ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb[ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0[ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000[ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001[ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760[ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0[ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0[ 2.553199] Call Trace:[ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)[ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0[ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570[ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650[ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290[ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0[ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870[ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150[ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50[ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0[ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec(...)[ 2.558892] ---[ end trace 0000000000000000 ]---[ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1[ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144Here the modprobe process ended up with an allocated mm_struct from themm_struct slab that was used before by the debug_vm_pgtable test. That isnot a problem, since the mm_stru---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39789 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: x86/aegis - Add missing error checksThe skcipher_walk functions can allocate memory and can fail, sochecking for errors is necessary.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39813 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ftrace: Fix potential warning in trace_printk_seq during ftrace_dumpWhen calling ftrace_dump_one() concurrently with reading trace_pipe,a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a racecondition.The issue occurs because:CPU0 (ftrace_dump) CPU1 (reader)echo z > /proc/sysrq-trigger!trace_empty(&iter)trace_iterator_reset(&iter) <- len = size = 0 cat /sys/kernel/tracing/trace_pipetrace_find_next_entry_inc(&iter) __find_next_entry ring_buffer_empty_cpu <- all empty return NULLtrace_printk_seq(&iter.seq) WARN_ON_ONCE(s->seq.len >= s->seq.size)In the context between trace_empty() and trace_find_next_entry_inc()during ftrace_dump, the ring buffer data was consumed by other readers.This caused trace_find_next_entry_inc to return NULL, failing to populate`iter.seq`. At this point, due to the prior trace_iterator_reset, both`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,the WARN_ON_ONCE condition is triggered.Move the trace_printk_seq() into the if block that checks to make sure thereturn value of trace_find_next_entry_inc() is non-NULL inftrace_dump_one(), ensuring the 'iter.seq' is properly populated beforesubsequent operations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39817 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:efivarfs: Fix slab-out-of-bounds in efivarfs_d_compareObserved on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can becomenegative, leadings to oob. The issue can be triggered by parallellookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oobFix it by checking 'guid' before cmp.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39829 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:trace/fgraph: Fix the warning caused by missing unregister notifierThis warning was triggered during testing on v6.16:notifier callback ftrace_suspend_notifier_call already registeredWARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0...Call Trace: blocking_notifier_chain_register+0x34/0x60 register_ftrace_graph+0x330/0x410 ftrace_profile_write+0x1e9/0x340 vfs_write+0xf8/0x420 ? filp_flush+0x8a/0xa0 ? filp_close+0x1f/0x30 ? do_dup2+0xaf/0x160 ksys_write+0x65/0xe0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7fWhen writing to the function_profile_enabled interface, the notifier wasnot unregistered after start_graph_tracing failed, causing a warning thenext time function_profile_enabled was written.Fixed by adding unregister_pm_notifier in the exception path.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39880 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: fix invalid accesses to ceph_connection_v1_infoThere is a place where generic code in messenger.c is reading andanother place where it is writing to con->v1 union member withoutchecking that the union member is active (i.e. msgr1 is in use).On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter,so such a read is almost guaranteed to return a bogus value instead of0 when msgr2 is in use. This ends up being fairly benign because theside effect is just the invalidation of the authorizer and successivefetching of new tickets.con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact thatit's being written to can cause more serious consequences, but luckilyit's not something that happens often.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39913 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.syzbot reported the splat below. [0]The repro does the following: 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes) 2. Attach the prog to a SOCKMAP 3. Add a socket to the SOCKMAP 4. Activate fault injection 5. Send data less than cork_bytesAt 5., the data is carried over to the next sendmsg() as it issmaller than the cork_bytes specified by bpf_msg_cork_bytes().Then, tcp_bpf_send_verdict() tries to allocate psock->cork to holdthe data, but this fails silently due to fault injection + __GFP_NOWARN.If the allocation fails, we need to revert the sk->sk_forward_allocchange done by sk_msg_alloc().Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocatepsock->cork.The "*copied" also needs to be updated such that a proper error canbe returned to the caller, sendmsg. It fails to allocate psock->cork.Nothing has been corked so far, so this patch simply sets "*copied"to 0.[0]:WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983Modules linked in:CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fcRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0Call Trace: __sk_destruct+0x86/0x660 net/core/sock.c:2339 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40024 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vhost: Take a reference on the task in struct vhost_task.vhost_task_create() creates a task and keeps a reference to itstask_struct. That task may exit early via a signal and its task_structwill be released.A pending vhost_task_wake() will then attempt to wake the task andaccess a task_struct which is no longer there.Acquire a reference on the task_struct while creating the thread andrelease the reference while the struct vhost_task itself is removed.If the task exits early due to a signal, then the vhost_task_wake() willstill access a valid task_struct. The wake is safe and will be skippedin this case.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40033 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULLcheck, which could lead to a null pointer dereference. Move the pruassignment, ensuring we never dereference a NULL rproc pointer.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40042 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Fix race condition in kprobe initialization causing NULL pointer dereferenceThere is a critical race condition in kprobe initialization that can lead toNULL pointer dereference and kernel crash.[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000...[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)[1135630.269239] pc : kprobe_perf_func+0x30/0x260[1135630.277643] lr : kprobe_dispatcher+0x44/0x60[1135630.286041] sp : ffffaeff4977fa40[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400[1135630.302837] x27: 0000000000000000 x26: 0000000000000000[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000[1135630.349985] x17: 0000000000000000 x16: 0000000000000000[1135630.359285] x15: 0000000000000000 x14: 0000000000000000[1135630.368445] x13: 0000000000000000 x12: 0000000000000000[1135630.377473] x11: 0000000000000000 x10: 0000000000000000[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000[1135630.429410] Call trace:[1135630.434828] kprobe_perf_func+0x30/0x260[1135630.441661] kprobe_dispatcher+0x44/0x60[1135630.448396] aggr_pre_handler+0x70/0xc8[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0[1135630.462435] brk_handler+0xbc/0xd8[1135630.468437] do_debug_exception+0x84/0x138[1135630.475074] el1_dbg+0x18/0x8c[1135630.480582] security_file_permission+0x0/0xd0[1135630.487426] vfs_write+0x70/0x1c0[1135630.493059] ksys_write+0x5c/0xc8[1135630.498638] __arm64_sys_write+0x24/0x30[1135630.504821] el0_svc_common+0x78/0x130[1135630.510838] el0_svc_handler+0x38/0x78[1135630.516834] el0_svc+0x8/0x1b0kernel/trace/trace_kprobe.c: 13080xffff3df8995039ec : ldr x21, [x24,#120]include/linux/compiler.h: 2940xffff3df8995039f0 : ldr x1, [x21,x0]kernel/trace/trace_kprobe.c1308: head = this_cpu_ptr(call->perf_events);1309: if (hlist_empty(head))1310: return 0;crash> struct trace_event_call -ostruct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ...}crash> struct trace_event_call ffffaf015340e528struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ...}Race Condition Analysis:The race occurs between kprobe activation and perf_events initialization: CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)<- KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL)Problem:1. CPU0 executes (1) assigning tp_event->perf_events = list2. CPU0 executes (2) enabling kprobe functionality via class->reg()3. CPU1 triggers and reaches kprobe_dispatcher4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULLCPU1 sees that kprobe functionality is enabled but does not see thatperf_events has been assigned.Add pairing read an---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40053 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: dlink: handle copy_thresh allocation failureThe driver did not handle failure of `netdev_alloc_skb_ip_align()`.If the allocation failed, dereferencing `skb->protocol` could lead toa NULL pointer dereference.This patch tries to allocate `skb`. If the allocation fails, it fallsback to the normal path.Tested-on: D-Link DGE-550T Rev-A3

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40081 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:perf: arm_spe: Prevent overflow in PERF_IDX2OFF()Cast nr_pages to unsigned long to avoid overflow when handling largeAUX buffer sizes (>= 2 GiB).

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40097 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: hda: Fix missing pointer check in hda_component_manager_init functionThe __component_match_add function may assign the 'matchptr' pointerthe value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.The call stack leading to the error looks like this:hda_component_manager_init|-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign|-> component_master_add_with_match( ... match) |-> component_match_realloc(match, match->num); // dereferenceAdd IS_ERR() check to prevent the crash.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40106 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:comedi: fix divide-by-zero in comedi_buf_munge()The comedi_buf_munge() function performs a modulo operation`async->munge_chan %= async->cmd.chanlist_len` without firstchecking if chanlist_len is zero. If a user program submits a command withchanlist_len set to zero, this causes a divide-by-zero error when the deviceprocesses data in the interrupt handler path.Add a check for zero chanlist_len at the beginning of thefunction, similar to the existing checks for !map andCMDF_RAWDATA flag. When chanlist_len is zero, updatemunge_count and return early, indicating the data washandled without munging.This prevents potential kernel panics from malformed user commands.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40123 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Enforce expected_attach_type for tailcall compatibilityYinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object.The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as theentry point for bpf_prog_test_run_xdp() and its expected_attach_type canneither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slotof a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAPto pass xdp_is_valid_access() validation. The program returns struct xdp_md'segress_ifindex, and the latter is only allowed to be accessed under mentionedexpected_attach_type. progB is then inserted into the tailcall which progAcalls.The underlying issue goes beyond XDP though. Another example are programsof type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as wellas sock_addr_func_proto() have different logic depending on the programs'expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAMEshould not be allowed doing a tailcall into a program which calls bpf_bind()out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.In short, specifying expected_attach_type allows to open up additionalfunctionality or restrictions beyond what the basic bpf_prog_type enables.The use of tailcalls must not violate these constraints. Fix it by enforcingexpected_attach_type in __bpf_prog_map_compatible().Note that we only enforce this for tailcall maps, but not for BPF devmaps orcpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() andcpu_map_bpf_prog_run*() which set up a new environment / context and thereforethese situations are not prone to this issue.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40155 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: debugfs: Fix legacy mode page table dump logicIn legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTRmaybe uninitialized or zero in that case and may cause oops like: Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 RIP: 0010:pgtable_walk_level+0x98/0x150 RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206 RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000 RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000 R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98 FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: pgtable_walk_level+0x88/0x150 domain_translation_struct_show.isra.0+0x2d9/0x300 dev_domain_translation_struct_show+0x20/0x40 seq_read_iter+0x12d/0x490...Avoid walking the page table if TT is not 00b or 01b.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40167 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: detect invalid INLINE_DATA + EXTENTS flag combinationsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verityfile on a corrupted ext4 filesystem mounted without a journal.The issue is that the filesystem has an inode with both the INLINE_DATAand EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1This is an invalid combination since an inode should have either:- INLINE_DATA: data stored directly in the inode- EXTENTS: data stored in extent-mapped blocksHaving both flags causes ext4_has_inline_data() to return true, skippingextent tree validation in __ext4_iget(). The unvalidated out-of-orderextents then trigger a BUG_ON in ext4_es_cache_extent() due to integerunderflow when calculating hole sizes.Fix this by detecting this invalid flag combination early in ext4_iget()and rejecting the corrupted inode.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40192 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Revert "ipmi: fix msg stack when IPMI is disconnected"This reverts commit c608966f3f9c2dca596967501d00753282b395fc.This patch has a subtle bug that can cause the IPMI driver to go into aninfinite loop if the BMC misbehaves in a certain way. Apparentlycertain BMCs do misbehave this way because several reports have come inrecently about this.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40201 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() pathsThe usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit()path is very broken.sys_prlimit64() does get_task_struct(tsk) but this only protects task_structitself. If tsk != current and tsk is not a leader, this process can exit/execand task_lock(tsk->group_leader) may use the already freed task_struct.Another problem is that sys_prlimit64() can race with mt-exec which changes->group_leader. In this case do_prlimit() may take the wrong lock, or (worse)->group_leader may change between task_lock() and task_unlock().Change sys_prlimit64() to take tasklist_lock when necessary. This is notnice, but I don't see a better fix for -stable.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40202 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipmi: Rework user message limit handlingThe limit on the number of user messages had a number of issues,improper counting in some cases and a use after free.Restructure how this is all done to handle more in the receive messageallocation routine, so all refcouting and user message limit countsare done in that routine. It's a lot cleaner and safer.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40233 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: clear extent cache after moving/defragmenting extentsThe extent map cache can become stale when extents are moved ordefragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().The problem occurs when:1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED2. ioctl(FITRIM) triggers ocfs2_move_extents()3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)5. The extent map cache is not invalidated after the move6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggersFix by clearing the extent map cache after each extent move/defragoperation in __ocfs2_move_extents_range(). This ensures subsequentoperations read fresh extent data from disk.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40238 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Fix IPsec cleanup over MPV deviceWhen we do mlx5e_detach_netdev() we eventually disable blocking eventsnotifier, among those events are IPsec MPV events from IB to core.So before disabling those blocking events, make sure to also unregisterthe devcom device and mark all this device operations as complete,in order to prevent the other device from using invalid netdevduring future devcom events which could cause the trace below.BUG: kernel NULL pointer dereference, address: 0000000000000010PGD 146427067 P4D 146427067 PUD 146488067 PMD 0Oops: Oops: 0000 [#1] SMPCPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1Tainted: [W]=WARNHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core] mlx5_devcom_send_event+0x8c/0x170 [mlx5_core] blocking_event+0x17b/0x230 [mlx5_core] notifier_call_chain+0x35/0xa0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core] mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib] mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib] ? idr_alloc_cyclic+0x50/0xb0 ? __kmalloc_cache_noprof+0x167/0x340 ? __kmalloc_noprof+0x1a7/0x430 __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe9/0x310 [mlx5_ib] ? kernfs_add_one+0x107/0x150 ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] auxiliary_bus_probe+0x3e/0x90 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x62d/0x830 __auxiliary_device_add+0x3b/0xa0 ? auxiliary_device_init+0x41/0x90 add_adev+0xd1/0x150 [mlx5_core] mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core] esw_mode_change+0x6c/0xc0 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x180/0x2b0 ? devlink_get_from_attrs_lock+0x170/0x170 ? devlink_nl_eswitch_get_doit+0x290/0x290 ? devlink_nl_pre_doit_port_optional+0x50/0x50 ? genl_family_rcv_msg_dumpit+0xf0/0xf0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1fc/0x2d0 netlink_sendmsg+0x1e4/0x410 __sock_sendmsg+0x38/0x60 ? sockfd_lookup_light+0x12/0x60 __sys_sendto+0x105/0x160 ? __sys_recvmsg+0x4e/0x90 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53RIP: 0033:0x7f27bc91b13aCode: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40240 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: avoid NULL dereference when chunk data buffer is missingchunk->skb pointer is dereferenced in the if-block where it's supposedto be NULL only.chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_listinstead and do it just before replacing chunk->skb. We're sure thatotherwise chunk->skb is non-NULL because of outer if() condition.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40248 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vsock: Ignore signal/timeout on connect() if already establishedDuring connect(), acting on a signal/timeout by disconnecting an alreadyestablished socket leads to several issues:1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs.3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref.Do not disconnect socket on signal/timeout. Keep the logic for unconnectedsockets: they don't linger, can't be placed in a sockmap, are rejected bysendmsg().[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40250 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Clean up only new IRQ glue on request_irq() failureThe mlx5_irq_alloc() function can inadvertently free the entire rmapand end up in a crash[1] when the other threads tries to access this,when request_irq() fails due to exhausted IRQ vectors. This commitmodifies the cleanup to remove only the specific IRQ mapping that wasjust added.This prevents removal of other valid mappings and ensures precisecleanup of the failed IRQ allocation's associated glue object.Note: This error is observed when both fwctl and rds configs are enabled.[1]mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed torequest irq. err = -28infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 whiletrying to test write-combining supportmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed torequest irq. err = -28infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 whiletrying to test write-combining supportmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed torequest irq. err = -28mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed torequest irq. err = -28general protection fault, probably for non-canonical address0xe277a58fde16f291: 0000 [#1] SMP NOPTIRIP: 0010:free_irq_cpu_rmap+0x23/0x7dCall Trace: ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] ? __die_body.cold+0x8/0xa ? die_addr+0x39/0x53 ? exc_general_protection+0x1c4/0x3e9 ? dev_vprintk_emit+0x5f/0x90 ? asm_exc_general_protection+0x22/0x27 ? free_irq_cpu_rmap+0x23/0x7d mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] irq_pool_request_vector+0x7d/0x90 [mlx5_core] mlx5_irq_request+0x2e/0xe0 [mlx5_core] mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] comp_irq_request_pci+0x64/0xf0 [mlx5_core] create_comp_eq+0x71/0x385 [mlx5_core] ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] ? xas_load+0x8/0x91 mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] mlx5e_open_channels+0xad/0x250 [mlx5_core] mlx5e_open_locked+0x3e/0x110 [mlx5_core] mlx5e_open+0x23/0x70 [mlx5_core] __dev_open+0xf1/0x1a5 __dev_change_flags+0x1e1/0x249 dev_change_flags+0x21/0x5c do_setlink+0x28b/0xcc4 ? __nla_parse+0x22/0x3d ? inet6_validate_link_af+0x6b/0x108 ? cpumask_next+0x1f/0x35 ? __snmp6_fill_stats64.constprop.0+0x66/0x107 ? __nla_validate_parse+0x48/0x1e6 __rtnl_newlink+0x5ff/0xa57 ? kmem_cache_alloc_trace+0x164/0x2ce rtnl_newlink+0x44/0x6e rtnetlink_rcv_msg+0x2bb/0x362 ? __netlink_sendskb+0x4c/0x6c ? netlink_unicast+0x28f/0x2ce ? rtnl_calcit.isra.0+0x150/0x146 netlink_rcv_skb+0x5f/0x112 netlink_unicast+0x213/0x2ce netlink_sendmsg+0x24f/0x4d9 __sock_sendmsg+0x65/0x6a ____sys_sendmsg+0x28f/0x2c9 ? import_iovec+0x17/0x2b ___sys_sendmsg+0x97/0xe0 __sys_sendmsg+0x81/0xd8 do_syscall_64+0x35/0x87 entry_SYSCALL_64_after_hwframe+0x6e/0x0RIP: 0033:0x7fc328603727Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b edff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002eRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000dRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000R13: 00000000000---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40251 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:devlink: rate: Unset parent pointer in devl_rate_nodes_destroyThe function devl_rate_nodes_destroy is documented to "Unset parent forall rate objects". However, it was only calling the driver-specific`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementingthe parent's refcount, without actually setting the`devlink_rate->parent` pointer to NULL.This leaves a dangling pointer in the `devlink_rate` struct, which causerefcount error in netdevsim[1] and mlx5[2]. In addition, this isinconsistent with the behavior of `devlink_nl_rate_parent_node_set`,where the parent pointer is correctly cleared.This patch fixes the issue by explicitly setting `devlink_rate->parent`to NULL after notifying the driver, thus fulfilling the function'sdocumented behavior for all rate objects.[1]repro steps:echo 1 > /sys/bus/netdevsim/new_devicedevlink dev eswitch set netdevsim/netdevsim1 mode switchdevecho 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfsdevlink port function rate add netdevsim/netdevsim1/test_nodedevlink port function rate set netdevsim/netdevsim1/128 parent test_nodeecho 1 > /sys/bus/netdevsim/del_devicedmesg:refcount_t: decrement hit 0; leaking memory.WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONEHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014RIP: 0010:refcount_warn_saturate+0x42/0xe0Call Trace: devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53[2]devlink dev eswitch set pci/0000:08:00.0 mode switchdevdevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000devlink port function rate add pci/0000:08:00.0/group1devlink port function rate set pci/0000:08:00.0/32768 parent group1modprobe -r mlx5_ib mlx5_fwctl mlx5_coredmesg:refcount_t: decrement hit 0; leaking memory.WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONEHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014RIP: 0010:refcount_warn_saturate+0x42/0xe0Call Trace: devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40252 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterateover 'cqe->len_list[]' using only a zero-length terminator asthe stopping condition. If the terminator was missing ormalformed, the loop could run past the end of the fixed-size array.Add an explicit bound check using ARRAY_SIZE() in both loops to preventa potential out-of-bounds access.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40253 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390/ctcm: Fix double-kfreeThe function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionallyfrom function 'ctcmpc_unpack_skb'. It frees passed mpcginfo.After that a call to function 'kfree' in function 'ctcmpc_unpack_skb'frees it again.Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'.Bug detected by the clang static analyzer.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40254 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: openvswitch: remove never-working support for setting nsh fieldsThe validation of the set(nsh(...)) action is completely wrong.It runs through the nsh_key_put_from_nlattr() function that is thesame function that validates NSH keys for the flow match and thepush_nsh() action. However, the set(nsh(...)) has a very differentmemory layout. Nested attributes in there are doubled in size incase of the masked set(). That makes proper validation impossible.There is also confusion in the code between the 'masked' flag, thatsays that the nested attributes are doubled in size containing boththe value and the mask, and the 'is_mask' that says that the valuewe're parsing is the mask. This is causing kernel crash on trying towrite into mask part of the match with SW_FLOW_KEY_PUT() duringvalidation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7eThe third issue with this process is that while trying to convertthe non-masked set into masked one, validate_set() copies and doublesthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nestedattributes. It should be copying each nested attribute and doublingthem in size independently. And the process must be properly reversedduring the conversion back from masked to a non-masked variant duringthe flow dump.In the end, the only two outcomes of trying to use this action areeither validation failure or a kernel crash. And if somehow someonemanages to install a flow with such an action, it will most definitelynot do what it is supposed to, since all the keys and the masks aremixed up.Fixing all the issues is a complex task as it requires re-writingmost of the validation code.Given that and the fact that this functionality never worked sinceintroduction, let's just remove it altogether. It's better tore-introduce it later with a proper implementation instead of tryingto fix it in stable releases.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40259 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: sg: Do not sleep in atomic contextsg_finish_rem_req() calls blk_rq_unmap_user(). The latter function maysleep. Hence, call sg_finish_rem_req() with interrupts enabled insteadof disabled.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40261 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()nvme_fc_delete_assocation() waits for pending I/O to complete beforereturning, and an error can cause ->ioerr_work to be queued aftercancel_work_sync() had been called. Move the call to cancel_work_sync() tobe after nvme_fc_delete_association() to ensure ->ioerr_work is not runningwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL[ 1135.917705] ------------[ cut here ]------------[ 1135.922336] kernel BUG at lib/list_debug.c:52![ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025[ 1135.950969] Workqueue: 0x0 (nvme-wq)[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400[ 1136.055910] PKRU: 55555554[ 1136.058623] Call Trace:[ 1136.061074] [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0[ 1136.071898] ? move_linked_works+0x4a/0xa0[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f[ 1136.081744] ? __die_body.cold+0x8/0x12[ 1136.085584] ? die+0x2e/0x50[ 1136.088469] ? do_trap+0xca/0x110[ 1136.091789] ? do_error_trap+0x65/0x80[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f[ 1136.101289] ? exc_invalid_op+0x50/0x70[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f[ 1136.120806] move_linked_works+0x4a/0xa0[ 1136.124733] worker_thread+0x216/0x3a0[ 1136.128485] ? __pfx_worker_thread+0x10/0x10[ 1136.132758] kthread+0xfa/0x240[ 1136.135904] ? __pfx_kthread+0x10/0x10[ 1136.139657] ret_from_fork+0x31/0x50[ 1136.143236] ? __pfx_kthread+0x10/0x10[ 1136.146988] ret_from_fork_asm+0x1a/0x30[ 1136.150915]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40264 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:be2net: pass wrb_params in case of OS2BMCbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULLat be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULLpointer when processing a workaround for specific packet, as commitbc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6packet") states.The correct way would be to pass the wrb_params from be_xmit().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40274 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dyingWhen unbinding a memslot from a guest_memfd instance, remove the bindingseven if the guest_memfd file is dying, i.e. even if its file refcount hasgone to zero. If the memslot is freed before the file is fully released,nullifying the memslot side of the binding in kvm_gmem_release() willwrite to freed memory, as detected by syzbot+KASAN: ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022 CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeeff8efc9 Allocated by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2533 [inline] slab_free mm/slub.c:6622 [inline] kfree+0x19a/0x6d0 mm/slub.c:6829 kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fDeliberately don't acquire filemap invalid lock when the file is dying asthe lifecycle of f_mapping is outside the purview of KVM. Dereferencingthe mapping is *probably* fine, but there's no need to invalidate anythingas memslot deletion is responsible for zapping SPTEs, and the only codethat can access the dying file is kvm_gmem_release(), whose core code ismutual---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40278 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleakFix a KMSAN kernel-infoleak detected by the syzbot .[net?] KMSAN: kernel-infoleak in __skb_datagram_iterIn tcf_ife_dump(), the variable 'opt' was partially initialized using adesignatied initializer. While the padding bytes are reamineduninitialized. nla_put() copies the entire structure into anetlink message, these uninitialized bytes leaked to userspace.Initialize the structure with memset before assigning its fieldsto ensure all members and padding are cleared prior to beign copied.This change silences the KMSAN report and prevents potential informationleaks from the kernel memory.This fix has been tested and validated by syzbot. This patch closes thebug reported at the following syzkaller link and ensures no infoleak.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40287 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:exfat: fix improper check of dentry.stream.valid_sizeWe found an infinite loop bug in the exFAT file system that can lead to aDenial-of-Service (DoS) condition. When a dentry in an exFAT filesystem ismalformed, the following system calls - SYS_openat, SYS_ftruncate, andSYS_pwrite64 - can cause the kernel to hang.Root cause analysis shows that the size validation code in exfat_find()does not check whether dentry.stream.valid_size is negative. As a result,the system calls mentioned above can succeed and eventually trigger the DoSissue.This patch adds a check for negative dentry.stream.valid_size to preventthis vulnerability.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40289 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAMOtherwise accessing them can cause a crash.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40307 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:exfat: validate cluster allocation bits of the allocation bitmapsyzbot created an exfat image with cluster bits not set for the allocationbitmap. exfat-fs reads and uses the allocation bitmap without checkingthis. The problem is that if the start cluster of the allocation bitmapis 6, cluster 6 can be allocated when creating a directory with mkdir.exfat zeros out this cluster in exfat_mkdir, which can delete existingentries. This can reallocate the allocated entries. In addition,the allocation bitmap is also zeroed out, so cluster 6 can be reallocated.This patch adds exfat_test_bitmap_range to validate that clusters used forthe allocation bitmap are correctly marked as in-use.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40319 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Sync pending IRQ work before freeing ring bufferFix a race where irq_work can be queued in bpf_ringbuf_commit()but the ring buffer is freed before the work executes.In the syzbot reproducer, a BPF program attached to sched_switchtriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring bufferis freed before this work executes, the irq_work thread may accessesfreed memory.Calling `irq_work_sync(&rb->work)` ensures that all pending irq_workcomplete before freeing the buffer.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40328 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix potential UAF in smb2_close_cached_fid()find_or_create_cached_dir() could grab a new reference after kref_put()had seen the refcount drop to zero but before cfid_list_lock is acquiredin smb2_close_cached_fid(), leading to use-after-free.Switch to kref_put_lock() so cfid_release() is called withcfid_list_lock held, closing that gap.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40331 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: Prevent TOCTOU out-of-bounds writeFor the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()make sure not to exceed bounds in case the address list has grownbetween buffer allocation (time-of-check) and write (time-of-use).

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40337 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: stmmac: Correctly handle Rx checksum offload errorsThe stmmac_rx function would previously set skb->ip_summed toCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabledand the packet was of a known IP ethertype.However, this logic failed to check if the hardware had actuallyreported a checksum error. The hardware status, indicating a header orpayload checksum failure, was being ignored at this stage. This couldcause corrupt packets to be passed up the network stack as valid.This patch corrects the logic by checking the `csum_none` status flag,which is set when the hardware reports a checksum error. If this flagis set, skb->ip_summed is now correctly set to CHECKSUM_NONE,ensuring the kernel's network stack will perform its own validation andproperly handle the corrupt packet.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40341 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:futex: Don't leak robust_list pointer on exec racesys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()to check if the calling task is allowed to access another task'srobust_list pointer. This check is racy against a concurrent exec() in thetarget process.During exec(), a task may transition from a non-privileged binary to aprivileged one (e.g., setuid binary) and its credentials/memory mappingsmay change. If get_robust_list() performs ptrace_may_access() beforethis transition, it may erroneously allow access to sensitive informationafter the target becomes privileged.A racy access allows an attacker to exploit a window during whichptrace_may_access() passes before a target process transitions to aprivileged state via exec().For example, consider a non-privileged task T that is about to execute asetuid-root binary. An attacker task A calls get_robust_list(T) while Tis still unprivileged. Since ptrace_may_access() checks permissionsbased on current credentials, it succeeds. However, if T begins execimmediately afterwards, it becomes privileged and may change its memorymappings. Because get_robust_list() proceeds to access T->robust_listwithout synchronizing with exec() it may read user-space pointers from anow-privileged process.This violates the intended post-exec access restrictions and couldexpose sensitive memory addresses or be used as a primitive in a largerexploit chain. Consequently, the race can lead to unauthorizeddisclosure of information across privilege boundaries and poses apotential security risk.Take a read lock on signal->exec_update_lock prior to invokingptrace_may_access() and accessing the robust_list/compat_robust_list.This ensures that the target task's exec state remains stable during thecheck, allowing for consistent and synchronized validation ofcredentials.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40346 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()which causes the code to proceed with NULL clock pointers. The currentlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for bothvalid pointers and NULL, leading to potential NULL pointer dereferencein clk_get_rate().Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:"The error code within @ptr if it is an error pointer; 0 otherwise."This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULLpointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to becalled when of_clk_get() returns NULL.Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for validpointers, preventing potential NULL pointer dereference in clk_get_rate().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40347 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: enetc: fix the deadlock of enetc_mdio_lockAfter applying the workaround for err050089, the LS1028A platformexperiences RCU stalls on RT kernel. This issue is caused by therecursive acquisition of the read lock enetc_mdio_lock. Here list someof the call stacks identified under the enetc_poll path that may lead toa deadlock:enetc_poll -> enetc_lock_mdio -> enetc_clean_rx_ring OR napi_complete_done -> napi_gro_receive -> enetc_start_xmit -> enetc_lock_mdio -> enetc_map_tx_buffs -> enetc_unlock_mdio -> enetc_unlock_mdioAfter enetc_poll acquires the read lock, a higher-priority writer attemptsto acquire the lock, causing preemption. The writer detects that aread lock is already held and is scheduled out. However, readers underenetc_poll cannot acquire the read lock again because a writer is alreadywaiting, leading to a thread hang.Currently, the deadlock is avoided by adjusting enetc_lock_mdio to preventrecursive lock acquisition.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40350 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQXDP programs can change the layout of an xdp_buff throughbpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the drivercannot assume the size of the linear data area nor fragments. Fix thebug in mlx5 by generating skb according to xdp_buff after XDP programsrun.Currently, when handling multi-buf XDP, the mlx5 driver assumes thelayout of an xdp_buff to be unchanged. That is, the linear data areacontinues to be empty and fragments remain the same. This may causethe driver to generate erroneous skb or triggering a kernelwarning. When an XDP program added linear data throughbpf_xdp_adjust_head(), the linear data will be ignored asmlx5e_build_linear_skb() builds an skb without linear data and thenpull data from fragments to fill the linear data area. When an XDPprogram has shrunk the non-linear data through bpf_xdp_adjust_tail(),the delta passed to __pskb_pull_tail() may exceed the actual nonlineardata size and trigger the BUG_ON in it.To fix the issue, first record the original number of fragments. If thenumber of fragments changes after the XDP program runs, rewind the endfragment pointer by the difference and recalculate the truesize. Then,build the skb with the linear data area matching the xdp_buff. Finally,only pull data in if there is non-linear data and fill the linear partup to 256 bytes.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40355 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sysfs: check visibility before changing group attribute ownershipSince commit 0c17270f9b92 ("net: sysfs: Implement is_visible forphys_(port_id, port_name, switch_id)"), __dev_change_net_namespace() canhit WARN_ON() when trying to change owner of a file that isn't visible.See the trace below: WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30 CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025 RIP: 0010:__dev_change_net_namespace+0xb89/0xc30 [...] Call Trace: ? if6_seq_show+0x30/0x50 do_setlink.isra.0+0xc7/0x1270 ? __nla_validate_parse+0x5c/0xcc0 ? security_capable+0x94/0x1a0 rtnl_newlink+0x858/0xc20 ? update_curr+0x8e/0x1c0 ? update_entity_lag+0x71/0x80 ? sched_balance_newidle+0x358/0x450 ? psi_task_switch+0x113/0x2a0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x346/0x3e0 ? sched_clock+0x10/0x30 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? __sys_bind+0xe3/0x110 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? sock_alloc_file+0x63/0xc0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? alloc_fd+0x12e/0x190 ? put_unused_fd+0x2a/0x70 ? do_sys_openat2+0xa2/0xe0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Fix this by checking is_visible() before trying to touch the attribute.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40360 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/sysfb: Do not dereference NULL pointer in plane resetThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do notderef that pointer, but forward NULL to the other plane-reset helpers.Clears plane->state to NULL.v2:- fix typo in commit description (Javier)

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68171 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/fpu: Ensure XFD state on signal deliverySean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53Chao further identified [2] a reproducible scenario involving signaldelivery: a non-AMX task is preempted by an AMX-enabled task whichmodifies the XFD MSR.When the non-AMX task resumes and reloads XSTATE with init values,a warning is triggered due to a mismatch between fpstate::xfd and theCPU's current XFD state. fpu__clear_user_states() does not currentlyre-synchronize the XFD state after such preemption.Invoke xfd_update_state() which detects and corrects the mismatch ifthere is a dynamic feature.This also benefits the sigreturn path, as fpu__restore_sig() may callfpu__clear_user_states() when the sigframe is inaccessible.[ dhansen: minor changelog munging ]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68173 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ftrace: Fix softlockup in ftrace_module_enableA soft lockup was observed when loading amdgpu module.If a module has a lot of tracable functions, multiple callsto kallsyms_lookup can spend too much time in RCU criticalsection and with disabled preemption, causing kernel panic.This is the same issue that was fixed incommit d0b24b4e91fc ("ftrace: Prevent RCU stall on PREEMPT_VOLUNTARYkernels") and commit 42ea22e754ba ("ftrace: Add cond_resched() toftrace_graph_set_hash()").Fix it the same way by adding cond_resched() in ftrace_module_enable.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68174 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:amd/amdkfd: enhance kfd process check in switch partitioncurrent switch partition only check if kfd_processes_table is empty.kfd_prcesses_table entry is deleted in kfd_process_notifier_release, butkfd_process tear down is in kfd_process_wq_release.consider two processes:Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node memberProcess B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw-> kfd_node tear down.Process A and B may trigger a race as shown in dmesg log.This patch is to resolve the race by adding an atomic kfd_process counterkfd_processes_count, it increment as create kfd process, decrement asfinish kfd_process_wq_release.v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pddsand bug fix. (Philip Yang)[3966658.307702] divide error: 0000 [#1] SMP NOPTI[3966658.350818] i10nm_edac[3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted[3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu][3966658.362839] nfit[3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu][3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00[3966658.380967] x86_pkg_temp_thermal[3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246[3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000[3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00[3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4[3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000[3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800[3966658.391533] FS: 0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000[3966658.391534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0[3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400[3966658.391536] PKRU: 55555554[3966658.391536] Call Trace:[3966658.391674] deallocate_sdma_queue+0x38/0xa0 [amdgpu][3966658.391762] process_termination_cpsch+0x1ed/0x480 [amdgpu][3966658.399754] intel_powerclamp[3966658.402831] kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu][3966658.402908] kfd_process_wq_release+0x1a/0x1a0 [amdgpu][3966658.410516] coretemp[3966658.434016] process_one_work+0x1ad/0x380[3966658.434021] worker_thread+0x49/0x310[3966658.438963] kvm_intel[3966658.446041] ? process_one_work+0x380/0x380[3966658.446045] kthread+0x118/0x140[3966658.446047] ? __kthread_bind_mask+0x60/0x60[3966658.446050] ret_from_fork+0x1f/0x30[3966658.446053] Modules linked in: kpatch_20765354(OEK)[3966658.455310] kvm[3966658.464534] mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK)[3966658.473462] idxd_mdev[3966658.482306] kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68175 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: nxp: imx8-isi: Fix streaming cleanup on releaseThe current implementation unconditionally callsmxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This canlead to situations where any release call (like from a simple"v4l2-ctl -l") may release a currently streaming queue when called onsuch a device.This is reproducible on an i.MX8MP board by streaming from an ISIcapture device using gstreamer: gst-launch-1.0 -v v4l2src device=/dev/videoX ! \ video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \ fakesinkWhile this stream is running, querying the caps of the same deviceprovokes the error state: v4l2-ctl -l -d /dev/videoXThis results in the following trace:[ 155.452152] ------------[ cut here ]------------[ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi][ 157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6[ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT[ 157.064369] Hardware name: imx8mp_board_01 (DT)[ 157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi][ 157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi][ 157.087126] sp : ffff800080003ee0[ 157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000[ 157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50[ 157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000[ 157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000[ 157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000[ 157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000[ 157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38[ 157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000[ 157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000[ 157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200[ 157.161850] Call trace:[ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P)[ 157.170319] __handle_irq_event_percpu+0x58/0x218[ 157.175029] handle_irq_event+0x54/0xb8[ 157.178867] handle_fasteoi_irq+0xac/0x248[ 157.182968] handle_irq_desc+0x48/0x68[ 157.186723] generic_handle_domain_irq+0x24/0x38[ 157.191346] gic_handle_irq+0x54/0x120[ 157.195098] call_on_irq_stack+0x24/0x30[ 157.199027] do_interrupt_handler+0x88/0x98[ 157.203212] el0_interrupt+0x44/0xc0[ 157.206792] __el0_irq_handler_common+0x18/0x28[ 157.211328] el0t_64_irq_handler+0x10/0x20[ 157.215429] el0t_64_irq+0x198/0x1a0[ 157.219009] ---[ end trace 0000000000000000 ]---Address this issue by moving the streaming preparation and cleanup tothe vb2 .prepare_streaming() and .unprepare_streaming() operations. Thisalso simplifies the driver by allowing direct usage of thevb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal ofthe manual cleanup from mxc_isi_video_release().

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68178 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:blk-cgroup: fix possible deadlock while configuring policyFollowing deadlock can be triggered easily by lockdep:WARNING: possible circular locking dependency detected6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted------------------------------------------------------check/1334 is trying to acquire lock:ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180but task is already holding lock:ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110which lock already depends on the new lock.the existing dependency chain (in reverse order) is:-> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}: blk_queue_enter+0x40b/0x470 blkg_conf_prep+0x7b/0x3c0 tg_set_limit+0x10a/0x3e0 cgroup_file_write+0xc6/0x420 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e-> #1 (&q->rq_qos_mutex){+.+.}-{4:4}: __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 wbt_init+0x17e/0x280 wbt_enable_default+0xe9/0x140 blk_register_queue+0x1da/0x2e0 __add_disk+0x38c/0x5d0 add_disk_fwnode+0x89/0x250 device_add_disk+0x18/0x30 virtblk_probe+0x13a3/0x1800 virtio_dev_probe+0x389/0x610 really_probe+0x136/0x620 __driver_probe_device+0xb3/0x230 driver_probe_device+0x2f/0xe0 __driver_attach+0x158/0x250 bus_for_each_dev+0xa9/0x130 driver_attach+0x26/0x40 bus_add_driver+0x178/0x3d0 driver_register+0x7d/0x1c0 __register_virtio_driver+0x2c/0x60 virtio_blk_init+0x6f/0xe0 do_one_initcall+0x94/0x540 kernel_init_freeable+0x56a/0x7b0 kernel_init+0x2b/0x270 ret_from_fork+0x268/0x4c0 ret_from_fork_asm+0x1a/0x30-> #0 (&q->sysfs_lock){+.+.}-{4:4}: __lock_acquire+0x1835/0x2940 lock_acquire+0xf9/0x450 __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 blk_unregister_queue+0x53/0x180 __del_gendisk+0x226/0x690 del_gendisk+0xba/0x110 sd_remove+0x49/0xb0 [sd_mod] device_remove+0x87/0xb0 device_release_driver_internal+0x11e/0x230 device_release_driver+0x1a/0x30 bus_remove_device+0x14d/0x220 device_del+0x1e1/0x5a0 __scsi_remove_device+0x1ff/0x2f0 scsi_remove_device+0x37/0x60 sdev_store_delete+0x77/0x100 dev_attr_store+0x1f/0x40 sysfs_kf_write+0x65/0x90 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7eother info that might help us debug this:Chain exists of: &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&q->q_usage_counter(queue)#3); lock(&q->rq_qos_mutex); lock(&q->q_usage_counter(queue)#3); lock(&q->sysfs_lock);Root cause is that queue_usage_counter is grabbed with rq_qos_mutexheld in blkg_conf_prep(), while queue should be freezed beforerq_qos_mutex from other context.The blk_queue_enter() from blkg_conf_prep() is used to protect againstpolicy deactivation, which is already protected with blkcg_mutex, henceconvert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile,consider that blkcg_mutex is held after queue is freezed from policydeactivation, also convert blkg_alloc() to use GFP_NOIO.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68179 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAPAs reported by Luiz Capitulino enabling HVO on s390 leads to reproduciblecrashes. The problem is that kernel page tables are modified withoutflushing corresponding TLB entries.Even if it looks like the empty flush_tlb_all() implementation on s390 isthe problem, it is actually a different problem: on s390 it is not allowedto replace an active/valid page table entry with another valid page tableentry without the detour over an invalid entry. A direct replacement maylead to random crashes and/or data corruption.In order to invalidate an entry special instructions have to be used(e.g. ipte or idte). Alternatively there are also special instructionsavailable which allow to replace a valid entry with a different validentry (e.g. crdte or cspg).Given that the HVO code currently does not provide the hooks to allow foran implementation which is compliant with the s390 architecturerequirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which isbasically a revert of the original patch which enabled it.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68184 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/mediatek: Disable AFBC support on Mediatek DRM driverCommit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRMdriver") added AFBC support to Mediatek DRM and enabled the32x8/split/sparse modifier.However, this is currently broken on Mediatek MT8188 (Genio 700 EVKplatform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used bydefault since Mesa v25.0.Kernel trace reports vblank timeouts constantly, and the render is garbled:```[CRTC:62:crtc-0] vblank wait timed outWARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c[...]Hardware name: MediaTek Genio-700 EVK (DT)Workqueue: events_unbound commit_workpstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27clr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27csp : ffff80008337bca0x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000ax17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206bx11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480Call trace: drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P) drm_atomic_helper_commit_tail_rpm+0x64/0x80 commit_tail+0xa4/0x1a4 commit_work+0x14/0x20 process_one_work+0x150/0x290 worker_thread+0x2d0/0x3ec kthread+0x12c/0x210 ret_from_fork+0x10/0x20---[ end trace 0000000000000000 ]---```Until this gets fixed upstream, disable AFBC support on this platform, asit's currently broken with upstream Mesa.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68191 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:udp_tunnel: use netdev_warn() instead of netdev_WARN()netdev_WARN() uses WARN/WARN_ON to print a backtrace along withfile and line information. In this case, udp_tunnel_nic_register()returning an error is just a failed operation, not a kernel bug.udp_tunnel_nic_register() can fail due to a memory allocationfailure (kzalloc() or udp_tunnel_nic_alloc()).This is a normal runtime error and not a kernel bug.Replace netdev_WARN() with netdev_warn() accordingly.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68200 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Add bpf_prog_run_data_pointers()syzbot found that cls_bpf_classify() is able to changetc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline]WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched:Extend qdisc control block with tc control block"), which added a wronginteraction with db58ba459202 ("bpf: wire in data and data_end forcls_act_bpf").drop_reason was added later.Add bpf_prog_run_data_pointers() helper to save/restore the net_schedstorage colliding with BPF data_meta/data_end.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68204 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pmdomain: arm: scmi: Fix genpd leak on provider registration failureIf of_genpd_add_provider_onecell() fails during probe, the previouslycreated generic power domains are not removed, leading to a memory leakand potential kernel crash later in genpd_debug_add().Add proper error handling to unwind the initialized domains beforereturning from probe to ensure all resources are correctly released onfailure.Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68206 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_ct: add seqadj extension for natted connectionsSequence adjustment may be required for FTP traffic with PASV/EPSV modes.due to need to re-write packet payload (IP, port) on the ftp controlconnection. This can require changes to the TCP length and expectedseq / ack_seq.The easiest way to reproduce this issue is with PASV mode.Example ruleset:table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" }}table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } }}Note that the ftp helper gets assigned *after* the dnat setup.The inverse (nat after helper assign) is handled by an existingcheck in nf_nat_setup_info() and will not show the problem.Topoloy: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ftp nat changes do not work as expected in this case:Connected to 192.168.100.1.[..]ftp> epsvEPSV/EPRT on IPv4 off.ftp> ls227 Entering passive mode (192,168,100,1,209,129).421 Service not available, remote server has closed connection.Kernel logs:Missing nfct_seqadj_ext_add() setup callWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41[..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 ..Fix this by adding the required extension when a conntrack helper is assignedto a connection that has a nat binding.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68209 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mlx5: Fix default values in create CQCurrently, CQs without a completion function are assigned themlx5_add_cq_to_tasklet function by default. This is problematic sinceonly user CQs created through the mlx5_ib driver are intended to usethis function.Additionally, all CQs that will use doorbells instead of polling forcompletions must call mlx5_cq_arm. However, the default CQ creation flowleaves a valid value in the CQ's arm_db field, allowing FW to sendinterrupts to polling-only CQs in certain corner cases.These two factors would allow a polling-only kernel CQ to be triggeredby an EQ interrupt and call a completion function intended only for userCQs, causing a null pointer exception.Some areas in the driver have prevented this issue with one-off fixesbut did not address the root cause.This patch fixes the described issue by adding defaults to the create CQflow. It adds a default dummy completion function to protect againstnull pointer exceptions, and it sets an invalid command sequence numberby default in kernel CQs to prevent the FW from sending an interrupt tothe CQ until it is armed. User CQs are responsible for their owninitialization values.Callers of mlx5_core_create_cq are responsible for changing thecompletion function and arming the CQ per their needs.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68211 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksm: use range-walk function to jump over holes in scan_get_next_rmap_itemCurrently, scan_get_next_rmap_item() walks every page address in a VMA tolocate mergeable pages. This becomes highly inefficient when scanninglarge virtual memory areas that contain mostly unmapped regions, causingksmd to use large amount of cpu without deduplicating much pages.This patch replaces the per-address lookup with a range walk usingwalk_page_range(). The range walker allows KSM to skip over entireunmapped holes in a VMA, avoiding unnecessary lookups. This problem waspreviously discussed in [1].Consider the following test program which creates a 32 TiB mapping in thevirtual address space but only populates a single page:#include #include #include /* 32 TiB */const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;int main() { char *area = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0); if (area == MAP_FAILED) { perror("mmap() failed\n"); return -1; } /* Populate a single page such that we get an anon_vma. */ *area = 0; /* Enable KSM. */ madvise(area, size, MADV_MERGEABLE); pause(); return 0;}$ ./ksm-sparse &$ echo 1 > /sys/kernel/mm/ksm/run Without this patch ksmd uses 100% of the cpu for a long time (more then 1hour in my test machine) scanning all the 32 TiB virtual address spacethat contain only one mapped page. This makes ksmd essentially deadlockednot able to deduplicate anything of value. With this patch ksmd walksonly the one mapped page and skips the rest of the 32 TiB virtual addressspace, making the scan fast using little cpu.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68214 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:timers: Fix NULL function pointer race in timer_shutdown_sync()There is a race condition between timer_shutdown_sync() and timerexpiration that can lead to hitting a WARN_ON in expire_timers().The issue occurs when timer_shutdown_sync() clears the timer functionto NULL while the timer is still running on another CPU. The racescenario looks like this:CPU0 CPU1 lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ...timer_shutdown_sync()lock_timer_base()// For now, will not detach the timer but only clear its function to NULLif (base->running_timer != timer) ret = detach_if_pending(timer, base, true);if (shutdown) timer->function = NULL;unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger expire_timers() WARN_ON_ONCE(!fn) // hit ...lock_timer_base()// Now timer will detachif (base->running_timer != timer) ret = detach_if_pending(timer, base, true);if (shutdown) timer->function = NULL;unlock_timer_base()The problem is that timer_shutdown_sync() clears the timer functionregardless of whether the timer is currently running. This can leave apending timer with a NULL function pointer, which triggers theWARN_ON_ONCE(!fn) check in expire_timers().Fix this by only clearing the timer function when actually detaching thetimer. If the timer is running, leave the function pointer intact, which issafe because the timer will be properly detached when it finishes running.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68219 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: fix memory leak in smb3_fs_context_parse_param error pathAdd proper cleanup of ctx->source and fc->source to thecifs_parse_mount_err error handler. This ensures that memory allocatedfor the source strings is correctly freed on all error paths, matchingthe cleanup already performed in the success path bysmb3_cleanup_fs_context_contents().Pointers are also set to NULL after freeing to prevent potentialdouble-free issues.This change fixes a memory leak originally detected by syzbot. Theleak occurred when processing Opt_source mount options if an errorhappened after ctx->source and fc->source were successfullyallocated but before the function completed.The specific leak sequence was:1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory3. A subsequent error jumps to cifs_parse_mount_err4. The old error handler freed passwords but not the source strings,causing the memory to leak.This issue was not addressed by commit e8c73eb7db0a ("cifs: client:fix memory leak in smb3_fs_context_parse_param"), which only fixedleaks from repeated fsconfig() calls but not this error path.Patch updated with minor change suggested by kernel test robot

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68227 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: Fix proto fallback detection with BPFThe sockmap feature allows bpf syscall from userspace, or basedon bpf sockops, replacing the sk_prot of sockets during protocol stackprocessing with sockmap's custom read/write interfaces.'''tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot'''When the server has MPTCP enabled but the client sends a TCP SYNwithout MPTCP, subflow_syn_recv_sock() performs a fallback on thesubflow, replacing the subflow sk's sk_prot with the native sk_prot.'''subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override()'''Then, this subflow can be normally used by sockmap, which replaces thenative sk_prot with sockmap's custom sk_prot. The issue occurs when theuser executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().Here, it uses sk->sk_prot to compare with the native sk_prot, but thisis incorrect when sockmap is used, as we may incorrectly setsk->sk_socket->ops.This fix uses the more generic sk_family for the comparison instead.Additionally, this also prevents a WARNING from occurring:result from ./scripts/decode_stacktrace.sh:------------[ cut here ]------------WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \(net/mptcp/protocol.c:4005)Modules linked in:...PKRU: 55555554Call Trace:do_accept (net/socket.c:1989)__sys_accept4 (net/socket.c:2028 net/socket.c:2057)__x64_sys_accept (net/socket.c:2067)x64_sys_call (arch/x86/entry/syscall_64.c:41)do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)RIP: 0033:0x7f87ac92b83d---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68229 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and weattempt to dereference it in tcm_loop_tpg_address_show() we will get asegfault, see below for an example. So, check tl_hba->sh beforedereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]... Call Trace: configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0...

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68230 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: fix gpu page fault after hibernation on PF passthroughOn PF passthrough environment, after hibernate and then resume, coralgemmwill cause gpu page fault.Mode1 reset happens during hibernate, but partition mode is not restoredon resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not rightafter resume. When CP access the MQD BO, wrong stride size is used,this will cause out of bound access on the MQD BO, resulting page fault.The fix is to ensure gfx_v9_4_3_switch_compute_partition() is calledwhen resume from a hibernation.KFD resume is called separately during a reset recovery or resume fromsuspend sequence. Hence it's not required to be called as part ofpartition switch.(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68231 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/mempool: fix poisoning order>0 pages with HIGHMEMThe kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283)Christoph found out this is due to the poisoning code not dealingproperly with CONFIG_HIGHMEM because only the first page is mapped butthen the whole potentially high-order page is accessed.We could give up on HIGHMEM here, but it's straightforward to fix thiswith a loop that's mapping, poisoning or checking and unmappingindividual pages.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68239 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:binfmt_misc: restore write access before closing files opened by open_exec()bm_register_write() opens an executable file using open_exec(), whichinternally calls do_open_execat() and denies write access on the file toavoid modification while it is being executed.However, when an error occurs, bm_register_write() closes the file usingfilp_close() directly. This does not restore the write permission, whichmay cause subsequent write operations on the same file to fail.Fix this by calling exe_file_allow_write_access() before filp_close() torestore the write permission properly.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68241 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: route: Prevent rt_bind_exception() from rebinding stale fnheThe sit driver's packet transmission path calls: sit_tunnel_xmit() ->update_or_create_fnhe(), which lead to fnhe_remove_oldest() being calledto delete entries exceeding FNHE_RECLAIM_DEPTH+random.The race window is between fnhe_remove_oldest() selecting fnheX fordeletion and the subsequent kfree_rcu(). During this time, theconcurrent path's __mkroute_output() -> find_exception() can fetch thesoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with anew dst using a dst_hold(). When the original fnheX is freed via RCU,the dst reference remains permanently leaked.CPU 0 CPU 1__mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak]This issue manifests as a device reference count leak and a warning indmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = NIdo Schimmel provided the simple test validation method [1].The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().Since rt_bind_exception() checks this field, setting it to zero preventsthe stale fnhe from being reused and bound to a new dst just before itis freed.[1]ip netns add ns1ip -n ns1 link set dev lo upip -n ns1 address add 192.0.2.1/32 dev loip -n ns1 link add name dummy1 up type dummyip -n ns1 route add 192.0.2.2/32 dev dummy1ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2ip -n ns1 route add 198.51.0.0/16 dev gretap1taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &sleep 10ip netns pids ns1 | xargs killip netns del ns1

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68245 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: netpoll: fix incorrect refcount handling causing incorrect cleanupcommit efa95b01da18 ("netpoll: fix use after free") incorrectlyignored the refcount and prematurely set dev->npinfo to NULL duringnetpoll cleanup, leading to improper behavior and memory leaks.Scenario causing lack of proper cleanup:1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one.2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev.3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak.Revert commit efa95b01da18 ("netpoll: fix use after free") and addsclarifying comments emphasizing that npinfo cleanup should only happenonce the refcount reaches zero, ensuring stable and correct netpollbehavior.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68251 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:erofs: avoid infinite loops due to corrupted subpage compact indexesRobert reported an infinite loop observed by two crafted images.The root cause is that `clusterofs` can be larger than `lclustersize`for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515Move the corresponding check for full compress indexes to`z_erofs_load_lcluster_from_disk()` to also cover subpage compactcompress indexes.It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX`check, since it should be placed right after`z_erofs_load_{compact,full}_lcluster()`.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68259 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replacedWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTninstruction, discard the exception and retry the instruction if the codestream is changed (e.g. by a different vCPU) between when the CPUexecutes the instruction and when KVM decodes the instruction to get thenext RIP.As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-injectINT3/INTO instead of retrying the instruction"), failure to verify thatthe correct INTn instruction was decoded can effectively clobber gueststate due to decoding the wrong instruction and thus specifying thewrong next RIP.The bug most often manifests as "Oops: int3" panics on static branchchecks in Linux guests. Enabling or disabling a static branch in Linuxuses the kernel's "text poke" code patching mechanism. To modify codewhile other CPUs may be executing that code, Linux (temporarily)replaces the first byte of the original instruction with an int3 (opcode0xcc), then patches in the new code stream except for the first byte,and finally replaces the int3 with the first byte of the new codestream. If a CPU hits the int3, i.e. executes the code while it's beingmodified, then the guest kernel must look up the RIP to determine how tohandle the #BP, e.g. by emulating the new instruction. If the RIP isincorrect, then this lookup fails and the guest kernel panics.The bug reproduces almost instantly by hacking the guest kernel torepeatedly check a static branch[1] while running a drgn script[2] onthe host to constantly swap out the memory containing the guest's TSS.[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68261 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()Fix a race between inline data destruction and block mapping.The function ext4_destroy_inline_data_nolock() changes the inode datalayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.At the same time, another thread may execute ext4_map_blocks(), whichtests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()or ext4_ind_map_blocks().Without i_data_sem protection, ext4_ind_map_blocks() may receive inodewith EXT4_INODE_EXTENTS flag and triggering assert.kernel BUG at fs/ext4/indirect.c:546!EXT4-fs (loop2): unmounting filesystem.invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTIHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546Call Trace: ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68276 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either callingthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.12.1).

CVE-2025-68282 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: udc: fix use-after-free in usb_gadget_state_workA race condition during gadget teardown can lead to a use-after-freein usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_workThe fundamental race occurs because a concurrent event (e.g., aninterrupt) can call usb_gadget_set_state() and schedule gadget->workat any time during the cleanup process in usb_del_gadget().Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue afterdevice removal") attempted to fix this by moving flush_work() to afterdevice_del(). However, this does not fully solve the race, as a newwork item can still be scheduled *after* flush_work() completes butbefore the gadget's memory is freed, leading to the same use-after-free.This patch fixes the race condition robustly by introducing a 'teardown'flag and a 'state_lock' spinlock to the usb_gadget struct. The flag isset during cleanup in usb_del_gadget() *before* calling flush_work() toprevent any new work from being scheduled once cleanup has commenced.The scheduling site, usb_gadget_set_state(), now checks this flag underthe lock before queueing the work, thus safely closing the race window.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68295 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix memory leak in cifs_construct_tcon()When having a multiuser mount with domain= specified and usingcifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,so it needs to be freed before leaving cifs_construct_tcon().This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs] cifs_get_fattr+0xe1/0xf50 [cifs] cifs_get_inode_info+0xb5/0x240 [cifs] cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] cifs_getattr+0x28e/0x450 [cifs] vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68296 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setupProtect vga_switcheroo_client_fb_set() with console lock. Avoids OOBaccess in fbcon_remap_all(). Without holding the console lock the callraces with switching outputs.VGA switcheroo calls fbcon_remap_all() when switching clients. The fbconfunction uses struct fb_info.node, which is set by register_framebuffer().As the fb-helper code currently sets up VGA switcheroo before registeringthe framebuffer, the value of node is -1 and therefore not a legal value.For example, fbcon uses the value within set_con2fb_map() [1] as an indexinto an array.Moving vga_switcheroo_client_fb_set() after register_framebuffer() canresult in VGA switching that does not switch fbcon correctly.Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(),which already holds the console lock. Fbdev calls fbcon_fb_registered()from within register_framebuffer(). Serializes the helper with VGAswitcheroo's call to fbcon_remap_all().Although vga_switcheroo_client_fb_set() takes an instance of struct fb_infoas parameter, it really only needs the contained fbcon state. Moving thecall to fbcon initialization is therefore cleaner than before. Only amdgpu,i915, nouveau and radeon support vga_switcheroo. For all other drivers,this change does nothing.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68297 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix crash in process_v2_sparse_read() for encrypted directoriesThe crash in process_v2_sparse_read() for fscrypt-encrypted directorieshas been reported. Issue takes place for Ceph msgr2 protocol in securemode. It can be reproduced by the steps:sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure(1) mkdir /mnt/cephfs/fscrypt-test-3(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3(4) fscrypt lock /mnt/cephfs/fscrypt-test-3(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar(7) Issue has been triggered[ 408.072247] ------------[ cut here ]------------[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865ceph_con_v2_try_read+0x4b39/0x72f0[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_commonintel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discoverypmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypasspolyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouseserio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfgpata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS1.17.0-5.fc42 04/01/2014[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f88e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000)knlGS:0000000000000000[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0[ 408.072336] PKRU: 55555554[ 408.072337] Call Trace:[ 408.072338] [ 408.072340] ? sched_clock_noinstr+0x9/0x10[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10[ 408.072347] ? _raw_spin_unlock+0xe/0x40[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830[ 408.072353] ? __kasan_check_write+0x14/0x30[ 408.072357] ? mutex_lock+0x84/0xe0[ 408.072359] ? __pfx_mutex_lock+0x10/0x10[ 408.072361] ceph_con_workfn+0x27e/0x10e0[ 408.072364] ? metric_delayed_work+0x311/0x2c50[ 408.072367] process_one_work+0x611/0xe20[ 408.072371] ? __kasan_check_write+0x14/0x30[ 408.072373] worker_thread+0x7e3/0x1580[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10[ 408.072378] ? __pfx_worker_thread+0x10/0x10[ 408.072381] kthread+0x381/0x7a0[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10[ 408.072385] ? __pfx_kthread+0x10/0x10[ 408.072387] ? __kasan_check_write+0x14/0x30[ 408.072389] ? recalc_sigpending+0x160/0x220[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50[ 408.072394] ? calculate_sigpending+0x78/0xb0[ 408.072395] ? __pfx_kthread+0x10/0x10[ 408.072397] ret_from_fork+0x2b6/0x380[ 408.072400] ? __pfx_kthread+0x10/0x10[ 408.072402] ret_from_fork_asm+0x1a/0x30[ 408.072406] [ 408.072407] ---[ end trace 0000000000000000 ]---[ 408.072418] Oops: general protection fault, probably for non-canonicaladdress 0xdffffc00000000---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68301 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: atlantic: fix fragment overflow handling in RX pathThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)fragments when handling large multi-descriptor packets. This causes anout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.The issue occurs because the driver doesn't check the total number offragments before calling skb_add_rx_frag(). When a packet requires morethan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,then all fragments are accounted for. And reusing the existing check toprevent the overflow earlier in the code path.This crash occurred in production with an Aquantia AQC113 10G NIC.Stack trace from production environment:```RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 4889 fa 83RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:fffffffe0a0c8000RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:0000000000037a40RBP: 0000000000000024 R08: 0000000000000000 R09:0000000000000021R10: 0000000000000848 R11: 0000000000000000 R12:ffffa9bec02a8e24R13: ffff925ad8615570 R14: 0000000000000000 R15:ffff925b22e80a00FS: 0000000000000000(0000)GS:ffff925e47880000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:0000000000f72ef0PKRU: 55555554Call Trace:aq_ring_rx_clean+0x175/0xe60 [atlantic]? aq_ring_rx_clean+0x14d/0xe60 [atlantic]? aq_ring_tx_clean+0xdf/0x190 [atlantic]? kmem_cache_free+0x348/0x450? aq_vec_poll+0x81/0x1d0 [atlantic]? __napi_poll+0x28/0x1c0? net_rx_action+0x337/0x420```Changes in v4:- Add Fixes: tag to satisfy patch validation requirements.Changes in v3:- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68302 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: sxgbe: fix potential NULL dereference in sxgbe_rx()Currently, when skb is null, the driver prints an error and thendereferences skb on the next line.To fix this, let's add a 'break' after the error message to switchto sxgbe_rx_refill(), which is similar to the approach taken by theother drivers in this particular case, e.g. calxeda with xgmac_rx().Found during a code review.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68304 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_core: lookup hci_conn on RX path on protocol sideThe hdev lock/lookup/unlock/use pattern in the packet RX path doesn'tensure hci_conn* is not concurrently modified/deleted. This lockingappears to be leftover from before conn_hash started using RCUcommit bf4c63252490b ("Bluetooth: convert conn hash to RCU")and not clear if it had purpose since then.Currently, there are code paths that delete hci_conn* from elsewherethan the ordered hdev->workqueue where the RX work runs in. E.g.commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")introduced some of these, and there probably were a few others beforeit. It's better to do the locking so that even if these runconcurrently no UAF is possible.Move the lookup of hci_conn and associated socket-specific conn toprotocol recv handlers, and do them within a single critical sectionto cover hci_conn* usage and lookup.syzkaller has reported a crash that appears to be this issue: [Task hdev->workqueue] [Task 2] hci_disconnect_all_sync l2cap_recv_acldata(hcon) hci_conn_get(hcon) hci_abort_conn_sync(hcon) hci_dev_lock hci_dev_lock hci_conn_del(hcon) v-------------------------------- hci_dev_unlock hci_conn_put(hcon) conn = hcon->l2cap_data (UAF)

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68320 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:lan966x: Fix sleeping in atomic contextThe following warning was seen when we try to connect using ssh to the device.BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbearpreempt_count: 1, expected: 0INFO: lockdep is turned off.CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONETainted: [W]=WARNHardware name: Generic DT based systemCall trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x7c/0xac dump_stack_lvl from __might_resched+0x16c/0x2b0 __might_resched from __mutex_lock+0x64/0xd34 __mutex_lock from mutex_lock_nested+0x1c/0x24 mutex_lock_nested from lan966x_stats_get+0x5c/0x558 lan966x_stats_get from dev_get_stats+0x40/0x43c dev_get_stats from dev_seq_printf_stats+0x3c/0x184 dev_seq_printf_stats from dev_seq_show+0x10/0x30 dev_seq_show from seq_read_iter+0x350/0x4ec seq_read_iter from seq_read+0xfc/0x194 seq_read from proc_reg_read+0xac/0x100 proc_reg_read from vfs_read+0xb0/0x2b0 vfs_read from ksys_read+0x6c/0xec ksys_read from ret_fast_syscall+0x0/0x1cException stack(0xf0b11fa8 to 0xf0b11ff0)1fa0: 00000001 00001000 00000008 be9048d8 00001000 000000011fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 000000011fe0: 0005404c be9048c0 00018684 b6ec2cd8It seems that we are using a mutex in a atomic context which is wrong.Change the mutex with a spinlock.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68325 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_cake: Fix incorrect qlen reduction in cake_dropIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlenand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumesthat the parent qdisc will enqueue the current packet. However, thisassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parentqdisc stops enqueuing current packet, leaving the tree qlen/backlogaccounting inconsistent. This mismatch can lead to a NULL dereference(e.g., when the parent Qdisc is qfq_qdisc).This patch computes the qlen/backlog delta in a more robust way byobserving the difference before and after the series of cake_drop()calls, and then compensates the qdisc tree accounting if cake_enqueue()returns NET_XMIT_CN.To ensure correct compensation when ACK thinning is enabled, a newvariable is introduced to keep qlen unchanged.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68336 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:locking/spinlock/debug: Fix data-race in do_raw_write_lockKCSAN reports:BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lockwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_forkread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_forkvalue changed: 0xffffffff -> 0x00000001Reported by Kernel Concurrency Sanitizer on:CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") hasadressed most of these races, but seems to be not consistent/not complete.>From do_raw_write_lock() only debug_write_lock_after() part has beenconverted to WRITE_ONCE(), but not debug_write_lock_before() part.Do it now.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68337 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corruptedThere's issue when file system corrupted:------------[ cut here ]------------kernel BUG at fs/jbd2/transaction.c:1289!Oops: invalid opcode: 0000 [#1] SMP KASAN PTICPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-nextRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0RSP: 0018:ffff888117aafa30 EFLAGS: 00010202RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0Call Trace: __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7eThe above issue occurs with us in errors=continue mode when accompanied bystorage failures. There have been many inconsistencies in the file systemdata.In the case of file system data inconsistency, for example, if the blockbitmap of a referenced block is not set, it can lead to the situation wherea block being committed is allocated and used again. As a result, thefollowing condition will not be satisfied then trigger BUG_ON. Of course,it is entirely possible to construct a problematic image that can triggerthis BUG_ON through specific operations. In fact, I have constructed suchan image and easily reproduced this issue.Therefore, J_ASSERT() holds true only under ideal conditions, but it maynot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()directly in abnormal situations would cause the system to crash, which isclearly not what we want. So here we directly trigger a JBD abort insteadof immediately invoking BUG_ON.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68349 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalidFixes a crash when layout is null during this call stack:write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inodepnfs_set_layoutcommit relies on the lseg refcount to keep the layoutaround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attemptto reference a null layout.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68358 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix racy bitfield write in btrfs_clear_space_info_full()From the memory-barriers.txt document regarding memory barrier orderingguarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field.btrfs_space_info has a bitfield sharing an underlying word consisting ofthe fields full, chunk_alloc, and flush:struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ ...Therefore, to be safe from parallel read-modify-writes losing a write toone of the bitfield members protected by a lock, all writes to all thebitfields must use the lock. They almost universally do, except forbtrfs_clear_space_info_full() which iterates over the space_infos andwrites out found->full = 0 without a lock.Imagine that we have one thread completing a transaction in which wefinished deleting a block_group and are thus callingbtrfs_clear_space_info_full() while simultaneously the data reclaimticket infrastructure is running do_async_reclaim_data_space(): T1 T2btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1and now data_sinfo->flush is 1 but the reclaim worker has exited. Thisbreaks the invariant that flush is 0 iff there is no work queued orrunning. Once this invariant is violated, future allocations that gointo __reserve_bytes() will add tickets to space_info->tickets but willsee space_info->flush is set to 1 and not queue the work. After this,they will block forever on the resulting ticket, as it is now impossibleto kick the worker again.I also confirmed by looking at the assembly of the affected kernel thatit is doing RMW operations. For example, to set the flush (3rd) bit to 0,the assembly is: andb $0xfb,0x60(%rbx)and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax)So I think this is really a bug on practical systems. I have observeda number of systems in this exact state, but am currently unable toreproduce it.Rather than leaving this footgun lying around for the future, takeadvantage of the fact that there is room in the struct anyway, and thatit is already quite large and simply change the three bitfield members tobools. This avoids writes to space_info->full having any effect on---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68363 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Check skb->transport_header is set in bpf_skb_check_mtuThe bpf_skb_check_mtu helper needs to use skb->transport_header whenthe BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)The transport_header is not always set. There is a WARN_ON_ONCEreport when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +bpf_prog_test_run is used:WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skbFor a normal ingress skb (not test_run), skb_reset_transport_headeris performed but there is plan to avoid setting it as described incommit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").This patch fixes the bpf helper by checkingskb_transport_header_was_set(). The check is done just beforeskb->transport_header is used, to avoid breaking the existing bpf prog.The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68364 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' justto avoid crashing the whole kernel due to a filesystem corruption.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68365 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs/ntfs3: Initialize allocated memory before useKMSAN reports: Multiple uninitialized values detected:- KMSAN: uninit-value in ntfs_read_hdr (3)- KMSAN: uninit-value in bcmp (3)Memory is allocated by __getname(), which is a wrapper forkmem_cache_alloc(). This memory is used before being properlycleared. Change kmem_cache_alloc() to kmem_cache_zalloc() toproperly allocate and clear memory before use.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68366 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nbd: defer config unlock in nbd_genl_connectThere is one use-after-free warning when running NBD_CMD_CONNECT andNBD_CLEAR_SOCK:nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf------------[ cut here ]------------refcount_t: addition on 0; use-after-free.WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790The issue can be easily reproduced by adding a small delay beforerefcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);+ printk("before sleep\n");+ mdelay(5 * 1000);+ printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); }

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68367 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouseThe following warning appears when running syzkaller, and this issue alsoexists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2The WARNING occurs when two processes concurrently write to the mac-hidemulation sysctl, causing a race condition in mac_hid_toggle_emumouse().Both processes read old_val=0, then both try to register the input handler,leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock()Fix this by moving the old_val read inside the mutex lock region.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68371 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: smartpqi: Fix device resources accessed after device removalCorrect possible race conditions during device removal.Previously, a scheduled work item to reset a LUN could still executeafter the device was removed, leading to use-after-free and otherresource access issues.This race condition occurs because the abort handler may schedule a LUNreset concurrently with device removal via sdev_destroy(), leading touse-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68372 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nbd: defer config put in recv_workThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK andNBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAFOr only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAFCommit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying thewaiter") moved nbd_config_put() to run before waking up the waiter inrecv_work, in order to ensure that nbd_start_device_ioctl() would notbe woken up while nbd->task_recv was still uncleared.However, in nbd_start_device_ioctl(), after being woken up it explicitlycalls flush_workqueue() to make sure all current works are finished.Therefore, there is no need to move the config put ahead of the wakeup.Move nbd_config_put() to the end of recv_work, so that the reference isheld for the whole lifetime of the worker thread. This makes sure theconfig cannot be freed while recv_work is still running, even if clear+ reconfigure interleave.In addition, we don't need to worry about recv_work dropping the lastnbd_put (which causes deadlock):path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_workpath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68374 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md: fix rcu protection in md_wakeup_threadWe attempted to use RCU to protect the pointer 'thread', but directlypassed the value when calling md_wakeup_thread(). This means that theRCU pointer has been acquired before rcu_read_lock(), which rendersrcu_read_lock() ineffective and could lead to a use-after-free.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68378 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix stackmap overflow check in __bpf_get_stackid()Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68379 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/rxe: Fix null deref on srq->rq.queue after resize failureA NULL pointer dereference can occur in rxe_srq_chk_attr() whenibv_modify_srq() is invoked twice in succession under certain errorconditions. The first call may fail in rxe_queue_resize(), which leadsrxe_srq_from_attr() to set srq->rq.queue = NULL. The second call thentriggers a crash (null deref) when accessingsrq->rq.queue->buf->index_mask.Call Trace:rxe_modify_srq+0x170/0x480 [rdma_rxe]? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]? tryinc_node_nr_active+0xe6/0x150? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]? __pfx___raw_spin_lock_irqsave+0x10/0x10? __pfx_do_vfs_ioctl+0x10/0x10? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]__x64_sys_ioctl+0x138/0x1c0do_syscall_64+0x82/0x250? fdget_pos+0x58/0x4c0? ksys_write+0xf3/0x1c0? __pfx_ksys_write+0x10/0x10? do_syscall_64+0xc8/0x250? __pfx_vm_mmap_pgoff+0x10/0x10? fget+0x173/0x230? fput+0x2a/0x80? ksys_mmap_pgoff+0x224/0x4c0? do_syscall_64+0xc8/0x250? do_user_addr_fault+0x37b/0xfe0? clear_bhb_loop+0x50/0xa0? clear_bhb_loop+0x50/0xa0? clear_bhb_loop+0x50/0xa0entry_SYSCALL_64_after_hwframe+0x76/0x7e

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68725 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Do not let BPF test infra emit invalid GSO types to stackYinhao et al. reported that their fuzzer tool was able to trigger askb_warn_bad_offload() from netif_skb_features() -> gso_features_check().When a BPF program - triggered via BPF test infra - pushes the packetto the loopback device via bpf_clone_redirect() then mentioned offloadwarning can be seen. GSO-related features are then rightfully disabled.We get into this situation due to convert___skb_to_skb() settinggso_segs and gso_size but not gso_type. Technically, it makes sensethat this warning triggers since the GSO properties are malformed dueto the gso_type. Potentially, the gso_type could be marked non-trustworthythrough setting it at least to SKB_GSO_DODGY without any other specificassumptions, but that also feels wrong given we should not go furtherinto the GSO engine in the first place.The checks were added in 121d57af308d ("gso: validate gso_type in GSOhandlers") because there were malicious (syzbot) senders that combinea protocol with a non-matching gso_type. If we would want to drop suchpackets, gso_features_check() currently only returns feature flags vianetif_skb_features(), so one location for potentially dropping such skbscould be validate_xmit_unreadable_skb(), but then otoh it would bean additional check in the fast-path for a very corner case. Givenbpf_clone_redirect() is the only place where BPF test infra could emitsuch packets, lets reject them right there.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68727 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ntfs3: Fix uninit buffer allocated by __getname()Fix uninit errors caused after buffer allocation given to 'de'; byinitializing the buffer with zeroes. The fix was found by using KMSAN.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68728 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ntfs3: fix uninit memory after failed mi_read in mi_format_newFix a KMSAN un-init bug found by syzkaller.ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not beuptodate. We do not bring the buffer uptodate before setting it asuptodate. If the buffer were to not be uptodate, it could mean adding abuffer with un-init data to the mi record. Attempting to load that recordwill trigger KMSAN.Avoid this by setting the buffer as uptodate, if it's not already, byoverwriting it.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68733 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smack: fix bug: unprivileged task can create labelsIf an unprivileged task is allowed to relabel itself(/smack/relabel-self is not empty),it can freely create new labels by writing theirnames into own /proc/PID/attr/smack/currentThis occurs because do_setattr() importsthe provided label in advance,before checking "relabel-self" list.This change ensures that the "relabel-self" listis checked before importing the label.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68771 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: fix kernel BUG in ocfs2_find_victim_chainsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the`cl_next_free_rec` field of the allocation chain list (next free slot inthe chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)condition in ocfs2_find_victim_chain() and panicking the kernel.To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),just before calling ocfs2_find_victim_chain(), the code block in it beingexecuted when either of the following conditions is true:1. `cl_next_free_rec` is equal to 0, indicating that there are no freechains in the allocation chain list2. `cl_next_free_rec` is greater than `cl_count` (the total number ofchains in the allocation chain list)Either of them being true is indicative of the fact that there are nochains left for usage.This is addressed using ocfs2_error(), which printsthe error log for debugging purposes, rather than panicking the kernel.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68773 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:spi: fsl-cpm: Check length parity before switching to 16 bit modeCommit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transferswith even size") failed to make sure that the size is really evenbefore switching to 16 bit mode. Until recently the problem wentunnoticed because kernfs uses a pre-allocated bounce buffer of sizePAGE_SIZE for reading EEPROM.But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")introduced an additional dynamically allocated bounce buffer whose sizeis exactly the size of the transfer, leading to a buffer overrun inthe fsl-cpm driver when that size is odd.Add the missing length parity verification and remain in 8 bit modewhen the length is not even.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68780 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sched/deadline: only set free_cpus for online runqueuesCommit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpusto reflect rd->online") introduced the cpudl_set/clear_freecpufunctions to allow the cpu_dl::free_cpus mask to be manipulatedby the deadline scheduler class rq_on/offline callbacks so themask would also reflect this state.Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_maskfrom cpudl_find()") removed the check of the cpu_active_mask tosave some processing on the premise that the cpudl::free_cpusmask already reflected the runqueue online state.Unfortunately, there are cases where it is possible for thecpudl_clear function to set the free_cpus bit for a CPU when thedeadline runqueue is offline. When this occurs while a CPU isconnected to the default root domain the flag may retain the badstate after the CPU has been unplugged. Later, a different CPUthat is transitioning through the default root domain may push adeadline task to the powered down CPU when cpudl_find sees itsfree_cpus bit is set. If this happens the task will not have theopportunity to run.One example is outlined here:https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.comAnother occurs when the last deadline task is migrated from aCPU that has an offlined runqueue. The dequeue_task member ofthe deadline scheduler class will eventually call cpudl_clearand set the free_cpus bit for the CPU.This commit modifies the cpudl_clear function to be aware of theonline state of the deadline runqueue so that the free_cpus maskcan be updated appropriately.It is no longer necessary to manage the mask outside of thecpudl_set/clear functions so the cpudl_set/clear_freecpufunctions are removed. In addition, since the free_cpus mask isnow only updated under the cpudl lock the code was changed touse the non-atomic __cpumask functions.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68782 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: Reset t_task_cdb pointer in error caseIf allocation of cmd->t_task_cdb fails, it remains NULL but is laterdereferenced in the 'err' path.In case of error, reset NULL t_task_cdb value to point at the defaultfixed-size buffer.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68783 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: usb-mixer: us16x08: validate meter packet indicesget_meter_levels_from_urb() parses the 64-byte meter packets sent bythe device and fills the per-channel arrays meter_level[],comp_level[] and master_level[] in struct snd_us16x08_meter_store.Currently the function derives the channel index directly from themeter packet (MUB2(meter_urb, s) - 1) and uses it to index thosearrays without validating the range. If the packet contains anegative or out-of-range channel number, the driver may write pastthe end of these arrays.Introduce a local channel variable and validate it before updating thearrays. We reject negative indices, limit meter_level[] andcomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]updates with ARRAY_SIZE(master_level).

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68797 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:char: applicom: fix NULL pointer dereference in ac_ioctlDiscovered by Atuin - Automated Vulnerability Discovery Engine.In ac_ioctl, the validation of IndexCard and the check for a validRamIO pointer are skipped when cmd is 6. However, the functionunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at theend.If cmd is 6, IndexCard may reference a board that does not exist(where RamIO is NULL), leading to a NULL pointer dereference.Fix this by skipping the readb access when cmd is 6, as thiscommand is a global information query and does not target a specificboard context.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68808 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: vidtv: initialize local pointers upon transfer of memory ownershipvidtv_channel_si_init() creates a temporary list (program, service, event)and ownership of the memory itself is transferred to the PAT/SDT/EITtables through vidtv_psi_pat_program_assign(),vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().The problem here is that the local pointer where the memory ownershiptransfer was completed is not initialized to NULL. This causes thevidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, andin the flow that jumps to free_eit, the memory that was freed byvidtv_psi_*_table_destroy() can be accessed again byvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so itis freed once again.Therefore, to prevent use-after-free and double-free vulnerability,local pointers must be initialized to NULL when transferring memoryownership.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68810 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslotReject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that wasinitially created with a guest_memfd binding, as KVM doesn't supporttoggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enablingKVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.Failure to reject the new memslot results in a use-after-free due to KVMnot unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLYchange is easy enough, and can/will be done as a hardening measure (inanticipation of KVM supporting dirty logging on guest_memfd at some point),but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68814 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However,for the condition of the file being installed in the fixed file table aswell as having O_CLOEXEC flag set, the function returns early. At thatpoint, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,the memory for the newly allocated struct filename is not cleaned up,causing a memory leak.Fix this by setting the REQ_F_NEED_CLEANUP for the request just after thesuccessful getname() call, so that when the request is torn down, thefilename will be cleaned up, along with other resources needing cleanup.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68815 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: ets: Remove drr class from the active list if it changes to strictWhenever a user issues an ets qdisc change command, transforming adrr class into a strict one, the ets code isn't checking whether thatclass was in the active list and removing it. This means that, if auser changes a strict class (which was in the active list) back to a drrone, that class will be added twice to the active list [1].Doing so with the following commands:tc qdisc add dev lo root handle 1: ets bands 2 strict 1tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1stc filter add dev lo parent 1: basic classid 1:2ping -c1 -W0.01 -s 56 127.0.0.1tc qdisc change dev lo root handle 1: ets bands 2 strict 2tc qdisc change dev lo root handle 1: ets bands 2 strict 1ping -c1 -W0.01 -s 56 127.0.0.1Will trigger the following splat with list debug turned on:[ 59.279014][ T365] ------------[ cut here ]------------[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220[ 59.280860][ T365] Modules linked in:[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44...[ 59.288812][ T365] Call Trace:[ 59.289056][ T365] [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0Fix this by always checking and removing an ets class from the active listwhen changing it to strict.[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68816 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: fw_tracer, Validate format string parametersAdd validation for format string parameters in the firmware tracer toprevent potential security vulnerabilities and crashes from malformedformat strings received from firmware.The firmware tracer receives format strings from the device firmware anduses them to format trace messages. Without proper validation, badfirmware could provide format strings with invalid format specifiers(e.g., %s, %p, %n) that could lead to crashes, or other undefinedbehavior.Add mlx5_tracer_validate_params() to validate that all format specifiersin trace strings are limited to safe integer/hex formats (%x, %d, %i,%u, %llx, %lx, etc.). Reject strings containing other format types thatcould be used to access arbitrary memory or cause crashes.Invalid format strings are added to the trace output for visibility with"BAD_FORMAT: " prefix.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68818 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.The commit being reverted added code to __qla2x00_abort_all_cmds() tocall sp->done() without holding a spinlock. But unlike the older codebelow it, this new code failed to check sp->cmd_type and just assumedTYPE_SRB, which results in a jump to an invalid pointer in target-modewith TYPE_TGT_CMD:qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79bqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no bufferqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurredqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda.BUG: kernel NULL pointer dereference, address: 0000000000000000PF: supervisor instruction fetch in kernel modePF: error_code(0x0010) - not-present pagePGD 0 P4D 0Oops: 0010 [#1] SMPCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023RIP: 0010:0x0Code: Unable to access opcode bytes at 0xffffffffffffffd6.RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early withinlock") added the spinlock back, because not having the lock caused arace and a crash. But qla2x00_abort_srb() in the switch below alreadychecks for qla2x00_chip_is_down() and handles it the same way, so thecode above the switch is now redundant and still buggy in target-mode.Remove it.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68819 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()rlen value is a user-controlled value, but dtv5100_i2c_msg() does notcheck the size of the rlen value. Therefore, if it is set to a valuelarger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.Therefore, we need to add proper range checking to prevent this vuln.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68822 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Input: alps - fix use-after-free bugs caused by dev3_register_workThe dev3_register_work delayed work item is initialized withinalps_reconnect() and scheduled upon receipt of the first barePS/2 packet from an external PS/2 device connected to the ALPStouchpad. During device detachment, the original implementationcalls flush_workqueue() in psmouse_disconnect() to ensurecompletion of dev3_register_work. However, the flush_workqueue()in psmouse_disconnect() only blocks and waits for work items thatwere already queued to the workqueue prior to its invocation. Anywork items submitted after flush_workqueue() is called are notincluded in the set of tasks that the flush operation awaits.This means that after flush_workqueue() has finished executing,the dev3_register_work could still be scheduled. Although thepsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),the scheduling of dev3_register_work remains unaffected.The race condition can occur as follows:CPU 0 (cleanup path) | CPU 1 (delayed work)psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USEAdd disable_delayed_work_sync() in alps_disconnect() to ensurethat dev3_register_work is properly canceled and prevented fromexecuting after the alps_data structure has been deallocated.This bug is identified by static analysis.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-69644 Severity: Moderate CVSS3 score: 5.5

Description: An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69646 Severity: Moderate CVSS3 score: 5.5

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69647 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69648 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-71064 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: hns3: using the num_tqps in the vf driver to apply for resourcesCurrently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqpis allocated using kinfo->num_tqps. However, kinfo->num_tqps is set tomin(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smallerthan hdev->num_tqps, which causes some hdev->htqp[i] to remainuninitialized in hclgevf_knic_setup().Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,ensuring that the lengths of hdev->htqp and kinfo->tqp are consistentand that all elements are properly initialized.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71068 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:svcrdma: bound check rq_pages index in inline pathsvc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] withoutverifying rc_curpage stays within the allocated page array. Add guardsbefore the first use and after advancing to a new page.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71074 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:functionfs: fix the open/removal racesffs_epfile_open() can race with removal, ending up with file->private_datapointing to freed object.There is a total count of opened files on functionfs (both ep0 anddynamic ones) and when it hits zero, dynamic files get removed.Unfortunately, that removal can happen while another thread isin ffs_epfile_open(), but has not incremented the count yet.In that case open will succeed, leaving us with UAF on any subsequentread() or write().The root cause is that ffs->opened is misused; atomic_dec_and_test() vs.atomic_add_return() is not a good idea, when object remains visible allalong.To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we hadzero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from thecallback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed,along with checking that state is FFS_ACTIVE.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71075 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: aic94xx: fix use-after-free in device removal pathThe asd_pci_remove() function fails to synchronize with pending taskletsbefore freeing the asd_ha structure, leading to a potentialuse-after-free vulnerability.When a device removal is triggered (via hot-unplug or module unload),race condition can occur.The fix adds tasklet_kill() before freeing the asd_ha structure,ensuring all scheduled tasklets complete before cleanup proceeds.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71078 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:powerpc/64s/slb: Fix SLB multihit issue during SLB preloadOn systems using the hash MMU, there is a software SLB preload cache thatmirrors the entries loaded into the hardware SLB buffer. This preloadcache is subject to periodic eviction - typically after every 256 contextswitches - to remove old entry.To optimize performance, the kernel skips switch_mmu_context() inswitch_mm_irqs_off() when the prev and next mm_struct are the same.However, on hash MMU systems, this can lead to inconsistencies betweenthe hardware SLB and the software preload cache.If an SLB entry for a process is evicted from the software cache on oneCPU, and the same process later runs on another CPU without executingswitch_mmu_context(), the hardware SLB may retain stale entries. If thekernel then attempts to reload that entry, it can trigger an SLBmulti-hit error.The following timeline shows how stale SLB entries are created and cancause a multi-hit error when a process moves between CPUs without aMMU context switch.CPU 0 CPU 1----- -----Process Pexec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */context_switchsched_migrate_task migrates process P to cpu-1Process swapper/0 context switch (to process P)(uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */load_elf_binary cont---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71082 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: btusb: revert use of devm_kzalloc in btusbThis reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc inbtusb.c file").In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. Thisties the lifetime of all the btusb data to the binding of a driver toone interface, INTF. In a driver that binds to other interfaces, ISOCand DIAG, this is an accident waiting to happen.The issue is revealed in btusb_disconnect(), where callingusb_driver_release_interface(&btusb_driver, data->intf) will have devmfree the data that is also being used by the other interfaces of thedriver that may not be released yet.To fix this, revert the use of devm and go back to freeing memoryexplicitly.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71083 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/ttm: Avoid NULL pointer deref for evicted BOsIt is possible for a BO to exist that is not currently associated with aresource, e.g. because it has been evicted.When devcoredump tries to read the contents of all BOs for dumping, we needto expect this as well -- in this case, ENODATA is recorded instead of thebuffer contents.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71108 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: typec: ucsi: Handle incorrect num_connectors capabilityThe UCSI spec states that the num_connectors field is 7 bits, and the8th bit is reserved and should be set to zero.Some buggy FW has been known to set this bit, and it can lead to asystem not booting.Flag that the FW is not behaving correctly, and auto-fix the valueso that the system boots correctly.Found on Lenovo P1 G8 during Linux enablement program. The FW willbe fixed, but seemed worth addressing in case it hit platforms thataren't officially Linux supported.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71111 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:hwmon: (w83791d) Convert macros to functions to avoid TOCTOUThe macro FAN_FROM_REG evaluates its arguments multiple times. When usedin lockless contexts involving shared driver data, this leads toTime-of-Check to Time-of-Use (TOCTOU) race conditions, potentiallycausing divide-by-zero errors.Convert the macro to a static function. This guarantees that argumentsare evaluated only once (pass-by-value), preventing the raceconditions.Additionally, in store_fan_div, move the calculation of the minimumlimit inside the update lock. This ensures that the read-modify-writesequence operates on consistent data.Adhere to the principle of minimal changes by only converting macrosthat evaluate arguments multiple times and are used in locklesscontexts.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71118 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ACPICA: Avoid walking the Namespace if start_node is NULLAlthough commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespaceif it is not there") fixed the situation when both start_node andacpi_gbl_root_node are NULL, the Linux kernel mainline now still crashedon Honor Magicbook 14 Pro [1].That happens due to the access to the member of parent_node inacpi_ns_get_next_node(). The NULL pointer dereference will alwayshappen, no matter whether or not the start_node is equal toACPI_ROOT_OBJECT, so move the check of start_node being NULLout of the if block.Unfortunately, all the attempts to contact Honor have failed, theyrefused to provide any technical support for Linux.The bad DSDT table's dump could be found on GitHub [2].DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025[ rjw: Subject adjustment, changelog edits ]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71126 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: avoid deadlock on fallback while reinjectingJakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9cThe packet scheduler could attempt a reinjection after receiving anMP_FAIL and before the infinite map has been transmitted, causing adeadlock since MPTCP needs to do the reinjection atomically from WRTfallback.Address the issue explicitly avoiding the reinjection in the criticalscenario. Note that this is the only fallback critical section thatcould potentially send packets and hit the double-lock.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71127 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: Discard Beacon frames to non-broadcast addressBeacon frames are required to be sent to the broadcast address, see IEEEStd 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frameshall be set to the broadcast address"). A unicast Beacon frame might beused as a targeted attack to get one of the associated STAs to dosomething (e.g., using CSA to move it to another channel). As such, itis better have strict filtering for this on the received side anddiscard all Beacon frames that are sent to an unexpected address.This is even more important for cases where beacon protection is used.The current implementation in mac80211 is correctly discarding unicastBeacon frames if the Protected Frame bit in the Frame Control field isset to 0. However, if that bit is set to 1, the logic used for checkingfor configured BIGTK(s) does not actually work. If the driver does nothave logic for dropping unicast Beacon frames with Protected Frame bit1, these frames would be accepted in mac80211 processing as valid Beaconframes even though they are not protected. This would allow beaconprotection to be bypassed. While the logic for checking beaconprotection could be extended to cover this corner case, a more genericcheck for discard all Beacon frames based on A1=unicast address coversthis without needing additional changes.Address all these issues by dropping received Beacon frames if they aresent to a non-broadcast address.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71130 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbufferInitialize the eb.vma array with values of 0 when the eb structure isfirst set up. In particular, this sets the eb->vma[i].vma pointers toNULL, simplifying cleanup and getting rid of the bug described below.During the execution of eb_lookup_vmas(), the eb->vma array issuccessively filled up with struct eb_vma objects. This process includescalling eb_add_vma(), which might fail; however, even in the event offailure, eb->vma[i].vma is set for the currently processed buffer.If eb_add_vma() fails, eb_lookup_vmas() returns with an error, whichprompts a call to eb_release_vmas() to clean up the mess. Sinceeb_lookup_vmas() might fail during processing any (possibly not first)buffer, eb_release_vmas() checks whether a buffer's vma is NULL to knowat what point did the lookup function fail.In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helperfunction eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma isset to NULL in case i915_gem_object_userptr_submit_init() fails; thecurrent one needs to be cleaned up by eb_release_vmas() at this point,so the next one is set. If eb_add_vma() fails, neither the current northe next vma is set to NULL, which is a source of a NULL deref bugdescribed in the issue linked in the Closes tag.When entering eb_lookup_vmas(), the vma pointers are set to the slabpoison value, instead of NULL. This doesn't matter for the actuallookup, since it gets overwritten anyway, however the eb_release_vmas()function only recognizes NULL as the stopping value, hence the pointersare being set to NULL as they go in case of intermediate failure. Thispatch changes the approach to filling them all with NULL at the startinstead, rather than handling that manually during failure.(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71131 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: seqiv - Do not use req->iv after crypto_aead_encryptAs soon as crypto_aead_encrypt is called, the underlying requestmay be freed by an asynchronous completion. Thus dereferencingreq->iv after it returns is invalid.Instead of checking req->iv against info, create a new variableunaligned_info and use it for that purpose instead.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71132 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smc91x: fix broken irq-context in PREEMPT_RTWhen smc91x.c is built with PREEMPT_RT, the following splat occursin FVP_RevC:[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106][ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work[ 13.062266] C** replaying previous printk message **[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}[ 13.062353] Hardware name: , BIOS[ 13.062382] Workqueue: mld mld_ifc_work[ 13.062469] Call trace:[ 13.062494] show_stack+0x24/0x40 (C)[ 13.062602] __dump_stack+0x28/0x48[ 13.062710] dump_stack_lvl+0x7c/0xb0[ 13.062818] dump_stack+0x18/0x34[ 13.062926] process_scheduled_works+0x294/0x450[ 13.063043] worker_thread+0x260/0x3d8[ 13.063124] kthread+0x1c4/0x228[ 13.063235] ret_from_fork+0x10/0x20This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,but smc_special_unlock() does not restore IRQs on PREEMPT_RT.The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invokercu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71133 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: avoid invalid read in irdma_net_eventirdma_net_event() should not dereference anything from "neigh" (alias"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.Other events come with different structures pointed to by "ptr" and theymay be smaller than struct neighbour.Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71135 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ...If conf is NULL, then mddev->private is also NULL. In this case,null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false);since mddev->private is assigned to conf again in raid5_quiesce(), and confis dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent);To fix this issue, the function should unlock mddev and return beforeinvoking raid5_quiesce() when conf is NULL, following the existing patternin raid5_change_consistency_policy().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71136 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()It's possible for cp_read() and hdmi_read() to return -EIO. Thosevalues are further used as indexes for accessing arrays.Fix that by checking return values where it's needed.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71137 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"This patch ensures that the RX ring size (rx_pending) is notset below the permitted length. This avoids UBSANshift-out-of-bounds errors when users passes small or zeroring sizes via ethtool -G.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71138 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/msm/dpu: Add missing NULL pointer check for pingpong interfaceIt is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in asingle place the check is missing.Also use convenient locals instead of phys_enc->* where available.Patchwork: https://patchwork.freedesktop.org/patch/693860/

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71141 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/tilcdc: Fix removal actions in case of failed probeThe drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpersshould only be called when the device has been successfully registered.Currently, these functions are called unconditionally in tilcdc_fini(),which causes warnings during probe deferral scenarios.[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68...[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc][ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]Fix this by rewriting the failed probe cleanup path using the standardgoto error handling pattern, which ensures that cleanup functions areonly called on successfully initialized resources. Additionally, removethe now-unnecessary is_registered flag.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71161 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dm-verity: disable recursive forward error correctionThere are two problems with the recursive correction:1. It may cause denial-of-service. In fec_read_bufs, there is a loop thathas 253 iterations. For each iteration, we may call verity_hash_for_blockrecursively. There is a limit of 4 nested recursions - that means thatthere may be at most 253^4 (4 billion) iterations. Red Hat QE teamactually created an image that pushes dm-verity to this limit - and thisimage just makes the udev-worker process get stuck in the 'D' state.2. It doesn't work. In fec_read_bufs we store data into the variable"fio->bufs", but fio bufs is shared between recursive invocations, if"verity_hash_for_block" invoked correction recursively, it wouldoverwrite partially filled fio->bufs.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71162 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: tegra-adma: Fix use-after-freeA use-after-free bug exists in the Tegra ADMA driver when audio streamsare terminated, particularly during XRUN conditions. The issue occurswhen the DMA buffer is freed by tegra_adma_terminate_all() before thevchan completion tasklet finishes accessing it.The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memorySince tasklets can execute at any time after being scheduled, there isno guarantee that the buffer will remain valid when vchan_complete()runs.Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors.Crash logs:[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0[ 337.427562] Call trace:[ 337.427564] dump_backtrace+0x0/0x320[ 337.427571] show_stack+0x20/0x30[ 337.427575] dump_stack_lvl+0x68/0x84[ 337.427584] print_address_description.constprop.0+0x74/0x2b8[ 337.427590] kasan_report+0x1f4/0x210[ 337.427598] __asan_load8+0xa0/0xd0[ 337.427603] vchan_complete+0x124/0x3b0[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0[ 337.427617] tasklet_action+0x30/0x40[ 337.427623] __do_softirq+0x1a0/0x5c4[ 337.427628] irq_exit+0x110/0x140[ 337.427633] handle_domain_irq+0xa4/0xe0[ 337.427640] gic_handle_irq+0x64/0x160[ 337.427644] call_on_irq_stack+0x20/0x4c[ 337.427649] do_interrupt_handler+0x7c/0x90[ 337.427654] el1_interrupt+0x30/0x80[ 337.427659] el1h_64_irq_handler+0x18/0x30[ 337.427663] el1h_64_irq+0x7c/0x80[ 337.427667] cpuidle_enter_state+0xe4/0x540[ 337.427674] cpuidle_enter+0x54/0x80[ 337.427679] do_idle+0x2e0/0x380[ 337.427685] cpu_startup_entry+0x2c/0x70[ 337.427690] rest_init+0x114/0x130[ 337.427695] arch_call_rest_init+0x18/0x24[ 337.427702] start_kernel+0x380/0x3b4[ 337.427706] __primary_switched+0xc0/0xc8

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71180 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:counter: interrupt-cnt: Drop IRQF_NO_THREAD flagAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, asCONFIG_PROVE_RAW_LOCK_NESTING warns:=============================[ BUG: Invalid wait context ]6.18.0-rc1+git... #1-----------------------------some-user-space-process/1251 is trying to lock:(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]other info that might help us debug this:context-{2:2}no locks held by some-user-space-process/....stack backtrace:CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPTCall trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq... and Sebastian correctly points out. Remove IRQF_NO_THREAD as analternative to switching to raw_spinlock_t, because the latter would limitall potential nested locks to raw_spinlock_t only.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71183 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: always detect conflicting inodes when logging inode refsAfter rename exchanging (either with the rename exchange operation orregular renames in multiple non-atomic steps) two inodes and at leastone of them is a directory, we can end up with a log tree that containsonly of the inodes and after a power failure that can result in an attemptto delete the other inode when it should not because it was not deletedbefore the power failure. In some case that delete attempt fails whenthe target inode is a directory that contains a subvolume inside it, sincethe log replay code is not prepared to deal with directory entries thatpoint to root items (only inode items).1) We have directories "dir1" (inode A) and "dir2" (inode B) under the same parent directory;2) We have a file (inode C) under directory "dir1" (inode A);3) We have a subvolume inside directory "dir2" (inode B);4) All these inodes were persisted in a past transaction and we are currently at transaction N;5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C's last_unlink_trans to N;6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), so after the exchange "dir1" is inode B and "dir2" is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don't update their last_unlink_trans to N;7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()).8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction);9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B... this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (...) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87.---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71184 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix NULL dereference on root when tracing inode evictionWhen evicting an inode the first thing we do is to setup tracing for it,which implies fetching the root's id. But in btrfs_evict_inode() theroot might be NULL, as implied in the next check that we do inbtrfs_evict_inode().Hence, we either should set the ->root_objectid to 0 in case the root isNULL, or we move tracing setup after checking that the root is notNULL. Setting the rootid to 0 at least gives us the possibility to tracethis call even in the case when the root is NULL, so that's the solutiontaken here.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71195 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: xilinx: xdma: Fix regmap max_registerThe max_register field is assigned the size of the register memoryregion instead of the offset of the last register.The result is that reading from the regmap via debugfs can causea segmentation fault:tail /sys/kernel/debug/regmap/xdma.1.auto/registersUnable to handle kernel paging request at virtual address ffff800082f70000Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault[...]Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)---[ end trace 0000000000000000 ]---note: tail[1217] exited with irqs disablednote: tail[1217] exited with preempt_count 1Segmentation fault

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71200 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 modeWhen operating in HS200 or HS400 timing modes, reducing the clock frequencybelow 52MHz will lead to link broken as the Rockchip DWC MSHC controllerrequires maintaining a minimum clock of 52MHz in these modes.Add a check to prevent illegal clock reduction through debugfs:root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clockroot@debian:/# [ 30.090146] mmc0: running CQE recoverymmc0: cqhci: Failed to haltmmc0: cqhci: spurious TCN for tag 0WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24Modules linked in:CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPTHardware name: Rockchip RK3588 EVB1 V10 Board (DT)Workqueue: kblockd blk_mq_run_work_fnpstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : cqhci_irq+0x254/0x818lr : cqhci_irq+0x254/0x818...

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71236 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Validate sp before freeing associated memorySystem crash with the following signature[154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete[154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.[154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5.[154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed - 0078 0080 0000.[154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed - 0078 00a0 0000.[154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).[154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).[154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8[154565.553080] #PF: supervisor read access in kernel mode[154565.553082] #PF: error_code(0x0000) - not-present page[154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0[154565.553089] Oops: 0000 1 PREEMPT SMP PTI[154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1[154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024[154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx][154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b[154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286[154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002[154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47[154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a[154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0[154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000[154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000[154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0[154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[154565.553159] PKRU: 55555554[154565.553160] Call Trace:[154565.553162] [154565.553165] ? show_trace_log_lvl+0x1c4/0x2df[154565.553172] ? show_trace_log_lvl+0x1c4/0x2df[154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx][154565.553215] ? __die_body.cold+0x8/0xd[154565.553218] ? page_fault_oops+0x134/0x170[154565.553223] ? snprintf+0x49/0x70[154565.553229] ? exc_page_fault+0x62/0x150[154565.553238] ? asm_exc_page_fault+0x22/0x30Check for sp being non NULL before freeing any associated memory

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71268 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix reservation leak in some error paths when inserting inline extentIf we fail to allocate a path or join a transaction, we return from__cow_file_range_inline() without freeing the reserved qgroup data,resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()in such cases.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-2297 Severity: Moderate CVSS3 score: 5.5

Description: The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2026-22982 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: mscc: ocelot: Fix crash when adding interface under a lagCommit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.The ocelot_set_aggr_pgids() function in the ocelot driver has similar logicand is susceptible to the same crash.This issue specifically affects the ocelot_vsc7514.c frontend, which leavesunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected asit uses the DSA framework which registers all ports.Fix this by checking if the port pointer is valid before accessing it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22989 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfsd: check that server is running in unlock_filesystemIf we are trying to unlock the filesystem via an administrativeinterface and nfsd isn't running, it crashes the server. Thishappens currently because nfsd4_revoke_states() access statestructures (eg., conf_id_hashtbl) that has been freed as a partof the server shutdown.[ 59.465072] Call trace:[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd][ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd][ 59.466780] vfs_write+0x1f0/0x938[ 59.467088] ksys_write+0xfc/0x1f8[ 59.467395] __arm64_sys_write+0x74/0xb8[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8[ 59.468177] do_el0_svc+0x154/0x1d8[ 59.468489] el0_svc+0x40/0xe0[ 59.468767] el0t_64_sync_handler+0xa0/0xe8[ 59.469138] el0t_64_sync+0x1ac/0x1b0Ensure this can't happen by taking the nfsd_mutex and checking thatthe server is still up, and then holding the mutex across the call tonfsd4_revoke_states().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22991 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: make free_choose_arg_map() resilient to partial allocationfree_choose_arg_map() may dereference a NULL pointer if its caller failsafter a partial allocation.For example, in decode_choose_args(), if allocation of arg_map->argsfails, execution jumps to the fail label and free_choose_arg_map() iscalled. Since arg_map->size is updated to a non-zero value before memoryallocation, free_choose_arg_map() will iterate over arg_map->args anddereference a NULL pointer.To prevent this potential NULL pointer dereference and makefree_choose_arg_map() more resilient, add checks for pointers beforeiterating.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22997 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rtsSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() iscalled only when the timer is enabled, we need to callj1939_session_deactivate_activate_next() if we cancelled the timer.Otherwise, refcount for j1939_session leaks, which will later appear as| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.problem.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22998 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovecCommit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")added ttag bounds checking and data_offsetvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validatewhether the command's data structures (cmd->req.sg and cmd->iov) havebeen properly initialized before processing H2C_DATA PDUs.The nvmet_tcp_build_pdu_iovec() function dereferences these pointerswithout NULL checks. This can be triggered by sending H2C_DATA PDUimmediately after the ICREQ/ICRESP handshake, beforesending a CONNECT command or NVMe write command.Attack vectors that trigger NULL pointer dereferences:1. H2C_DATA PDU sent before CONNECT -> both pointers NULL2. H2C_DATA PDU for READ command -> cmd->req.sg allocated, cmd->iov NULL3. H2C_DATA PDU for uninitialized command slot -> both pointers NULLThe fix validates both cmd->req.sg and cmd->iov before callingnvmet_tcp_build_pdu_iovec(). Both checks are required because:- Uninitialized commands: both NULL- READ commands: cmd->req.sg allocated, cmd->iov NULL- WRITE commands: both allocated

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23006 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: tlv320adcx140: fix null pointerThe "snd_soc_component" in "adcx140_priv" was only used once but neverset. It was only used for reaching "dev" which is already present in"adcx140_priv".

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23011 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: ip_gre: make ipgre_header() robustAnalog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")Over the years, syzbot found many ways to crash the kernelin ipgre_header() [1].This involves team or bonding drivers ability to dynamicallychange their dev->needed_headroom and/or dev->hard_header_lenIn this particular crash mld_newpack() allocated an skbwith a too small reserve/headroom, and by the time mld_sendpack()was called, syzbot managed to attach an ipgre device.[1]skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 !Oops: invalid opcode: 0000 [#1] SMP KASAN PTICPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213Call Trace: skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23017 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:idpf: fix error handling in the init_task on loadIf the init_task fails during a driver load, we end up without vports andnetdevs, effectively failing the entire process. In that state asubsequent reset will result in a crash as the service task attempts toaccess uninitialized resources. Following trace is from an error in theinit_task where the CREATE_VPORT (op 501) is rejected by the FW:[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)[40958.148190] idpf 0000:83:00.0: HW reset detected[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8...[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf][40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]...[40958.177932] Call Trace:[40958.178491] [40958.179040] process_one_work+0x226/0x6d0[40958.179609] worker_thread+0x19e/0x340[40958.180158] ? __pfx_worker_thread+0x10/0x10[40958.180702] kthread+0x10f/0x250[40958.181238] ? __pfx_kthread+0x10/0x10[40958.181774] ret_from_fork+0x251/0x2b0[40958.182307] ? __pfx_kthread+0x10/0x10[40958.182834] ret_from_fork_asm+0x1a/0x30[40958.183370] Fix the error handling in the init_task to make sure the service andmailbox tasks are disabled if the error happens during load. These arestarted in idpf_vc_core_init(), which spawns the init_task and has no wayof knowing if it failed. If the error happens on reset, followingsuccessful driver load, the tasks can still run, as that will allow thenetdevs to attempt recovery through another reset. Stop the PTP callbackseither way as those will be restarted by the call to idpf_vc_core_init()during a successful reset.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23020 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: 3com: 3c59x: fix possible null dereference in vortex_probe1()pdev can be null and free_ring: can be called in 1297 with a nullpdev.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23035 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of privmlx5e_priv is an unstable structure that can be memset(0) if profileattaching fails.Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on avalid netdev.On mlx5e_remove: Check validity of priv->profile, before attemptingto cleanup any resources that might be not there.This fixes a kernel oops in mlx5e_remove when switchdev mode fails dueto change profile failure.$ devlink dev eswitch set pci/0000:00:03.0 mode switchdevError: mlx5_core: Failed setting eswitch to offloads.dmesg:workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTRmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTRmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12$ devlink dev reload pci/0000:00:03.0 ==> oopsBUG: kernel NULL pointer dereference, address: 0000000000000370PGD 0 P4D 0Oops: Oops: 0000 [#1] SMP NOPTICPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0Call Trace: mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23047 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: make calc_target() set t->paused, not just clear itCurrently calc_target() clears t->paused if the request shouldn't bepaused anymore, but doesn't ever set t->paused even though it's able todetermine when the request should be paused. Setting t->paused is leftto __submit_request() which is fine for regular requests but doesn'twork for linger requests -- since __submit_request() doesn't operateon linger requests, there is nowhere for lreq->t.paused to be set.One consequence of this is that watches don't get reestablished onpaused -> unpaused transitions in cases where requests have been pausedlong enough for the (paused) unwatch request to time out and for thesubsequent (re)watch request to enter the paused state. On top of thewatch not getting reestablished, rbd_reregister_watch() gets stuck withrbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_waitIt's waiting for lreq->reg_commit_wait to be completed, but for that tohappen the respective request needs to end up on need_resend_linger listand be kicked when requests are unpaused. There is no chance for thatif the request in question is never marked paused in the first place.The fact that rbd_dev->watch_mutex remains taken out forever thenprevents the image from getting unmapped -- "rbd unmap" would inevitablyhang in D state on an attempt to grab the mutex.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23049 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panelThe connector type for the DataImage SCF0700C48GGU18 panel is missing anddevm_drm_panel_bridge_add() requires connector type to be set. This leadsto a warning and a backtrace in the kernel log and panel does not work:"WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8"The warning is triggered by a check for valid connector type indevm_drm_panel_bridge_add(). If there is no valid connector typeset for a panel, the warning is printed and panel is not added.Fill in the missing connector type to fix the warning and makethe panel operational once again.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23054 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: hv_netvsc: reject RSS hash key programming without RX indirection tableRSS configuration requires a valid RX indirection table. When the devicereports a single receive queue, rndis_filter_device_add() does notallocate an indirection table, accepting RSS hash key updates in thisstate leads to a hang.Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the devicecapabilities and prevents incorrect behavior.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23075 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leakFix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:gs_usb_receive_bulk_callback(): fix URB memory leak").In esd_usb_open(), the URBs for USB-in transfers are allocated, added tothe dev->rx_submitted anchor and submitted. In the complete callbackesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. Inesd_usb_close() the URBs are freed by callingusb_kill_anchored_urbs(&dev->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in esd_usb_close().Fix the memory leak by anchoring the URB in theesd_usb_read_bulk_callback() to the dev->rx_submitted anchor.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23085 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:irqchip/gic-v3-its: Avoid truncating memory addressesOn 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmemallocations to be backed by addresses physical memory above the 32-bitaddress limit, as found while experimenting with larger VMSPLITconfigurations.This caused the qemu virt model to crash in the GICv3 driver, whichallocates the 'itt' object using GFP_KERNEL. Since all memory belowthe 4GB physical address limit is in ZONE_DMA in this configuration,kmalloc() defaults to higher addresses for ZONE_NORMAL, and theITS driver stores the physical address in a 32-bit 'unsigned long'variable.Change the itt_addr variable to the correct phys_addr_t type instead,along with all other variables in this driver that hold a physicaladdress.The gicv5 driver correctly uses u64 variables, while all other irqchipdrivers don't call virt_to_phys or similar interfaces. It's expected thatother device drivers have similar issues, but fixing this one issufficient for booting a virtio based guest.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23087 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()Memory allocated for struct vscsiblk_info in scsiback_probe() is notfreed in scsiback_remove() leading to potential memory leaks on remove,as well as in the scsiback_probe() error paths. Fix that by freeing itin scsiback_remove().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23088 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Fix crash on synthetic stacktrace field usageWhen creating a synthetic event based on an existing synthetic event thathad a stacktrace field and the new synthetic event used that field akernel crash occurred: ~# cd /sys/kernel/tracing ~# echo 's:stack unsigned long stack[];' > dynamic_events ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/triggerThe above creates a synthetic event that takes a stacktrace when a taskschedules out in a non-running state and passes that stacktrace to thesched_switch event when that task schedules back in. It triggers the"stack" synthetic event that has a stacktrace as its field (called "stack"). ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/triggerThe above makes another synthetic event called "syscall_stack" thatattaches the first synthetic event (stack) to the sys_exit trace event andrecords the stacktrace from the stack event with the id of the system callthat is exiting.When enabling this event (or using it in a historgram): ~# echo 1 > events/synthetic/syscall_stack/enableProduces a kernel crash! BUG: unable to handle page fault for address: 0000000000400010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:trace_event_raw_event_synth+0x90/0x380 Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 Call Trace: ? __tracing_map_insert+0x208/0x3a0 action_trace+0x67/0x70 event_hist_trigger+0x633/0x6d0 event_triggers_call+0x82/0x130 trace_event_buffer_commit+0x19d/0x250 trace_event_raw_event_sys_exit+0x62/0xb0 syscall_exit_work+0x9d/0x140 do_syscall_64+0x20a/0x2f0 ? trace_event_raw_event_sched_switch+0x12b/0x170 ? save_fpregs_to_fpstate+0x3e/0x90 ? _raw_spin_unlock+0xe/0x30 ? finish_task_switch.isra.0+0x97/0x2c0 ? __rseq_handle_notify_resume+0xad/0x4c0 ? __schedule+0x4b8/0xd00 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x1ef/0x2f0 ? do_fault+0x2e9/0x540 ? __handle_mm_fault+0x7d1/0xf70 ? count_memcg_events+0x167/0x1d0 ? handle_mm_fault+0x1d7/0x2e0 ? do_user_addr_fault+0x2c3/0x7f0 entry_SYSCALL_64_after_hwframe+0x76/0x7eThe reason is that the stacktrace field is not labeled as such, and istreated as a normal field and not as a dynamic event that it is.In trace_event_raw_event_synth() the event is field is still treated as adynamic array, but the retrieval of the data is considered a normal field,and the reference is just the meta data:// Meta data is retrieved instead of a dynamic array---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23091 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:intel_th: fix device leak on output open()Make sure to drop the reference taken when looking up the th deviceduring output device open() on errors and on close().Note that a recent commit fixed the leak in a couple of open() errorpaths but not all of them, and the reference is still leaking onsuccessful open().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23095 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:gue: Fix skb memleak with inner IP protocol 0.syzbot reported skb memleak below. [0]The repro generated a GUE packet with its inner protocol 0.gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"in ip_protocol_deliver_rcu(), but this only works withnon-zero protocol number.Let's drop such packets.Note that 0 is a valid number (IPv6 Hop-by-Hop Option).I think it is not practical to encap HOPOPT in GUE, so oncesomeone starts to complain, we could pass down a resubmitflag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT[0]BUG: memory leakunreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23097 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:migrate: correct lock ordering for hugetlb file foliosSyzbot has found a deadlock (analyzed by Lance Yang):1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquirefolio_lock.migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock!The migration path is the one taking locks in the wrong order according tothe documentation at the top of mm/rmap.c. So expand the scope of theexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.This is (mostly) how it used to be after commit c0d0381ade79. That wasremoved by 336bf30eb765 for both file & anon hugetlb pages when it shouldonly have been removed for anon hugetlb pages.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23099 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: limit BOND_MODE_8023AD to Ethernet devicesBOND_MODE_8023AD makes sense for ARPHRD_ETHER only.syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)Tainted: [L]=SOFTLOCKUPHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23102 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64/fpsimd: signal: Fix restoration of SVE contextWhen SME is supported, Restoring SVE signal context can go wrong in afew ways, including placing the task into an invalid state where thekernel may read from out-of-bounds memory (and may potentially take afatal fault) and/or may kill the task with a SIGKILL.(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resuting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task's streaming SVE vector length, this may read memory outside of the task's allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn't match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time.(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task's SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel's PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the the provided SVE register data will be loaded into the task's sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length.Fix (1) by setting TIF_SME when setting SVCR.SM. This also requiresensuring that the task's sme_state has been allocated, but as this couldcontain live ZA state, it should not be zeroed. Fix (2) by clearingSVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear.For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME,and fp_type earlier, immediately after the allocation ofsve_state/sme_state, before the restore of the actual register state.This makes it easier to ensure that these are always modifiedconsistently, even if a fault is taken while reading the register datafrom the signal context. I do not expect any software to depend on theexact state restored when a fault is taken while reading the context.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23103 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipvlan: Make the addrs_lock be per portMake the addrs_lock be per port, not per ipvlan dev.Initial code seems to be written in the assumption,that any address change must occur under RTNL.But it is not so for the case of IPv6. So1) Introduce per-port addrs_lock.2) It was needed to fix places where it was forgottento take lock (ipvlan_open/ipvlan_close)This appears to be a very minor problem though.Since it's highly unlikely that ipvlan_add_addr() willbe called on 2 CPU simultaneously. But nevertheless,this could cause:1) False-negative of ipvlan_addr_busy(): one interfaceiterated through all port->ipvlans + ipvlan->addrsunder some ipvlan spinlock, and another added IPunder its own lock. Though this is only possiblefor IPv6, since looks like only ipvlan_addr6_event() can becalled without rtnl_lock.2) Race since ipvlan_ht_addr_add(port) is called underdifferent ipvlan->addrs_lock locksThis should not affect performance, since add/remove IPis a rare situation and spinlock is not taken on fastpaths.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23113 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loopCurrently this is checked before running the pending work. Normally thisis quite fine, as work items either end up blocking (which will create anew worker for other items), or they complete fairly quickly. But syzbotreports an issue where io-wq takes seemingly forever to exit, and with abit of debugging, this turns out to be because it queues a bunch of big(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn'tsupport ->read_iter(), loop_rw_iter() ends up handling them. Each readreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch ofthese pending, processing the whole chain can take a long time. Easilylonger than the syzbot uninterruptible sleep timeout of 140 seconds.This then triggers a complaint off the io-wq exit path:INFO: task syz.4.135:6326 blocked for more than 143 seconds. Not tainted syzkaller #0 Blocked by coredump."echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000Call Trace: context_switch kernel/sched/core.c:5256 [inline] __schedule+0x1139/0x6150 kernel/sched/core.c:6863 __schedule_loop kernel/sched/core.c:6945 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:6960 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:100 [inline] __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121 io_wq_exit_workers io_uring/io-wq.c:1328 [inline] io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356 io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203 io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651 io_uring_files_cancel include/linux/io_uring.h:19 [inline] do_exit+0x2ce/0x2bd0 kernel/exit.c:911 do_group_exit+0xd3/0x2a0 kernel/exit.c:1112 get_signal+0x2671/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fa02738f749RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000caRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98There's really nothing wrong here, outside of processing these readswill take a LONG time. However, we can speed up the exit by checking theIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot willexit the ring after queueing up all of these reads. Then once the firstitem is processed, io-wq will simply cancel the rest. That should avoidsyzbot running into this complaint again.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23116 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpuFor i.MX8MQ platform, the ADB in the VPUMIX domain has no separate resetand clock enable bits, but is ungated and reset together with the VPUs.So we can't reset G1 or G2 separately, it may led to the system hang.Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data.Let imx8mq_vpu_power_notifier() do really vpu reset.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23118 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix data-race warning and potential load/store tearingFix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packetwhich is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds();and: keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;The lockless accesses to these to values aren't actually a problem as theread only needs an approximate time of last transmission for the purposesof deciding whether or not the transmission of a keepalive packet iswarranted yet.Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bitarch.Fix both of these by switching to an unsigned int for ->last_tx_at and onlystoring the LSW of the time64_t. It can then be reconstructed at needprovided no more than 68 years has elapsed since the last transmission.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23119 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: provide a net pointer to __skb_flow_dissect()After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect")we have to provide a net pointer to __skb_flow_dissect(),either via skb->dev, skb->sk, or a user provided pointer.In the following case, syzbot was able to cook a bare skb.WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053Call Trace: bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 bpf_prog_run_xdp include/net/xdp.h:700 [inline] bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23120 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:l2tp: avoid one data-race in l2tp_tunnel_del_work()We should read sk->sk_socket only when dealing with kernel sockets.syzbot reported the following data-race:BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_releasewrite to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: sk_set_socket include/net/sock.h:2092 [inline] sock_orphan include/net/sock.h:2118 [inline] sk_common_release+0xae/0x230 net/core/sock.c:4003 udp_lib_close+0x15/0x20 include/net/udp.h:325 inet_release+0xce/0xf0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:662 [inline] sock_close+0x6b/0x150 net/socket.c:1455 __fput+0x29b/0x650 fs/file_table.c:468 ____fput+0x1c/0x30 fs/file_table.c:496 task_work_run+0x131/0x1a0 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:44 [inline] exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7fread to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1: l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 worker_thread+0x582/0x770 kernel/workqueue.c:3421 kthread+0x489/0x510 kernel/kthread.c:463 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246value changed: 0xffff88811b818000 -> 0x0000000000000000

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23124 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: annotate data-race in ndisc_router_discovery()syzbot found that ndisc_router_discovery() could read and writein6_dev->ra_mtu without holding a lock [1]This looks fine, IFLA_INET6_RA_MTU is best effort.Add READ_ONCE()/WRITE_ONCE() to document the race.Note that we might also reject illegal MTU values(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.[1]BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discoveryread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79...write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79...value changed: 0x00000000 -> 0xe5400659

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23125 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INITA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH keyinitialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 Call Trace: sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127The issue is triggered when sctp_auth_asoc_init_active_key() fails insctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, thecommand sequence is currently:- SCTP_CMD_PEER_INIT- SCTP_CMD_TIMER_STOP (T1_INIT)- SCTP_CMD_TIMER_START (T1_COOKIE)- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)- SCTP_CMD_ASSOC_SHKEY- SCTP_CMD_GEN_COOKIE_ECHOIf SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, whileasoc->peer.auth_capable and asoc->peer.peer_chunks have already been set bySCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULLto be queued by sctp_datamsg_from_user().Since command interpretation stops on failure, no COOKIE_ECHO should beensent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has alreadybeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. Asa result, the DATA chunk can be transmitted together with the COOKIE_ECHOin sctp_outq_flush_data(), leading to the observed issue.Similar to the other places where it calls sctp_auth_asoc_init_active_key()right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEYimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and startingT1_COOKIE. This ensures that if shared key generation fails, authenticatedDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,giving the client another chance to process INIT_ACK and retry key setup.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23126 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netdevsim: fix a race issue related to the operation on bpf_bound_progs listThe netdevsim driver lacks a protection mechanism for operations on thebpf_bound_progs list. When the nsim_bpf_create_prog() performslist_add_tail, it is possible that nsim_bpf_destroy_prog() issimultaneously performs list_del. Concurrent operations on the list maylead to list corruption and trigger a kernel crash as follows:[ 417.290971] kernel BUG at lib/list_debug.c:62![ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 417.291007] Workqueue: events bpf_prog_free_deferred[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0[ 417.291088] PKRU: 55555554[ 417.291091] Call Trace:[ 417.291096] [ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim][ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0[ 417.291178] process_one_work+0x18a/0x3a0[ 417.291188] worker_thread+0x27b/0x3a0[ 417.291197] ? __pfx_worker_thread+0x10/0x10[ 417.291207] kthread+0xe5/0x120[ 417.291214] ? __pfx_kthread+0x10/0x10[ 417.291221] ret_from_fork+0x31/0x50[ 417.291230] ? __pfx_kthread+0x10/0x10[ 417.291236] ret_from_fork_asm+0x1a/0x30[ 417.291246] Add a mutex lock, to prevent simultaneous addition and deletion operationson the list.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23128 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: Set __nocfi on swsusp_arch_resume()A DABT is reported[1] on an android based system when resume from hiberate.This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*()and does not have a CFI hash, but swsusp_arch_resume() will attempt toverify the CFI hash when calling a copy of swsusp_arch_suspend_exit().Given that there's an existing requirement that the entrypoint toswsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.textsection, we cannot fix this by marking swsusp_arch_suspend_exit() withSYM_FUNC_*(). The simplest fix for now is to disable the CFI check inswsusp_arch_resume().Mark swsusp_arch_resume() as __nocfi to disable the CFI check.[1][ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc[ 22.991934][ T1] Mem abort info:[ 22.991934][ T1] ESR = 0x0000000096000007[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits[ 22.991934][ T1] SET = 0, FnV = 0[ 22.991934][ T1] EA = 0, S1PTW = 0[ 22.991934][ T1] FSC = 0x07: level 3 translation fault[ 22.991934][ T1] Data abort info:[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP[ 22.991934][ T1] Dumping ftrace buffer:[ 22.991934][ T1] (ftrace buffer empty)[ 22.991934][ T1] Modules linked in:[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT)[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344[ 22.991934][ T1] sp : ffffffc08006b960[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000[ 22.991934][ T1] Call trace:[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344[ 22.991934][ T1] hibernation_restore+0x158/0x18c[ 22.991934][ T1] load_image_and_restore+0xb0/0xec[ 22.991934][ T1] software_resume+0xf4/0x19c[ 22.991934][ T1] software_resume_initcall+0x34/0x78[ 22.991934][ T1] do_one_initcall+0xe8/0x370[ 22.991934][ T1] do_initcall_level+0xc8/0x19c[ 22.991934][ T1] do_initcalls+0x70/0xc0[ 22.991934][ T1] do_basic_setup+0x1c/0x28[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148[ 22.991934][ T1] kernel_init+0x20/0x1a8[ 22.991934][ T1] ret_from_fork+0x10/0x20[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110)[catalin.marinas@arm.com: commit log updated by Mark Rutland]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23136 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: reset sparse-read state in osd_fault()When a fault occurs, the connection is abandoned, reestablished, and anypending operations are retried. The OSD client tracks the progress of asparse-read reply using a separate state machine, largely independent ofthe messenger's state.If a connection is lost mid-payload or the sparse-read state machinereturns an error, the sparse-read state is not reset. The OSD clientwill then interpret the beginning of a new reply as the continuation ofthe old one. If this makes the sparse-read machinery enter a failurestate, it may never recover, producing loops like: libceph: [0] got 0 extents libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on read libceph: data len 142248331 != extent len 0 libceph: osd0 (1)...:6801 socket error on readTherefore, reset the sparse-read state in osd_fault(), ensuring retriesstart from a clean state.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23138 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Add recursion protection in kernel stack trace recordingA bug was reported about an infinite recursion caused by tracing the rcuevents with the kernel stack trace trigger enabled. The stack trace codecalled back into RCU which then called the stack trace again.Expand the ftrace recursion protection to add a set of bits to protectevents from recursion. Each bit represents the context that the event isin (normal, softirq, interrupt and NMI).Have the stack trace code use the interrupt context to protect againstrecursion.Note, the bug showed an issue in both the RCU code as well as the tracingstacktrace code. This only handles the tracing stack trace side of thebug. The RCU fix will be handled separately.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23139 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conncount: update last_gc only when GC has been performedCurrently last_gc is being updated everytime a new connection istracked, that means that it is updated even if a GC wasn't performed.With a sufficiently high packet rate, it is possible to always bypassthe GC, causing the list to grow infinitely.Update the last_gc value only when a GC has been actually performed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23140 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, test_run: Subtract size of xdp_frame from allowed metadata sizeThe xdp_frame structure takes up part of the XDP frame headroom,limiting the size of the metadata. However, in bpf_test_run, we don'ttake this into account, which makes it possible for userspace to supplya metadata size that is too large (taking up the entire headroom).If userspace supplies such a large metadata size in live packet mode,the xdp_update_frame_from_buff() call in xdp_test_run_init_page() callwill fail, after which packet transmission proceeds with anuninitialised frame structure, leading to the usual Bad Stuff.The commit in the Fixes tag fixed a related bug where the second checkin xdp_update_frame_from_buff() could fail, but did not add anyadditional constraints on the metadata size. Complete the fix by addingan additional check on the metadata size. Reorder the checks slightly tomake the logic clearer and add a comment.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23141 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: send: check for inline extents in range_is_hole_in_parent()Before accessing the disk_bytenr field of a file extent item we needto check if we are dealing with an inline extent.This is because for inline extents their data starts at the offset ofthe disk_bytenr field. So accessing the disk_bytenrmeans we are accessing inline data or in case the inline data is lessthan 8 bytes we can actually cause an invalidmemory access if this inline extent item is the first item in the leafor access metadata from other items.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23154 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: fix segmentation of forwarding fraglist GROThis patch enhances GSO segment handling by properly checkingthe SKB_GSO_DODGY flag for frag_list GSO packets, addressinglow throughput issues observed when a station accesses IPv4servers via hotspots with an IPv6-only upstream interface.Specifically, it fixes a bug in GSO segmentation when forwardingGRO packets containing a frag_list. The function skb_segment_listcannot correctly process GRO skbs that have been converted by XLAT,since XLAT only translates the header of the head skb. Consequently,skbs in the frag_list may remain untranslated, resulting in protocolinconsistencies and reduced throughput.To address this, the patch explicitly sets the SKB_GSO_DODGY flagfor GSO packets in XLAT's IPv4/IPv6 protocol translation helpers(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSOpackets as potentially modified after protocol translation. As aresult, GSO segmentation will avoid using skb_segment_list andinstead falls back to skb_segment for packets with the SKB_GSO_DODGYflag. This ensures that only safe and fully translated frag_listpackets are processed by skb_segment_list, resolving protocolinconsistencies and improving throughput when forwarding GRO packetsconverted by XLAT.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23157 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: do not strictly require dirty metadata threshold for metadata writepages[BUG]There is an internal report that over 1000 processes arewaiting at the io_schedule_timeout() of balance_dirty_pages(), causinga system hang and trigger a kernel coredump.The kernel is v6.4 kernel based, but the root problem still applies toany upstream kernel before v6.18.[CAUSE]From Jan Kara for his wisdom on the dirty page balance behavior first. This cgroup dirty limit was what was actually playing the role here because the cgroup had only a small amount of memory and so the dirty limit for it was something like 16MB. Dirty throttling is responsible for enforcing that nobody can dirty (significantly) more dirty memory than there's dirty limit. Thus when a task is dirtying pages it periodically enters into balance_dirty_pages() and we let it sleep there to slow down the dirtying. When the system is over dirty limit already (either globally or within a cgroup of the running task), we will not let the task exit from balance_dirty_pages() until the number of dirty pages drops below the limit. So in this particular case, as I already mentioned, there was a cgroup with relatively small amount of memory and as a result with dirty limit set at 16MB. A task from that cgroup has dirtied about 28MB worth of pages in btrfs btree inode and these were practically the only dirty pages in that cgroup.So that means the only way to reduce the dirty pages of that cgroup isto writeback the dirty pages of btrfs btree inode, and only after thatthose processes can exit balance_dirty_pages().Now back to the btrfs part, btree_writepages() is responsible forwriting back dirty btree inode pages.The problem here is, there is a btrfs internal threshold that if thebtree inode's dirty bytes are below the 32M threshold, it will notdo any writeback.This behavior is to batch as much metadata as possible so we won't writeback those tree blocks and then later re-COW them again for anothermodification.This internal 32MiB is higher than the existing dirty page size (28MiB),meaning no writeback will happen, causing a deadlock between btrfs andcgroup:- Btrfs doesn't want to write back btree inode until more dirty pages- Cgroup/MM doesn't want more dirty pages for btrfs btree inode Thus any process touching that btree inode is put into sleep until the number of dirty pages is reduced.Thanks Jan Kara a lot for the analysis of the root cause.[ENHANCEMENT]Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on thebtree_inode"), btrfs btree inode pages will only be charged to the rootcgroup which should have a much larger limit than btrfs' 32MiBthreshold.So it should not affect newer kernels.But for all current LTS kernels, they are all affected by this problem,and backporting the whole AS_KERNEL_FILE may not be a good idea.Even for newer kernels I still think it's a good idea to getrid of the internal threshold at btree_writepages(), since for most casescgroup/MM has a better view of full system memory usage than btrfs' fixedthreshold.For internal callers using btrfs_btree_balance_dirty() since thatfunction is already doing internal threshold check, we don't need tobother them.But for external callers of btree_writepages(), just respect theirrequests and write back whatever they want, ignoring the internalbtrfs threshold to avoid such deadlock on btree inode dirty pagebalancing.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23160 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeon_ep: Fix memory leak in octep_device_setup()In octep_device_setup(), if octep_ctrl_net_init() fails, the functionreturns directly without unmapping the mapped resources and freeing theallocated configuration memory.Fix this by jumping to the unsupported_dev label, which performs thenecessary cleanup. This aligns with the error handling logic of otherpaths in this function.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23164 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rocker: fix memory leak in rocker_world_port_post_fini()In rocker_world_port_pre_init(), rocker_port->wpriv is allocated withkzalloc(wops->port_priv_size, GFP_KERNEL). However, inrocker_world_port_post_fini(), the memory is only freed whenwops->port_post_fini callback is set: if (!wops->port_post_fini) return; wops->port_post_fini(rocker_port); kfree(rocker_port->wpriv);Since rocker_ofdpa_ops does not implement port_post_fini callback(it is NULL), the wpriv memory allocated for each port is never freedwhen ports are removed. This leads to a memory leak ofsizeof(struct ofdpa_port) bytes per port on every device removal.Fix this by always calling kfree(rocker_port->wpriv) regardless ofwhether the port_post_fini callback exists.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23167 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: nci: Fix race between rfkill and nci_unregister_device().syzbot reported the splat below [0] without a repro.It indicates that struct nci_dev.cmd_wq had been destroyed beforenci_close_device() was called via rfkill.nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which(I think) was called from virtual_ncidev_close() when syzbot close()dan fd of virtual_ncidev.The problem is that nci_unregister_device() destroys nci_dev.cmd_wqfirst and then calls nfc_unregister_device(), which removes thedevice from rfkill by rfkill_unregister().So, the device is still visible via rfkill even after nci_dev.cmd_wqis destroyed.Let's unregister the device from rfkill first in nci_unregister_device().Note that we cannot call nfc_unregister_device() beforenci_close_device() because 1) nfc_unregister_device() calls device_del() which frees all memory allocated by devm_kzalloc() and linked to ndev->conn_info_list 2) nci_rx_work() could try to queue nci_conn_info to ndev->conn_info_list which could be leakedThus, nfc_unregister_device() is split into two functions so wecan remove rfkill interfaces only before nci_close_device().[0]:DEBUG_LOCKS_WARN_ON(1)WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349Modules linked in:CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1fRSP: 0018:ffffc9000c767680 EFLAGS: 00010046RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0Call Trace: lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 nfc_dev_down+0x152/0x290 net/nfc/core.c:161 nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346 rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 vfs_write+0x29a/0xb90 fs/read_write.c:684 ksys_write+0x150/0x270 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fa59b39acb9Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007RBP: 00007fa59b408bf7 R08: ---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23168 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:flex_proportions: make fprop_new_period() hardirq safeBernd has reported a lockdep splat from flexible proportions code that isessentially complaining about the following race:run_timer_softirq - we are in softirq context call_timer_fn writeout_period fprop_new_period write_seqcount_begin(&p->sequence); ... blk_mq_end_request() blk_update_request() ext4_end_bio() folio_end_writeback() __wb_writeout_add() __fprop_add_percpu_max() if (unlikely(max_frac < FPROP_FRAC_BASE)) { fprop_fraction_percpu() seq = read_seqcount_begin(&p->sequence); - sees odd sequence so loops indefinitelyNote that a deadlock like this is only possible if the bdi has configuredmaximum fraction of writeout throughput which is very rare in general butfrequent for example for FUSE bdis. To fix this problem we have to makesure write section of the sequence counter is irqsafe.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23172 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: wwan: t7xx: fix potential skb->frags overflow in RX pathWhen receiving data in the DPMAIF RX path,the t7xx_dpmaif_set_frag_to_skb() function addspage fragments to an skb without checking if the number offragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflowin skb_shinfo(skb)->frags[] array, corrupting adjacent memory andpotentially causing kernel crashes or other undefined behavior.This issue was identified through static code analysis by comparing with asimilar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:fix array overflow on receiving too many fragments for a packet").The vulnerability could be triggered if the modem firmware sends packetswith excessive fragments. While under normal protocol conditions (MTU 3080bytes, BAT buffer 3584 bytes),a single packet should not require additionalfragments, the kernel should not blindly trust firmware behavior.Malicious, buggy, or compromised firmware could potentially craft packetswith more fragments than the kernel expects.Fix this by adding a bounds check before calling skb_add_rx_frag() toensure nr_frags does not exceed MAX_SKB_FRAGS.The check must be performed before unmapping to avoid a page leakand double DMA unmap during device teardown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23179 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()When the socket is closed while in TCP_LISTEN a callback is run toflush all outstanding packets, which in turns callsnvmet_tcp_listen_data_ready() with the sk_callback_lock held.So we need to check if we are in TCP_LISTEN before attemptingto get the sk_callback_lock() to avoid a deadlock.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23187 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domainsFix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23201 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix oops due to invalid pointer for kfree() in parse_longname()This fixes a kernel oops when reading ceph snapshot directories (.snap),for example by simply running `ls /mnt/my_ceph/.snap`.The variable str is guarded by __free(kfree), but advanced by one forskipping the initial '_' in snapshot names. Thus, kfree() is calledwith an invalid pointer. This patch removes the need for advancing thepointer so kfree() is called with correct memory pointer.Steps to reproduce:1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)2. Add cephfs mount to fstab$ echo "samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0" >> /etc/fstab3. Reboot the system$ systemctl reboot4. Check if it's really mounted$ mount | grep stuff5. List snapshots (expected 63 snapshots on my system)$ ls /mnt/test/stuff/.snapNow ls hangs forever and the kernel log shows the oops.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23212 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: annotate data-races around slave->last_rxslave->last_rx and slave->target_last_arp_rx[...] can be read and writtenlocklessly. Add READ_ONCE() and WRITE_ONCE() annotations.syzbot reported:BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validatewrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 __netif_receive_skb_one_core net/core/dev.c:6150 [inline] __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 netif_receive_skb_internal net/core/dev.c:6351 [inline] netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410...write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 __netif_receive_skb_one_core net/core/dev.c:6150 [inline] __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 netif_receive_skb_internal net/core/dev.c:6351 [inline] netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 br_netif_receive_skb net/bridge/br_input.c:30 [inline] NF_HOOK include/linux/netfilter.h:318 [inline]...value changed: 0x0000000100005365 -> 0x0000000100005366

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23216 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()In iscsit_dec_conn_usage_count(), the function calls complete() whileholding the conn->conn_usage_lock. As soon as complete() is invoked, thewaiter (such as iscsit_close_connection()) may wake up and proceed to freethe iscsit_conn structure.If the waiter frees the memory before the current thread reachesspin_unlock_bh(), it results in a KASAN slab-use-after-free as the functionattempts to release a lock within the already-freed connection structure.Fix this by releasing the spinlock before calling complete().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23242 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/siw: Fix potential NULL pointer dereference in header processingIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()dereferences qp->rx_fpdu->more_ddp_segs without checking, whichmay lead to a NULL pointer deref. Only check more_ddp_segs whenrx_fpdu is present.KASAN splat:[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7][ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23244 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme: fix memory allocation in nvme_pr_read_keys()nvme_pr_read_keys() takes num_keys from userspace and uses it tocalculate the allocation size for rse via struct_size(). The upperlimit is PR_KEYS_MAX (64K).A malicious or buggy userspace can pass a large num_keys value thatresults in a 4MB allocation attempt at most, causing a warning inthe page allocator when the order exceeds MAX_PAGE_ORDER.To fix this, use kvzalloc() instead of kzalloc().This bug has the same reasoning and fix with the patch below:https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/Warning log:WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272Modules linked in:CPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014RIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216Code: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0dRSP: 0018:ffffc90000fcf450 EFLAGS: 00010246RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0RBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001R10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000R13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620FS: 0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0Call Trace: alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486 alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557 ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598 __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629 __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245 blkdev_pr_read_keys block/ioctl.c:456 [inline] blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730 blkdev_ioctl+0x299/0x700 block/ioctl.c:786 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583 x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7eRIP: 0033:0x7fb893d3108dCode: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010RAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108dRDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001R13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23246 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfigurationlink_id is taken from the ML Reconfiguration element (control & 0x000f),so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS(15) elements, so index 15 is out-of-bounds. Skip subelements withlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-boundswrite.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23247 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: secure_seq: add back ports to TS offsetThis reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets")tcp_tw_recycle went away in 2017.Zhouyan Deng reported off-path TCP source port leakage viaSYN cookie side-channel that can be fixed in multiple ways.One of them is to bring back TCP ports in TS offset randomization.As a bonus, we perform a single siphash() computationto provide both an ISN and a TS offset.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23253 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: dvb-core: fix wrong reinitialization of ringbuffer on reopendvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens theDVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), whichreinitializes the waitqueue list head to empty.Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of thesame DVR device share it), this orphans any existing waitqueue entriesfrom io_uring poll or epoll, leaving them with stale prev/next pointerswhile the list head is reset to {self, self}.The waitqueue and spinlock in dvr_buffer are already properlyinitialized once in dvb_dmxdev_init(). The open path only needs toreset the buffer data pointer, size, and read/write positions.Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with directassignment of data/size and a call to dvb_ringbuffer_reset(), whichproperly resets pread, pwrite, and error with correct memory orderingwithout touching the waitqueue or spinlock.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23256 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanupIn setup_nic_devices(), the initialization loop jumps to the labelsetup_nic_dev_free on failure. The current cleanup loop while(i--)skip the failing index i, causing a memory leak.Fix this by changing the loop to iterate from the current index idown to 0.Compile tested only. Issue found using code review.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23257 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanupIn setup_nic_devices(), the initialization loop jumps to the labelsetup_nic_dev_free on failure. The current cleanup loop while(i--)skip the failing index i, causing a memory leak.Fix this by changing the loop to iterate from the current index idown to 0.Also, decrement i in the devlink_alloc failure path to point to thelast successfully allocated index.Compile tested only. Issue found using code review.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23264 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"This reverts commit 7294863a6f01248d72b61d38478978d638641bee.This commit was erroneously applied again after commit 0ab5d711ec74("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device")removed it, leading to very hard to debug crashes, when used with a system with twoAMD GPUs of which only one supports ASPM.(cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db835917080)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23270 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocksAs Paolo said earlier [1]:"Since the blamed commit below, classify can return TC_ACT_CONSUMED whilethe current skb being held by the defragmentation engine. As reported byGangMin Kim, if such packet is that may cause a UaF when the defrag enginelater on tries to tuch again such packet."act_ct was never meant to be used in the egress path, however some usersare attaching it to egress today [2]. Attempting to reach a middleground, we noticed that, while most qdiscs are not handlingTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, weaddress the issue by only allowing act_ct to bind to clsact/ingressqdiscs and shared blocks. That way it's still possible to attach act_ct toegress (albeit only with clsact).[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23285 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drbd: fix null-pointer dereference on local read errorIn drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to__req_mod() with a NULL peer_device: __req_mod(req, what, NULL, &m);The READ_COMPLETED_WITH_ERROR handler then unconditionally passes thisNULL peer_device to drbd_set_out_of_sync(), which dereferences it,causing a null-pointer dereference.Fix this by obtaining the peer_device via first_peer_device(device),matching how drbd_req_destroy() handles the same situation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23287 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:irqchip/sifive-plic: Fix frozen interrupt due to affinity settingPLIC ignores interrupt completion message for disabled interrupt, explainedby the specification: The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete register. The PLIC does not check whether the completion ID is the same as the last claim ID for that target. If the completion ID does not match an interrupt source that is currently enabled for the target, the completion is silently ignored.This caused problems in the past, because an interrupt can be disabledwhile still being handled and plic_irq_eoi() had no effect. That was fixedby checking if the interrupt is disabled, and if so enable it, beforesending the completion message. That check is done with irqd_irq_disabled().However, that is not sufficient because the enable bit for the handlinghart can be zero despite irqd_irq_disabled(d) being false. This can happenwhen affinity setting is changed while a hart is still handling theinterrupt.This problem is easily reproducible by dumping a large file to uart (whichgenerates lots of interrupts) and at the same time keep changing the uartinterrupt's affinity setting. The uart port becomes frozen almostinstantaneously.Fix this by checking PLIC's enable bit instead of irqd_irq_disabled().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23289 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()Fix a user triggerable leak on the system call failure path.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23291 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: pn533: properly drop the usb interface reference on disconnectWhen the device is disconnected from the driver, there is a "dangling"reference count on the usb interface that was grabbed in the probecallback. Fix this up by properly dropping the reference after we aredone with it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23302 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: annotate data-races around sk->sk_{data_ready,write_space}skmsg (and probably other layers) are changing these pointerswhile other cpus might read them concurrently.Add corresponding READ_ONCE()/WRITE_ONCE() annotationsfor UDP, TCP and AF_UNIX.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23303 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: Don't log plaintext credentials in cifs_set_cifscredsWhen debug logging is enabled, cifs_set_cifscreds() logs the keypayload and exposes the plaintext username and password. Remove thedebug log to avoid exposing credentials.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23307 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a messageWhen looking at the data in a USB urb, the actual_length is the size ofthe buffer passed to the driver, not the transfer_buffer_length which isset by the driver as the max size of the buffer.When parsing the messages in ems_usb_read_bulk_callback() properly checkthe size both at the beginning of parsing the message to make sure it isbig enough for the expected structure, and at the end of the message tomake sure we don't overflow past the end of the buffer for the nextmessage.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23313 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: Fix preempt count leak in napi poll tracepointUsing get_cpu() in the tracepoint assignment causes an obvious preemptcount leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101?This clearly has seen a lot of testing in the last 3+ years...Use smp_processor_id() instead.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23315 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()Check frame length before accessing the mgmt fields inmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oobaccess.[fix check to also cover mgmt->u.action.u.addba_req.capab,correct Fixes tag]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23318 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: usb-audio: Use correct version for UAC3 header validationThe entry of the validators table for UAC3 AC header descriptor isdefined with the wrong protocol version UAC_VERSION_2, while it shouldhave been UAC_VERSION_3. This results in the validator never matchingfor actual UAC3 devices (protocol == UAC_VERSION_3), causing theirheader descriptors to bypass validation entirely. A malicious USBdevice presenting a truncated UAC3 header could exploit this to causeout-of-bounds reads when the driver later accesses unvalidateddescriptor fields.The bug was introduced in the same commit as the recently fixed UAC3feature unit sub-type typo, and appears to be from the same copy-pasteerror when the UAC3 section was created from the UAC2 section.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23325 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()Check frame length before accessing the mgmt fields inmt7996_mac_write_txwi_80211 in order to avoid a possible oob access.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23327 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()cxl_payload_from_user_allowed() casts and dereferences the inputpayload without first verifying its size. When a raw mailbox commandis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,triggering a KASAN splat:BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x650 mm/kasan/report.c:482 kasan_report+0xce/0x100 mm/kasan/report.c:595 memcmp+0x176/0x1d0 lib/string.c:683 uuid_equal include/linux/uuid.h:73 [inline] cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline] cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline] cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline] cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643 __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline] cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fdaf331ba79Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768 Add 'in_size' parameter to cxl_payload_from_user_allowed() and validatethe payload is large enough.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23336 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()There is a use-after-free error in cfg80211_shutdown_all_interfaces foundby syzkaller:BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014Workqueue: events cfg80211_rfkill_block_workCall Trace: dump_stack_lvl+0x116/0x1f0 print_report+0xcd/0x630 kasan_report+0xe0/0x110 cfg80211_shutdown_all_interfaces+0x213/0x220 cfg80211_rfkill_block_work+0x1e/0x30 process_one_work+0x9cf/0x1b70 worker_thread+0x6c8/0xf10 kthread+0x3c5/0x780 ret_from_fork+0x56d/0x700 ret_from_fork_asm+0x1a/0x30 The problem arises due to the rfkill_block work is not cancelled when wiphyis being unregistered. In order to fix the issue cancel the correspondingwork in wiphy_unregister().Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23343 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xdp: produce a warning when calculated tailroom is negativeMany ethernet drivers report xdp Rx queue frag size as being the same asDMA write size. However, the only user of this field, namelybpf_xdp_frags_increase_tail(), clearly expects a truesize.Such difference leads to unspecific memory corruption issues under certaincircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so whenrunning xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully usesall DMA-writable space in 2 buffers. This would be fine, if onlyrxq->frag_size was properly set to 4K, but value of 3K results in anegative tailroom, because there is a non-zero page offset.We are supposed to return -EINVAL and be done with it in such case, but dueto tailroom being stored as an unsigned int, it is reported to be somewherenear UINT_MAX, resulting in a tail being grown, even if the requestedoffset is too much (it is around 2K in the abovementioned test). This laterleads to all kinds of unspecific calltraces.[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000][ 7340.339230] in xskxceiver[42b5,400000+69000][ 7340.340300] likely on CPU 6 (core 0, socket 6)[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe[ 7340.340888] likely on CPU 3 (core 0, socket 3)[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500[ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0[ 7340.421237] PKRU: 55555554[ 7340.421623] Call Trace:[ 7340.421987] [ 7340.422309] ? softleaf_from_pte+0x77/0xa0[ 7340.422855] swap_pte_batch+0xa7/0x290[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270[ 7340.424102] zap_pte_range+0x281/0x580[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240[ 7340.425177] unmap_page_range+0x24d/0x420[ 7340.425714] unmap_vmas+0xa1/0x180[ 7340.426185] exit_mmap+0xe1/0x3b0[ 7340.426644] __mmput+0x41/0x150[ 7340.427098] exit_mm+0xb1/0x110[ 7340.427539] do_exit+0x1b2/0x460[ 7340.427992] do_group_exit+0x2d/0xc0[ 7340.428477] get_signal+0x79d/0x7e0[ 7340.428957] arch_do_signal_or_restart+0x34/0x100[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0[ 7340.430159] do_syscall_64+0x188/---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23346 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: io: Extract user memory type in ioremap_prot()The only caller of ioremap_prot() outside of the generic ioremap()implementation is generic_access_phys(), which passes a 'pgprot_t' valuedetermined from the user mapping of the target 'pfn' being accessed bythe kernel. On arm64, the 'pgprot_t' contains all of the non-addressbits from the pte, including the permission controls, and so we end upreturning a new user mapping from ioremap_prot() which faults whenaccessed from the kernel on systems with PAN: | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 | ... | Call trace: | __memcpy_fromio+0x80/0xf8 | generic_access_phys+0x20c/0x2b8 | __access_remote_vm+0x46c/0x5b8 | access_remote_vm+0x18/0x30 | environ_read+0x238/0x3e8 | vfs_read+0xe4/0x2b0 | ksys_read+0xcc/0x178 | __arm64_sys_read+0x4c/0x68Extract only the memory type from the user 'pgprot_t' in ioremap_prot()and assert that we're being passed a user mapping, to protect us againstany changes in future that may require additional handling. To avoidfalsely flagging users of ioremap(), provide our own ioremap() macrowhich simply wraps __ioremap_prot().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23348 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cxl: Fix race of nvdimm_bus object when creating nvdimm objectsFound issue during running of cxl-translate.sh unit test. Adding a 3ssleep right before the test seems to make the issue reproduce fairlyconsistently. The cxl_translate module has dependency on cxl_acpi andcauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.The nvdimm_bus object is registered by the cxl_nvb object whencxl_acpi_probe() is called. With the nvdimm_bus object missing,__nd_device_register() will trigger NULL pointer dereference whenaccessing the dev->parent that points to &nvdimm_bus->dev.[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core][ 192.899459] RIP: 0010:kobject_get+0xc/0x90[ 192.924871] Call Trace:[ 192.925959] [ 192.926976] ? pm_runtime_init+0xb9/0xe0[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm][ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm][ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem][ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core][ 192.943349] really_probe+0xde/0x380This patch also relies on the previous change wheredevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c insteadof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the driver is probed synchronously when add_device() is called.2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the cxl_nvb driver is attached during cxl_acpi_probe().3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe() will exit with -EBUSY.The removal of cxl_nvdimm devices should prevent any orphaned devicesfrom probing once the nvdimm_bus is gone.[ dj: Fixed 0-day reported kdoc issue. ][ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23351 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_set_pipapo: split gc into unlink and reclaim phaseYiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service).We must split GC in an unlink and a reclaim phase.We cannot queue elements for freeing until pointers have been swapped.Expired elements are still exposed to both the packet path and userspacedumpers via the live copy of the data structure.call_rcu() does not protect us: dump operations or element lookups startingafter call_rcu has fired can still observe the free'd element, unless thecommit phase has made enough progress to swap the clone and live pointersbefore any new reader has picked up the old version.This a similar approach as done recently for the rbtree backend in commit35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23352 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/efi: defer freeing of boot services memoryefi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODEand EFI_BOOT_SERVICES_DATA using memblock_free_late().There are two issue with that: memblock_free_late() should be used formemory allocated with memblock_alloc() while the memory reserved withmemblock_reserve() should be freed with free_reserved_area().More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=yefi_free_boot_services() is called before deferred initialization of thememory map is complete.Benjamin Herrenschmidt reports that this causes a leak of ~140MB ofRAM on EC2 t3a.nano instances which only have 512MB or RAM.If the freed memory resides in the areas that memory map for them isstill uninitialized, they won't be actually freed becausememblock_free_late() calls memblock_free_pages() and the latter skipsuninitialized pages.Using free_reserved_area() at this point is also problematic because__free_page() accesses the buddy of the freed page and that again mightend up in uninitialized part of the memory map.Delaying the entire efi_free_boot_services() could be problematicbecause in addition to freeing boot services memory it updatesefi.memmap without any synchronization and that's undesirable late inboot when there is concurrency.More robust approach is to only defer freeing of the EFI boot servicesmemory.Split efi_free_boot_services() in two. First efi_unmap_boot_services()collects ranges that should be freed into an array thenefi_free_boot_services() later frees them after deferred init is complete.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23362 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: bcm: fix locking for bcm_op runtime updatesCommit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates")added a locking for some variables that can be modified at runtime whenupdating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().Usually the RX_SETUP only handles and filters incoming traffic with oneexception: When the RX_RTR_FRAME flag is set a predefined CAN frame issent when a specific RTR frame is received. Therefore the rx bcm_op usesbcm_can_tx() which uses the bcm_tx_lock that was only initialized inbcm_tx_setup(). Add the missing spin_lock_init() when allocating thebcm_op in bcm_rx_setup() to handle the RTR case properly.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23363 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()Check frame length before accessing the mgmt fields inmt7925_mac_write_txwi_80211 in order to avoid a possible oob access.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23364 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: Compare MACs in constant timeTo prevent timing attacks, MAC comparisons need to be constant-time.Replace the memcmp() with the correct function, crypto_memneq().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23365 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: kalmia: validate USB endpointsThe kalmia driver should validate that the device it is probing has theproper number and types of USB endpoints it is expecting before it bindsto it. If a malicious device were to not have the same urbs the driverwill crash later on when it blindly accesses these endpoints.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23368 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: phy: register phy led_triggers during probe to avoid AB-BA deadlockThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV andLED_TRIGGER_PHY are enabled:[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c[ 1362.104022] [<80014504>] syscall_common+0x34/0x58Here LED_TRIGGER_PHY is registering LED triggers during phy_attachwhile holding RTNL and then taking triggers_list_lock.[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c[ 1362.232164] [<80014504>] syscall_common+0x34/0x58Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takestriggers_list_lock and then RTNL. A classical AB-BA deadlock.phy_led_triggers_registers() does not require the RTNL, it does notmake any calls into the network stack which require protection. Thereis also no requirement the PHY has been attached to a MAC, thetriggers only make use of phydev state. This allows the call tophy_led_triggers_registers() to be placed elsewhere. PHY probe() andrelease() don't hold RTNL, so solving the AB-BA deadlock.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23370 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:platform/x86: dell-wmi-sysman: Don't hex dump plaintext password dataset_new_password() hex dumps the entire buffer, which contains plaintextpassword data, including current and new passwords. Remove the hex dumpto avoid leaking credentials.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23372 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: rawsock: cancel tx_work before socket teardownIn rawsock_release(), cancel any pending tx_work and purge the writequeue before orphaning the socket. rawsock_tx_work runs on the systemworkqueue and calls nfc_data_exchange which dereferences the NCIdevice. Without synchronization, tx_work can race with socket anddevice teardown when a process is killed (e.g. by SIGKILL), leadingto use-after-free or leaked references.Set SEND_SHUTDOWN first so that if tx_work is already running it willsee the flag and skip transmitting, then use cancel_work_sync to waitfor any in-progress execution to finish, and finally purge anyremaining queued skbs.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23373 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_configThis triggers a WARN_ON in ieee80211_hw_conf_init and isn't the expectedbehavior from the driver - other drivers default to 0 too.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23374 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:blktrace: fix __this_cpu_read/write in preemptible contexttracing_record_cmdline() internally uses __this_cpu_read() and__this_cpu_write() on the per-CPU variable trace_cmdline_save, andtrace_save_cmdline() explicitly asserts preemption is disabled vialockdep_assert_preemption_disabled(). These operations are only safewhen preemption is off, as they were designed to be called from thescheduler context (probe_wakeup_sched_switch() / probe_wakeup()).__blk_add_trace() was calling tracing_record_cmdline(current) early inthe blk_tracer path, before ring buffer reservation, from processcontext where preemption is fully enabled. This triggers the followingusing blktests/blktrace/002:blktrace/002 (blktrace ftrace corruption with sysfs trace) [failed] runtime 0.367s ... 0.437s something found in dmesg: [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] [ 81.362886] dump_stack_lvl+0x8d/0xb0 ... (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33[ 81.239580] null_blk: disk nullb1 created[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516[ 81.362842] caller is tracing_record_cmdline+0x10/0x40[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)[ 81.362877] Tainted: [N]=TEST[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014[ 81.362881] Call Trace:[ 81.362884] [ 81.362886] dump_stack_lvl+0x8d/0xb0[ 81.362895] check_preemption_disabled+0xce/0xe0[ 81.362902] tracing_record_cmdline+0x10/0x40[ 81.362923] __blk_add_trace+0x307/0x5d0[ 81.362934] ? lock_acquire+0xe0/0x300[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30[ 81.362959] blk_add_trace_bio+0x106/0x1e0[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0[ 81.362979] ? lockdep_init_map_type+0x58/0x260[ 81.362988] submit_bio_wait+0x56/0x90[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0[ 81.363051] blkdev_read_iter+0xc1/0x140[ 81.363059] vfs_read+0x20b/0x330[ 81.363083] ksys_read+0x67/0xe0[ 81.363090] do_syscall_64+0xbf/0xf00[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e[ 81.363106] RIP: 0033:0x7f281906029d[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a[ 81.363142] The same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),and blk_add_trace_rq() paths as well.The purpose of tracin---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23376 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet-fcloop: Check remoteport port_state before calling done callbackIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set whenremoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, thenvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected tofail and the nvme-fc transport layer itself will directly callnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to freethe lsrsp resources.Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.If online, then lsrsp->done callback will free the lsrsp. Else, return-ENODEV to signal the nvme-fc transport to handle freeing lsrsp.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23377 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: change XDP RxQ frag_size from DMA write length to xdp.frame_szThe only user of frag_size field in XDP RxQ info isbpf_xdp_frags_increase_tail(). It clearly expects whole buff size insteadof DMA write size. Different assumptions in ice driver configuration leadto negative tailroom.This allows to trigger kernel panic, when usingXDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to6912 and the requested offset to a huge value, e.g.XSK_UMEM__MAX_FRAME_SIZE * 100.Due to other quirks of the ZC configuration in ice, panic is not observedin ZC mode, but tailroom growing still fails when it should not.Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.Fix ZC mode too by using the new helper.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23379 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: ets: fix divide by zero in the offload pathOffloading ETS requires computing each class' WRR weight: this is done byaveraging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsignedint, the same integer size as the individual DRR quanta, can overflow andeven cause division by zero, like it happened in the following splat: Oops: divide error: 0000 [#1] SMP PTI CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) Tainted: [E]=UNSIGNED_MODULE Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Call Trace: ets_qdisc_change+0x870/0xf40 [sch_ets] qdisc_create+0x12b/0x540 tc_modify_qdisc+0x6d7/0xbd0 rtnetlink_rcv_msg+0x168/0x6b0 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x1d6/0x2b0 netlink_sendmsg+0x22e/0x470 ____sys_sendmsg+0x38a/0x3c0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x111/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f440b81c77e Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 Modules linked in: sch_ets(E) netdevsim(E) ---[ end trace 0000000000000000 ]--- RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]---Fix this using 64-bit integers for 'q_sum' and 'q_psum'.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23381 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: bridge: fix nd_tbl NULL dereference when IPv6 is disabledWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is neverinitialized because inet6_init() exits before ndisc_init() is calledwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() willdereference ipv6_stub->nd_tbl which is NULL, passing it toneigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() inthe callers. This is in essence disabling NS/NA suppression when IPv6 isdisabled.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23382 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing themIn commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference atraw event handle"), we handle the fact that raw event callbackscan happen even for a HID device that has not been "claimed" causing acrash if a broken device were attempted to be connected to the system.Fix up the remaining in-tree HID drivers that forgot to add this samecheck to resolve the same issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23383 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearingstruct bpf_plt contains a u64 target field. Currently, the BPF JITallocator requests an alignment of 4 bytes (sizeof(u32)) for the JITbuffer.Because the base address of the JIT buffer can be 4-byte aligned (e.g.,ending in 0x4 or 0xc), the relative padding logic in build_plt() failsto ensure that target lands on an 8-byte boundary.This leads to two issues:1. UBSAN reports misaligned-access warnings when dereferencing the structure.2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address.Fix this by increasing the allocation alignment requirement to 8 bytes(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base ofthe JIT buffer to an 8-byte boundary, allowing the relative padding mathin build_plt() to correctly align the target field.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23386 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPLIn DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDAbuffer cleanup path. It iterates num_bufs times and attempts to unmapentries in the dma array.This leads to two issues:1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations.2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed the size of the dma array, causing out-of-bounds access warnings(trace below is how we noticed this issue).UBSAN: array-index-out-of-bounds indrivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out ofrange for type 'dma_addr_t[18]' (aka 'unsigned long long[18]')Workqueue: gve gve_service_task [gve]Call Trace:dump_stack_lvl+0x33/0xa0__ubsan_handle_out_of_bounds+0xdc/0x110gve_tx_stop_ring_dqo+0x182/0x200 [gve]gve_close+0x1be/0x450 [gve]gve_reset+0x99/0x120 [gve]gve_service_task+0x61/0x100 [gve]process_scheduled_works+0x1e9/0x380Fix this by properly checking for QPL mode and delegating togve_free_tx_qpl_bufs() to reclaim the buffers.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23389 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: Fix memory leak in ice_set_ringparam()In ice_set_ringparam, tx_rings and xdp_rings are allocated beforerx_rings. If the allocation of rx_rings fails, the code jumps tothe done label leaking both tx_rings and xdp_rings. Furthermore, ifthe setup of an individual Rx ring fails during the loop, the code jumpsto the free_tx label which releases tx_rings but leaks xdp_rings.Fix this by introducing a free_xdp label and updating the error paths toensure both xdp_rings and tx_rings are properly freed if rx_ringsallocation or setup fails.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23391 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: xt_CT: drop pending enqueued packets on template removalTemplates refer to objects that can go away while packets are sitting innfqueue refer to:- helper, this can be an issue on module removal.- timeout policy, nfnetlink_cttimeout might remove it.The use of templates with zone and event cache filter are safe, sincethis just copies values.Flush these enqueued packets in case the template rule gets removed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23404 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: replace recursive profile removal with iterative approachThe profile removal code uses recursion when removing nested profiles,which can lead to kernel stack exhaustion and system crashes.Reproducer: $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done $ echo -n a > /sys/kernel/security/apparmor/.removeReplace the recursive __aa_profile_list_release() approach with aniterative approach in __remove_profile(). The function repeatedlyfinds and removes leaf profiles until the entire subtree is removed,maintaining the same removal semantic without recursion.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23405 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix: limit the number of levels of policy namespacesCurrently the number of policy namespaces is not bounded relying onthe user namespace limit. However policy namespaces aren't strictlytied to user namespaces and it is possible to create them and nestthem arbitrarily deep which can be used to exhaust system resource.Hard cap policy namespaces to the same depth as user namespaces.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23419 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/rds: Fix circular locking dependency in rds_tcp_tunesyzbot reported a circular locking dependency in rds_tcp_tune() wheresk_net_refcnt_upgrade() is called while holding the socket lock:======================================================WARNING: possible circular locking dependency detected======================================================kworker/u10:8/15040 is trying to acquire lock:ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},at: __kmalloc_cache_noprof+0x4b/0x6f0but task is already holding lock:ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},at: rds_tcp_tune+0xd7/0x930The issue occurs because sk_net_refcnt_upgrade() performs memoryallocation (via get_net_track() -> ref_tracker_alloc()) while thesocket lock is held, creating a circular dependency with fs_reclaim.Fix this by moving sk_net_refcnt_upgrade() outside the socket lockcritical section. This is safe because the fields modified by thesk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are notaccessed by any concurrent code path at this point.v2: - Corrected fixes tag - check patch line wrap nits - ai commentary nits

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23420 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: wlcore: Fix a locking bugMake sure that wl->mutex is locked before it is unlocked. This has beendetected by the Clang thread-safety analyzer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23438 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: mvpp2: guard flow control update with global_tx_fc in buffer switchingmvpp2_bm_switch_buffers() unconditionally callsmvpp2_bm_pool_update_priv_fc() when switching between per-cpu andshared buffer pool modes. This function programs CM3 flow controlregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereferencepriv->cm3_base without any NULL check.When the CM3 SRAM resource is not present in the device tree (thethird reg entry added by commit 60523583b07c ("dts: marvell: add CM3SRAM memory to cp11x ethernet device tree")), priv->cm3_base remainsNULL and priv->global_tx_fc is false. Any operation that triggersmvpp2_bm_switch_buffers(), for example an MTU change that crossesthe jumbo frame threshold, will crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits pc : readl+0x0/0x18 lr : mvpp2_cm3_read.isra.0+0x14/0x20 Call trace: readl+0x0/0x18 mvpp2_bm_pool_update_fc+0x40/0x12c mvpp2_bm_pool_update_priv_fc+0x94/0xd8 mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 mvpp2_change_mtu+0x140/0x380 __dev_set_mtu+0x1c/0x38 dev_set_mtu_ext+0x78/0x118 dev_set_mtu+0x48/0xa8 dev_ifsioc+0x21c/0x43c dev_ioctl+0x2d8/0x42c sock_ioctl+0x314/0x378Every other flow control call site in the driver already guardshardware access with either priv->global_tx_fc or port->tx_fc.mvpp2_bm_switch_buffers() is the only place that omits this check.Add the missing priv->global_tx_fc guard to both the disable andre-enable calls in mvpp2_bm_switch_buffers(), consistent with therest of the driver.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23439 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0(success) without actually creating a socket. Callers such asfou_create() then proceed to dereference the uninitialized socketpointer, resulting in a NULL pointer dereference.The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, socallers correctly take their error paths. There is only one caller ofthe vulnerable function and only privileged users can trigger it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23446 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: aqc111: Do not perform PM inside suspend callbacksyzbot reports "task hung in rpm_resume"This is caused by aqc111_suspend callingthe PM variant of its write_cmd routine.The simplified call trace looks like this:rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen.At this point we block another task which holdsrtnl_lock and locks up the whole networking stack.Fix this by replacing the write_cmd calls with their _nopm variants

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23468 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Limit BO list entry count to prevent resource exhaustionUserspace can pass an arbitrary number of BO list entries via thebo_number field. Although the previous multiplication overflow checkprevents out-of-bounds allocation, a large number of entries could stillcause excessive memory allocation (up to potentially gigabytes) andunnecessarily long list processing times.Introduce a hard limit of 128k entries per BO list, which is more thansufficient for any realistic use case (e.g., a single list containing allbuffers in a large scene). This prevents memory exhaustion attacks andensures predictable performance.Return -EINVAL if the requested entry count exceeds the limit(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23553 Severity: Moderate CVSS3 score: 5.5

Description: In the context switch logic Xen attempts to skip an IBPB in the case ofa vCPU returning to a CPU on which it was the previous vCPU to run.While safe for Xen's isolation between vCPUs, this prevents the guestkernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again.Now, task 2 is running on CPU A with task 1's training still in the BTB.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
xen-libs > 0-0 (version in image is 4.18.5_10-150600.3.37.1).

CVE-2026-24515 Severity: Moderate CVSS3 score: 5.5

Description: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-25645 Severity: Moderate CVSS3 score: 5.5

Description: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3-requests > 0-0 (version in image is 2.25.1-150300.3.18.1).

CVE-2026-29111 Severity: Moderate CVSS3 score: 5.5

Description: systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libsystemd0 < 254.27-150600.4.62.1 (version in image is 254.27-150600.4.46.2).

CVE-2026-31405 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: dvb-net: fix OOB access in ULE extension header tablesThe ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tablesin handle_one_ule_extension() are declared with 255 elements (validindices 0-254), but the index htype is derived from network-controlleddata as (ule_sndu_type & 0x00FF), giving a range of 0-255. Whenhtype equals 255, an out-of-bounds read occurs on the function pointertable, and the OOB value may be called as a function pointer.Add a bounds check on htype against the array size before either tableis accessed. Out-of-range values now cause the SNDU to be discarded.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31411 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: atm: fix crash due to unvalidated vcc pointer in sigd_send()Reproducer available at [1].The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vccpointer from msg->vcc and uses it directly without any validation. Thispointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeefIn normal operation, the kernel sends the vcc pointer to the signalingdaemon via sigd_enq() when processing operations like connect(), bind(),or listen(). The daemon is expected to return the same pointer whenresponding. However, a malicious daemon can send arbitrary pointer values.Fix this by introducing find_get_vcc() which validates the pointer bysearching through vcc_hash (similar to how sigd_close() iterates overall VCCs), and acquires a reference via sock_hold() if found.Since struct atm_vcc embeds struct sock as its first member, they sharethe same lifetime. Therefore using sock_hold/sock_put is sufficient tokeep the vcc alive while it is being used.Note that there may be a race with sigd_close() which could mark the vccwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.However, sock_hold() guarantees the memory remains valid, so this raceonly affects the logical state, not memory safety.[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31414 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_expect: use expect->helperUse expect->helper in ctnetlink and /proc to dump the helper name.Using nfct_help() without holding a reference to the master conntrackis unsafe.Use exp->master->helper in ctnetlink path if userspace does not providean explicit helper when creating an expectation to retain the existingbehaviour. The ctnetlink expectation path holds the reference on themaster conntrack and nf_conntrack_expect lock and the nfnetlink gluepath refers to the master ct that is attached to the skb.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31418 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ipset: drop logically empty buckets in mtype_delmtype_del() counts empty slots below n->pos in k, but it only drops thebucket when both n->pos and k are zero. This misses buckets whose liveentries have all been removed while n->pos still points past deleted slots.Treat a bucket as empty when all positions below n->pos are unused andrelease it directly instead of shrinking it further.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31420 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: mrp: reject zero test interval to avoid OOM panicbr_mrp_start_test() and br_mrp_start_in_test() accept the user-suppliedinterval value from netlink without validation. When interval is 0,usecs_to_jiffies(0) yields 0, causing the delayed work(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to rescheduleitself with zero delay. This creates a tight loop on system_percpu_wqthat allocates and transmits MRP test frames at maximum rate, exhaustingall system memory and causing a kernel panic via OOM deadlock.The same zero-interval issue applies to br_mrp_start_in_test_parse()for interconnect test frames.Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for bothIFLA_BRIDGE_MRP_START_TEST_INTERVAL andIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at thenetlink attribute parsing layer before the value ever reaches theworkqueue scheduling code. This is consistent with how other bridgesubsystems (br_fdb, br_mst) enforce range constraints on netlinkattributes.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31421 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: cls_fw: fix NULL pointer dereference on shared blocksThe old-method path in fw_classify() calls tcf_block_q() anddereferences q->handle. Shared blocks leave block->q NULL, causing aNULL deref when an empty cls_fw filter is attached to a shared blockand a packet with a nonzero major skb mark is classified.Reject the configuration in fw_change() when the old method (noTCA_OPTIONS) is used on a shared block, since fw_classify()'sold-method path needs block->q which is NULL for shared blocks.The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31422 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: cls_flow: fix NULL pointer dereference on shared blocksflow_change() calls tcf_block_q() and dereferences q->handle to derivea default baseclass. Shared blocks leave block->q NULL, causing a NULLderef when a flow filter without a fully qualified baseclass is createdon a shared block.Check tcf_block_shared() before accessing block->q and return -EINVALfor shared blocks. This avoids the null-deref shown below:=======================================================================KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]RIP: 0010:flow_change (net/sched/cls_flow.c:508)Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...]=======================================================================

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31423 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()m2sm() converts a u32 slope to a u64 scaled value. For large inputs(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() storesthe difference of two such u64 values in a u32 variable `dsm` anduses it as a divisor. When the difference is exactly 2^32 thetruncation yields zero, causing a divide-by-zero oops in theconcave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...]Widen `dsm` to u64 and replace do_div() with div64_u64() so the fulldifference is preserved.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31424 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARPWeiming Shi says:xt_match and xt_target structs registered with NFPROTO_UNSPEC can beloaded by any protocol family through nft_compat. When such amatch/target sets .hooks to restrict which hooks it may run on, thebitmask uses NF_INET_* constants. This is only correct for familieswhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridgeall share the same five hooks (PRE_ROUTING ... POST_ROUTING).ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with differentsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooksvalidation silently passes for the wrong reasons, allowing matches torun on ARP chains where the hook assumptions (e.g. state->in beingset on input hooks) do not hold. This leads to NULL pointerdereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) Kernel panic - not syncing: Fatal exception in interruptFix it by restricting arptables to NFPROTO_ARP extensions only.Note that arptables-legacy only supports:- arpt_CLASSIFY- arpt_mangle- arpt_MARKthat provide explicit NFPROTO_ARP match/target declarations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31425 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rds: ib: reject FRMR registration before IB connection is establishedrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_dataand passes it to rds_ib_reg_frmr() for FRWR memory registration. On afresh outgoing connection, ic is allocated in rds_ib_conn_alloc() withi_cm_id = NULL because the connection worker has not yet calledrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() withRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parsesthe control message before any connection establishment, allowingrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash thekernel.The existing guard in rds_ib_reg_frmr() only checks for !ic (added incommit 9e630bcb7701), which does not catch this case since ic is allocatedearly and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are allnon-NULL before proceeding with FRMR registration, mirroring the guardalready present in rds_ib_post_inv(). Return -ENODEV when the connectionis not ready, which the existing error handling in rds_cmsg_send() convertsto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() tostart the connection worker.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31428 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD__build_packet_message() manually constructs the NFULA_PAYLOAD netlinkattribute using skb_put() and skb_copy_bits(), bypassing the standardnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytesare allocated (including NLA alignment padding), only data_len bytesof actual packet data are copied. The trailing nla_padlen(data_len)bytes (1-3 when data_len is not 4-byte aligned) are never initialized,leaking stale heap contents to userspace via the NFLOG netlink socket.Replace the manual attribute construction with nla_reserve(), whichhandles the tailroom check, header setup, and padding zeroing via__nla_reserve(). The subsequent skb_copy_bits() fills in the payloaddata on top of the properly initialized attribute.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31429 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: skb: fix cross-cache free of KFENCE-allocated skb headSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2value (e.g. 704 on x86_64) to avoid collisions with generic kmallocbucket sizes. This ensures that skb_kfree_head() can reliably useskb_end_offset to distinguish skb heads allocated fromskb_small_head_cache vs. generic kmalloc caches.However, when KFENCE is enabled, kfence_ksize() returns the exactrequested allocation size instead of the slab bucket size. If a caller(e.g. bpf_test_init) allocates skb head data via kzalloc() and therequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, thenslab_build_skb() -> ksize() returns that exact value. After subtractingskb_shared_info overhead, skb_end_offset ends up matchingSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly freethe object to skb_small_head_cache instead of back to the originalkmalloc cache, resulting in a slab cross-cache free: kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1kFix this by always calling kfree(head) in skb_kfree_head(). This keepsthe free path generic and avoids allocator-specific misclassificationfor KFENCE objects.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31439 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: xilinx: xdma: Fix regmap init error handlingdevm_regmap_init_mmio returns an ERR_PTR() upon error, not NULL.Fix the error check and also fix the error message. Use the error codefrom ERR_PTR() instead of the wrong value in ret.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31444 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()smb_grant_oplock() has two issues in the oplock publication sequence:1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.Fix by restructuring the publication sequence to eliminate post-publishfailure:- Set opinfo->o_fp before any list publication (fixes NULL deref).- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.This also requires splitting add_lease_global_list() to take apreallocated lease_table and changing its return type from int to void,since it can no longer fail.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31447 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: reject mount if bigalloc with s_first_data_block != 0bigalloc with s_first_data_block != 0 is not supported, reject mountingit.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31449 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: validate p_idx bounds in ext4_ext_correct_indexesext4_ext_correct_indexes() walks up the extent tree correctingindex entries when the first extent in a leaf is modified. Beforeaccessing path[k].p_idx->ei_block, there is no validation thatp_idx falls within the valid range of index entries for thatlevel.If the on-disk extent header contains a corrupted or craftedeh_entries value, p_idx can point past the end of the allocatedbuffer, causing a slab-out-of-bounds read.Fix this by validating path[k].p_idx against EXT_LAST_INDEX() atboth access sites: before the while loop and inside it. Return-EFSCORRUPTED if the index pointer is out of range, consistentwith how other bounds violations are handled in the ext4 extenttree code.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31450 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: publish jinode after initializationext4_inode_attach_jinode() publishes ei->jinode to concurrent users.It used to set ei->jinode before jbd2_journal_init_jbd_inode(),allowing a reader to observe a non-NULL jinode with i_vfs_inodestill unset.The fast commit flush path can then pass this jinode tojbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping andmay crash.Below is the crash I observe:```BUG: unable to handle page fault for address: 000000010beb47f4PGD 110e51067 P4D 110e51067 PUD 0Oops: Oops: 0000 [#1] SMP NOPTICPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014RIP: 0010:xas_find_marked+0x3d/0x2e0Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ecR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0PKRU: 55555554Call Trace:filemap_get_folios_tag+0x87/0x2a0__filemap_fdatawait_range+0x5f/0xd0? srso_alias_return_thunk+0x5/0xfbef5? __schedule+0x3e7/0x10c0? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5? cap_safe_nice+0x37/0x70? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5filemap_fdatawait_range_keep_errors+0x12/0x40ext4_fc_commit+0x697/0x8b0? ext4_file_write_iter+0x64b/0x950? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5? vfs_write+0x356/0x480? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80ext4_sync_file+0xf7/0x370do_fsync+0x3b/0x80? syscall_trace_enter+0x108/0x1d0__x64_sys_fdatasync+0x16/0x20do_syscall_64+0x62/0x2c0entry_SYSCALL_64_after_hwframe+0x76/0x7e...```Fix this by initializing the jbd2_inode first.Use smp_wmb() and WRITE_ONCE() to publish ei->jinode afterinitialization. Readers use READ_ONCE() to fetch the pointer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31451 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: replace BUG_ON with proper error handling in ext4_read_inline_folioReplace BUG_ON() with proper error handling when inline data sizeexceeds PAGE_SIZE. This prevents kernel panic and allows the system tocontinue running while properly reporting the filesystem corruption.The error is logged via ext4_error_inode(), the buffer head is releasedto prevent memory leak, and -EFSCORRUPTED is returned to indicatefilesystem corruption.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31452 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: convert inline data to extents when truncate exceeds inline sizeAdd a check in ext4_setattr() to convert files from inline data storageto extent-based storage when truncate() grows the file size beyond theinline capacity. This prevents the filesystem from entering aninconsistent state where the inline data flag is set but the file sizeexceeds what can be stored inline.Without this fix, the following sequence causes a kernel BUG_ON():1. Mount filesystem with inode that has inline flag set and small size2. truncate(file, 50MB) - grows size but inline flag remains set3. sendfile() attempts to write data4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)The crash occurs because ext4_write_inline_data() expects inline storageto accommodate the write, but the actual inline capacity (~60 bytes fori_block + ~96 bytes for xattrs) is far smaller than the file size andwrite request.The fix checks if the new size from setattr exceeds the inode's actualinline capacity (EXT4_I(inode)->i_inline_size) and converts the file toextent-based storage before proceeding with the size change.This addresses the root cause by ensuring the inline data flag and filesize remain consistent during truncate operations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31453 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: avoid dereferencing log items after push callbacksAfter xfsaild_push_item() calls iop_push(), the log item may have beenfreed if the AIL lock was dropped during the push. Background inodereclaim or the dquot shrinker can free the log item while the AIL lockis not held, and the tracepoints in the switch statement dereferencethe log item after iop_push() returns.Fix this by capturing the log item type, flags, and LSN before callingxfsaild_push_item(), and introducing a new xfs_ail_push_class traceevent class that takes these pre-captured values and the ailp pointerinstead of the log item pointer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31454 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: save ailp before dropping the AIL lock in push callbacksIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lockis dropped to perform buffer IO. Once the cluster buffer no longerprotects the log item from reclaim, the log item may be freed bybackground reclaim or the dquot shrinker. The subsequent spin_lock()call dereferences lip->li_ailp, which is a use-after-free.Fix this by saving the ailp pointer in a local variable while the AILlock is held and the log item is guaranteed to be valid.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31455 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: stop reclaim before pushing AIL during unmountThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL whilebackground reclaim and inodegc are still running. This is brokenindependently of any use-after-free issues - background reclaim andinodegc should not be running while the AIL is being pushed duringunmount, as inodegc can dirty and insert inodes into the AIL during theflush, and background reclaim can race to abort and free dirty inodes.Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel backgroundreclaim before pushing the AIL. Stop inodegc before cancellingm_reclaim_work because the inodegc worker can re-queue m_reclaim_workvia xfs_inodegc_set_reclaimable.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31458 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]Multiple sysfs command paths dereference contexts_arr[0] without firstverifying that kdamond->contexts->nr == 1. A user can set nr_contexts to0 via sysfs while DAMON is running, causing NULL pointer dereferences.In more detail, the issue can be triggered by privileged users likebelow.First, start DAMON and make contexts directory empty(kdamond->contexts->nr == 0). # damo start # cd /sys/kernel/mm/damon/admin/kdamonds/0 # echo 0 > contexts/nr_contextsThen, each of below commands will cause the NULL pointer dereference. # echo update_schemes_stats > state # echo update_schemes_tried_regions > state # echo update_schemes_tried_bytes > state # echo update_schemes_effective_quotas > state # echo update_tuned_intervals > stateGuard all commands (except OFF) at the entry point ofdamon_sysfs_handle_cmd().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31462 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: prevent immediate PASID reuse casePASID resue could cause interrupt issue when processimmediately runs into hw state left by previousprocess exited with the same PASID, it's possible thatpage faults are still pending in the IH ring buffer whenthe process exits and frees up its PASID. To prevent thecase, it uses idr cyclic allocator same as kernel pid's.(cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31477 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix memory leaks and NULL deref in smb2_lock()smb2_lock() has three error handling issues after list_del() detachessmb_lock from lock_list at no_check_cl:1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock.2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale.3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown.Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to beforethe if(!rc) check in the UNLOCK branch so all exit paths share onefree site, and by freeing smb_lock and flock before goto out in thenon-UNLOCK branch. Propagate the correct error code in both cases.Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and addinga NULL check for locks_free_lock(rlock) in the shared cleanup.Found via call-graph analysis using sqry.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31510 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cbBefore using sk pointer, check if it is null.Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025 Workqueue: events l2cap_info_timeout RIP: 0010:kasan_byte_accessible+0x12/0x30 Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce veth0_macvtap: entered promiscuous mode RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001 RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000 R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0 PKRU: 55555554 Call Trace: __kasan_check_byte+0x12/0x40 lock_acquire+0x79/0x2e0 lock_sock_nested+0x48/0x100 ? l2cap_sock_ready_cb+0x46/0x160 l2cap_sock_ready_cb+0x46/0x160 l2cap_conn_start+0x779/0xff0 ? __pfx_l2cap_conn_start+0x10/0x10 ? l2cap_info_timeout+0x60/0xa0 ? __pfx___mutex_lock+0x10/0x10 l2cap_info_timeout+0x68/0xa0 ? process_scheduled_works+0xa8d/0x18c0 process_scheduled_works+0xb6e/0x18c0 ? __pfx_process_scheduled_works+0x10/0x10 ? assign_work+0x3d5/0x5e0 worker_thread+0xa53/0xfc0 kthread+0x388/0x470 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x51e/0xb90 ? __pfx_ret_from_fork+0x10/0x10 veth1_macvtap: entered promiscuous mode ? __switch_to+0xc7d/0x1450 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Modules linked in: ---[ end trace 0000000000000000 ]--- batman_adv: batadv0: Interface activated: batadv_slave_0 batman_adv: batadv0: Interface activated: batadv_slave_1 netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 RIP: 0010:kasan_byte_accessible+0x12/0x30 Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cce ieee80211 phy39: Selected rate control algorithm 'minstrel_ht' RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001 RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000 R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0 PKRU: 55555554 Kernel panic - not syncing: Fatal exception

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-34933 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.12.1).

CVE-2026-4897 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpolkit-agent-1-0 > 0-0 (version in image is 121-150500.3.6.1).

CVE-2026-5704 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
tar > 0-0 (version in image is 1.34-150000.3.34.1).

CVE-2026-6862 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libefivar1 > 0-0 (version in image is 37-6.12.1).

CVE-2025-7709 Severity: Moderate CVSS3 score: 5.4

Description: An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsqlite3-0 > 0-0 (version in image is 3.50.2-150000.3.33.1).

CVE-2026-23076 Severity: Moderate CVSS3 score: 5.4

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: ctxfi: Fix potential OOB access in audio mixer handlingIn the audio mixer handling code of ctxfi driver, the conf field isused as a kind of loop index, and it's referred in the index callbacks(amixer_index() and sum_index()).As spotted recently by fuzzers, the current code causes OOB access atthose functions.| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48| index 8 is out of range for type 'unsigned char [8]'After the analysis, the cause was found to be the lack of the proper(re-)initialization of conj field.This patch addresses those OOB accesses by adding the properinitializations of the loop indices.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-26269 Severity: Moderate CVSS3 score: 5.4

Description: Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2023-54118 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:serial: sc16is7xx: setup GPIO controller later in probeThe GPIO controller component of the sc16is7xx driver is setup tooearly, which can result in a race condition where another device triesto utilise the GPIO lines before the sc16is7xx device has finishedinitialising.This issue manifests itself as an Oops when the GPIO lines are configured: Unable to handle kernel read from unreadable memory at virtual address ... pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx] ... Call trace: sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] gpiod_direction_output_raw_commit+0x64/0x318 gpiod_direction_output+0xb0/0x170 create_gpio_led+0xec/0x198 gpio_led_probe+0x16c/0x4f0 platform_drv_probe+0x5c/0xb0 really_probe+0xe8/0x448 driver_probe_device+0xe8/0x138 __device_attach_driver+0x94/0x118 bus_for_each_drv+0x8c/0xe0 __device_attach+0x100/0x1b8 device_initial_probe+0x28/0x38 bus_probe_device+0xa4/0xb0 deferred_probe_work_func+0x90/0xe0 process_one_work+0x1c4/0x480 worker_thread+0x54/0x430 kthread+0x138/0x150 ret_from_fork+0x10/0x1cThis patch moves the setup of the GPIO controller functions to later in theprobe function, ensuring the sc16is7xx device has already finishedinitialising by the time other devices try to make use of the GPIO lines.The error handling has also been reordered to reflect the newinitialisation order.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36923 Severity: Moderate CVSS3 score: 5.3

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-14524 Severity: Moderate CVSS3 score: 5.3

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transferperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the newtarget host.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.37.1).

CVE-2025-14819 Severity: Moderate CVSS3 score: 5.3

Description: When doing TLS related transfers with reused easy or multi handles andaltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentallyreuse a CA store cached in memory for which the partial chain option wasreversed. Contrary to the user's wishes and expectations. This could makelibcurl find and accept a trust chain that it otherwise would not.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.37.1).

CVE-2025-14831 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.12.1).

CVE-2025-15079 Severity: Moderate CVSS3 score: 5.3

Description: When doing SSH-based transfers using either SCP or SFTP, and setting theknown_hosts file, libcurl could still mistakenly accept connecting to hosts*not present* in the specified file if they were added as recognized in thelibssh *global* known_hosts file.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.37.1).

CVE-2025-38539 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Add down_write(trace_event_sem) when adding trace eventWhen a module is loaded, it adds trace events defined by the module. Itmay also need to modify the modules trace printk formats to replace enumnames with their values.If two modules are loaded at the same time, the adding of the event to theftrace_events list can corrupt the walking of the list in the code that ismodifying the printk format strings and crash the kernel.The addition of the event should take the trace_event_sem for write whileit adds the new event.Also add a lockdep_assert_held() on that semaphore in__trace_add_event_dirs() as it iterates the list.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39927 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix race condition validating r_parent before applying stateAdd validation to ensure the cached parent directory inode matches thedirectory info in MDS replies. This prevents client-side race conditionswhere concurrent operations (e.g. rename) cause r_parent to become stalebetween request initiation and reply processing, which could lead toapplying state changes to incorrect directory inodes.[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to move CEPH_CAP_PIN reference when r_parent is updated: When the parent directory lock is not held, req->r_parent can become stale and is updated to point to the correct inode. However, the associated CEPH_CAP_PIN reference was not being adjusted. The CEPH_CAP_PIN is a reference on an inode that is tracked for accounting purposes. Moving this pin is important to keep the accounting balanced. When the pin was not moved from the old parent to the new one, it created two problems: The reference on the old, stale parent was never released, causing a reference leak. A reference for the new parent was never acquired, creating the risk of a reference underflow later in ceph_mdsc_release_request(). This patch corrects the logic by releasing the pin from the old parent and acquiring it for the new parent when r_parent is switched. This ensures reference accounting stays balanced. ]

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39964 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - Disallow concurrent writes in af_alg_sendmsgIssuing two writes to the same af_alg socket is bogus as thedata will be interleaved in an unpredictable fashion. Furthermore,concurrent writes may create inconsistencies in the internalsocket state.Disallow this by adding a new ctx->write field that indiciatesexclusive ownership for writing.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40003 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: mscc: ocelot: Fix use-after-free caused by cyclic delayed workThe origin code calls cancel_delayed_work() in ocelot_stats_deinit()to cancel the cyclic delayed work item ocelot->stats_work. However,cancel_delayed_work() may fail to cancel the work item if it is alreadyexecuting. While destroy_workqueue() does wait for all pending work itemsin the work queue to complete before destroying the work queue, it cannotprevent the delayed work item from being rescheduled within theocelot_check_stats_work() function. This limitation exists because thedelayed work item is only enqueued into the work queue after its timerexpires. Before the timer expiration, destroy_workqueue() has no visibilityof this pending work item. Once the work queue appears empty,destroy_workqueue() proceeds with destruction. When the timer eventuallyexpires, the delayed work item gets queued again, leading to the followingwarning:workqueue: cannot queue ocelot_check_stats_work on wq ocelot-switch-statsWARNING: CPU: 2 PID: 0 at kernel/workqueue.c:2255 __queue_work+0x875/0xaf0...RIP: 0010:__queue_work+0x875/0xaf0...RSP: 0018:ffff88806d108b10 EFLAGS: 00010086RAX: 0000000000000000 RBX: 0000000000000101 RCX: 0000000000000027RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffff88806d123e88RBP: ffffffff813c3170 R08: 0000000000000000 R09: ffffed100da247d2R10: ffffed100da247d1 R11: ffff88806d123e8b R12: ffff88800c00f000R13: ffff88800d7285c0 R14: ffff88806d0a5580 R15: ffff88800d7285a0FS: 0000000000000000(0000) GS:ffff8880e5725000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007fe18e45ea10 CR3: 0000000005e6c000 CR4: 00000000000006f0Call Trace: ? kasan_report+0xc6/0xf0 ? __pfx_delayed_work_timer_fn+0x10/0x10 ? __pfx_delayed_work_timer_fn+0x10/0x10 call_timer_fn+0x25/0x1c0 __run_timer_base.part.0+0x3be/0x8c0 ? __pfx_delayed_work_timer_fn+0x10/0x10 ? rcu_sched_clock_irq+0xb06/0x27d0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? try_to_wake_up+0xb15/0x1960 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 tmigr_handle_remote_up+0x603/0x7e0 ? __pfx_tmigr_handle_remote_up+0x10/0x10 ? sched_balance_trigger+0x1c0/0x9f0 ? sched_tick+0x221/0x5a0 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? tick_nohz_handler+0x339/0x440 ? __pfx_tmigr_handle_remote_up+0x10/0x10 __walk_groups.isra.0+0x42/0x150 tmigr_handle_remote+0x1f4/0x2e0 ? __pfx_tmigr_handle_remote+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 ? hrtimer_interrupt+0x322/0x780 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...The following diagram reveals the cause of the above warning:CPU 0 (remove) | CPU 1 (delayed work callback)mscc_ocelot_remove() | ocelot_deinit() | ocelot_check_stats_work() ocelot_stats_deinit() | cancel_delayed_work()| ... | queue_delayed_work() destroy_workqueue() | (wait a time) | __queue_work() //UAFThe above scenario actually constitutes a UAF vulnerability.The ocelot_stats_deinit() is only invoked when initializationfailure or resource destruction, so we must ensure that anydelayed work items cannot be rescheduled.Replace cancel_delayed_work() with disable_delayed_work_sync()to guarantee proper cancellation of the delayed work item andensure completion of any currently executing work before theworkqueue is deallocated.A deadlock concern was considered: ocelot_stats_deinit() is calledin a process context and is not holding any locks that the delayedwork item might also need. Therefore, the use of the _sync() variantis safe here.This bug was identified through static analysis. To reproduce theissue and validate the fix, I simulated ocelot-swit---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40303 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: ensure no dirty metadata is written back for an fs with errors[BUG]During development of a minor feature (make sure all btrfs_bio::end_io()is called in task context), I noticed a crash in generic/388, wheremetadata writes triggered new works after btrfs_stop_all_workers().It turns out that it can even happen without any code modification, justusing RAID5 for metadata and the same workload from generic/388 is goingto trigger the use-after-free.[CAUSE]If btrfs hits an error, the fs is marked as error, no newtransaction is allowed thus metadata is in a frozen state.But there are some metadata modifications before that error, and they arestill in the btree inode page cache.Since there will be no real transaction commit, all those dirty foliosare just kept as is in the page cache, and they can not be invalidatedby invalidate_inode_pages2() call inside close_ctree(), because they aredirty.And finally after btrfs_stop_all_workers(), we call iput() on btreeinode, which triggers writeback of those dirty metadata.And if the fs is using RAID56 metadata, this will trigger RMW and queuenew works into rmw_workers, which is already stopped, causing warningfrom queue_work() and use-after-free.[FIX]Add a special handling for write_one_eb(), that if the fs is already inan error state, immediately mark the bbio as failure, instead of reallysubmitting them.Then during close_ctree(), iput() will just discard all those dirtytree blocks without really writing them back, thus no more new jobs foralready stopped-and-freed workqueues.The extra discard in write_one_eb() also acts as an extra safenet.E.g. the transaction abort is triggered by some extent/free spacetree corruptions, and since extent/free space tree is already corruptedsome tree blocks may be allocated where they shouldn't be (overwritingexisting tree blocks). In that case writing them back will furthercorrupting the fs.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-47911 Severity: Moderate CVSS3 score: 5.3

Description: The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-47914 Severity: Moderate CVSS3 score: 5.3

Description: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
amazon-ssm-agent > 0-0 (version in image is 3.3.1611.0-150000.5.26.1).

CVE-2025-58150 Severity: Moderate CVSS3 score: 5.3

Description: Shadow mode tracing code uses a set of per-CPU variables to avoidcumbersome parameter passing. Some of these variables are written towith guest controlled data, of guest controllable size. That size canbe larger than the variable, and bounding of the writes was missing.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
xen-libs > 0-0 (version in image is 4.18.5_10-150600.3.37.1).

CVE-2025-58181 Severity: Moderate CVSS3 score: 5.3

Description: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-66418 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-66471 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-69418 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2025-69420 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: A type confusion vulnerability exists in the TimeStamp Responseverification code where an ASN1_TYPE union member is accessed without firstvalidating the type, causing an invalid or NULL pointer dereference whenprocessing a malformed TimeStamp Response file.Impact summary: An application calling TS_RESP_verify_response() with amalformed TimeStamp Response can be caused to dereference an invalid orNULL pointer when reading, resulting in a Denial of Service.The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()access the signing cert attribute value without validating its type.When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memorythrough the ASN1_TYPE union, causing a crash.Exploiting this vulnerability requires an attacker to provide a malformedTimeStamp Response to an application that verifies timestamp responses. TheTimeStamp protocol (RFC 3161) is not widely used and the impact of theexploit is just a Denial of Service. For these reasons the issue wasassessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the TimeStamp Response implementation is outside the OpenSSL FIPS moduleboundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2025-71093 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:e1000: fix OOB in e1000_tbi_should_accept()In e1000_tbi_should_accept() we read the last byte of the frame via'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, thisread goes out of bounds and can hit unrelated slab objects. The issueis observed from the NAPI receive path (e1000_clean_rx_irq):==================================================================BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790Read of size 1 at addr ffff888014114e54 by task sshd/363CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014Call Trace: dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xaeRIP: 0033:0x7f511b476b10Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800]The buggy address belongs to the physical page:page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0flags: 0x100000000010200(slab|head|node=0|zone=1)raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000page dumped because: kasan: bad access detected==================================================================This happens because the TBI check unconditionally dereferences the lastbyte without validating the reported length first: u8 last_byte = *(data + length - 1);Fix by rejecting the frame early if the length is zero, or if it exceedsadapter->rx_buffer_len. This preserves the TBI workaround semantics forvalid frames and prevents touching memory beyond the RX buffer.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71182 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:can: j1939: make j1939_session_activate() fail if device is no longer registeredsyzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2even after commit 93a27b5891b8 ("can: j1939: add missing calls inNETDEV_UNREGISTER notification handler") was added. A debug printk() patchfound that j1939_session_activate() can succeed even afterj1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)has completed.Since j1939_cancel_active_session() is processed with the session list lockheld, checking ndev->reg_state in j1939_session_activate() with the sessionlist lock held can reliably close the race window.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71225 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:md: suspend array while updating raid_disks via sysfsIn raid1_reshape(), freeze_array() is called before modifying the r1biomemory pool (conf->r1bio_pool) and conf->raid_disks, andunfreeze_array() is called after the update is completed.However, freeze_array() only waits until nr_sync_pending and(nr_pending - nr_queued) of all buckets reaches zero. When an I/O erroroccurs, nr_queued is increased and the corresponding r1bio is queued toeither retry_list or bio_end_io_list. As a result, freeze_array() mayunblock before these r1bios are released.This can lead to a situation where conf->raid_disks and the mempool havealready been updated while queued r1bios, allocated with the oldraid_disks value, are later released. Consequently, free_r1bio() mayaccess memory out of bounds in put_all_bios() and release r1bios of thewrong size to the new mempool, potentially causing issues with themempool as well.Since only normal I/O might increase nr_queued while an I/O error occurs,suspending the array avoids this issue.Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspendsthe array. Therefore, we suspend the array when updating raid_disksvia sysfs to avoid this issue too.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-9390 Severity: Moderate CVSS3 score: 5.3

Description: A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-0915 Severity: Moderate CVSS3 score: 5.3

Description: Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc < 2.38-150600.14.40.1 (version in image is 2.38-150600.14.37.1).

CVE-2026-0992 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-22796 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: A type confusion vulnerability exists in the signatureverification of signed PKCS#7 data where an ASN1_TYPE union member isaccessed without first validating the type, causing an invalid or NULLpointer dereference when processing malformed PKCS#7 data.Impact summary: An application performing signature verification of PKCS#7data or calling directly the PKCS7_digest_from_attributes() function can becaused to dereference an invalid or NULL pointer when reading, resulting ina Denial of Service.The function PKCS7_digest_from_attributes() accesses the message digest attributevalue without validating its type. When the type is not V_ASN1_OCTET_STRING,this results in accessing invalid memory through the ASN1_TYPE union, causinga crash.Exploiting this vulnerability requires an attacker to provide a malformedsigned PKCS#7 to an application that verifies it. The impact of theexploit is just a Denial of Service, the PKCS7 API is legacy and applicationsshould be using the CMS API instead. For these reasons the issue wasassessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#7 parsing implementation is outside the OpenSSL FIPS moduleboundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.21.1 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-22979 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: fix memory leak in skb_segment_list for GRO packetsWhen skb_segment_list() is called during packet forwarding, it handlespackets that were aggregated by the GRO engine.Historically, the segmentation logic in skb_segment_list assumes thatindividual segments are split from a parent SKB and may need to carrytheir own socket memory accounting. Accordingly, the code transferstruesize from the parent to the newly created segments.Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), thistruesize subtraction in skb_segment_list() was valid because fragmentsstill carry a reference to the original socket.However, commit ed4cccef64c1 ("gro: fix ownership transfer") changedthis behavior by ensuring that fraglist entries are explicitlyorphaned (skb->sk = NULL) to prevent illegal orphaning later in thestack. This change meant that the entire socket memory charge remainedwith the head SKB, but the corresponding accounting logic inskb_segment_list() was never updated.As a result, the current code unconditionally adds each fragment'struesize to delta_truesize and subtracts it from the parent SKB. Sincethe fragments are no longer charged to the socket, this subtractionresults in an effective under-count of memory when the head is freed.This causes sk_wmem_alloc to remain non-zero, preventing socketdestruction and leading to a persistent memory leak.The leak can be observed via KMEMLEAK when tearing down the networkingenvironment:unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLISTpackets constructed by GRO, the truesize adjustment is removed.The call to skb_release_head_state() must be preserved. As documented incommit cf673ed0e057 ("net: fix fraglist segmentation reference countleak"), it is still required to correctly drop references to SKBextensions that may be overwritten during __copy_skb_header().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23059 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Sanitize payload size to prevent member overflowIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_sizereported by firmware is used to calculate the copy length intoitem->iocb. However, the iocb member is defined as a fixed-size 64-bytearray within struct purex_item.If the reported frame_size exceeds 64 bytes, subsequent memcpy calls willoverflow the iocb member boundary. While extra memory might be allocated,this cross-member write is unsafe and triggers warnings underCONFIG_FORTIFY_SOURCE.Fix this by capping total_bytes to the size of the iocb member (64 bytes)before allocation and copying. This ensures all copies remain within thebounds of the destination structure member.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23171 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: fix use-after-free due to enslave fail after slave array updateFix a use-after-free which happens due to enslave failure after the newslave has been added to the array. Since the new slave can be used for Tximmediately, we can use it after it has been freed by the enslave errorcleanup path which frees the allocated slave memory. Slave update array issupposed to be called last when further enslave failures are not expected.Move it after xdp setup to avoid any problems.It is very easy to reproduce the problem with a simple xdp_pass prog: ip l add bond1 type bond mode balance-xor ip l set bond1 up ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass ip l add dumdum type dummyThen run in parallel: while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done; mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"The crash happens almost immediately: [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf] [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary) [ 605.602979] Tainted: [B]=BAD_PAGE [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210 [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89 [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213 [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000 [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000 [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84 [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000 [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0 [ 605.603373] Call Trace: [ 605.603392] [ 605.603410] __dev_queue_xmit+0x448/0x32a0 [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10 [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603546] ? _printk+0xcb/0x100 [ 605.603566] ? __pfx__printk+0x10/0x10 [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603627] ? add_taint+0x5e/0x70 [ 605.603648] ? add_taint+0x2a/0x70 [ 605.603670] ? end_report.cold+0x51/0x75 [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23221 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:bus: fsl-mc: fix use-after-free in driver_override_show()The driver_override_show() function reads the driver_override stringwithout holding the device_lock. However, driver_override_store() usesdriver_set_override(), which modifies and frees the string while holdingthe device_lock.This can result in a concurrent use-after-free if the string is freedby the store function while being read by the show function.Fix this by holding the device_lock around the read operation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23271 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:perf: Fix __perf_event_overflow() vs perf_remove_from_context() raceMake sure that __perf_event_overflow() runs with IRQs disabled for allpossible callchains. Specifically the software events can end up runningit with only preemption disabled.This opens up a race vs perf_event_exit_event() and friends that will goand free various things the overflow path expects to be present, likethe BPF program.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23286 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:atm: lec: fix null-ptr-deref in lec_arp_clear_vccssyzkaller reported a null-ptr-deref in lec_arp_clear_vccs().This issue can be easily reproduced using the syzkaller reproducer.In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared bymultiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).When the underlying VCC is closed, lec_vcc_close() iterates over allARP entries and calls lec_arp_clear_vccs() for each matched entry.For example, when lec_vcc_close() iterates through the hlists inpriv->lec_arp_empty_ones or other ARP tables:1. In the first iteration, for the first matched ARP entry sharing the VCC,lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)and sets vcc->user_back to NULL.2. In the second iteration, for the next matched ARP entry sharing the sameVCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv fromvcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference itvia `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.Fix this by adding a null check for vpriv before dereferencingit. If vpriv is already NULL, it means the VCC has been clearedby a previous call, so we can safely skip the cleanup and justclear the entry's vcc/recv_vcc pointers.The entire cleanup block (including vcc_release_async()) is placed insidethe vpriv guard because a NULL vpriv indicates the VCC has already beenfully released by a prior iteration - repeating the teardown wouldredundantly set flags and trigger callbacks on an already-closing socket.The Fixes tag points to the initial commit because the entry->vcc path hasbeen vulnerable since the original code. The entry->recv_vcc path was lateradded by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")with the same pattern, and both paths are fixed here.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23296 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: core: Fix refcount leak for tagset_refcntThis leak will cause a hang when tearing down the SCSI host. For example,iscsid hangs with the following call trace:[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configuredPID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23456 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS caseIn decode_int(), the CONS case calls get_bits(bs, 2) to read a lengthvalue, then calls get_uint(bs, len) without checking that len bytesremain in the buffer. The existing boundary check only validates the2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()reads. This allows a malformed H.323/RAS packet to cause a 1-4 byteslab-out-of-bounds read.Add a boundary check for len bytes after get_bits() and beforeget_uint().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23457 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()sip_help_tcp() parses the SIP Content-Length header withsimple_strtoul(), which returns unsigned long, but stores the result inunsigned int clen. On 64-bit systems, values exceeding UINT_MAX aresilently truncated before computing the SIP message boundary.For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,causing the parser to miscalculate where the current message ends. Theloop then treats trailing data in the TCP segment as a second SIPmessage and processes it through the SDP parser.Fix this by changing clen to unsigned long to match the return type ofsimple_strtoul(), and reject Content-Length values that exceed theremaining TCP payload length.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-27171 Severity: Moderate CVSS3 score: 5.3

Description: zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libz1 > 0-0 (version in image is 1.2.13-150500.4.3.1).

CVE-2026-28389 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: During processing of a crafted CMS EnvelopedData messagewith KeyAgreeRecipientInfo a NULL pointer dereference can happen.Impact summary: Applications that process attacker-controlled CMS data maycrash before authentication or cryptographic operations occur resulting inDenial of Service.When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo isprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifieris examined without checking for its presence. This results in a NULLpointer dereference if the field is missing.Applications and services that call CMS_decrypt() on untrusted input(e.g., S/MIME processing or CMS-based protocols) are vulnerable.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libopenssl1_1 < 1.1.1w-150600.5.26.2 (version in image is 1.1.1w-150600.5.18.1).

CVE-2026-28417 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28418 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28419 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28421 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-31499 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timerand id_addr_timer while holding conn->lock. However, the work functionsl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquireconn->lock, creating a potential AB-BA deadlock if the work is alreadyexecuting when l2cap_conn_del() takes the lock.Move the work cancellations before acquiring conn->lock and usedisable_delayed_work_sync() to additionally prevent the works frombeing rearmed after cancellation, consistent with the pattern used inhci_conn_del().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-32249 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-33412 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-3446 Severity: Moderate CVSS3 score: 5.3

Description: When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2026-3731 Severity: Moderate CVSS3 score: 5.3

Description: A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libssh-config > 0-0 (version in image is 0.9.8-150600.11.6.1).

CVE-2025-40271 Severity: Moderate CVSS3 score: 5.2

Description: In the Linux kernel, the following vulnerability has been resolved:fs/proc: fix uaf in proc_readdir_de()Pde is erased from subdir rbtree through rb_erase(), but not set the nodeto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()set the erased node to EMPTY, then pde_subdir_next() will return NULL toavoid uaf access.We found an uaf issue while using stress-ng testing, need to run testcasegetdent and tun in the same time. The steps of the issue is as follows:1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3;2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab;3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access.CPU 0 | CPU 1-------------------------------------------------------------------------traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF |rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2)

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40338 Severity: Moderate CVSS3 score: 5.2

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: Intel: avs: Do not share the name pointer between componentsBy sharing 'name' directly, tearing down components may lead touse-after-free errors. Duplicate the name to avoid that.At the same time, update the order of operations - since commitcee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name viaconfig") the framework does not override component->name if set beforeinvoking the initializer.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-2201 Severity: Moderate CVSS3 score: 5.1

Description: A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36934 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:bna: ensure the copied buf is NUL terminatedCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes fromuserspace to that buffer. Later, we use sscanf on this buffer but we don'tensure that the string is terminated inside the buffer, this can lead toOOB read when using sscanf. Fix this issue by using memdup_user_nulinstead of memdup_user.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36935 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:ice: ensure the copied buf is NUL terminatedCurrently, we allocate a count-sized kernel buffer and copy count bytesfrom userspace to that buffer. Later, we use sscanf on this buffer but wedon't ensure that the string is terminated inside the buffer, this can leadto OOB read when using sscanf. Fix this issue by using memdup_user_nulinstead of memdup_user.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23104 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:ice: fix devlink reload call traceCommit 4da71a77fc3b ("ice: read internal temperature sensor") introducedinternal temperature sensor reading via HWMON. ice_hwmon_init() was addedto ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As aresult if devlink reload is used to reinit the device and then the driveris removed, a call trace can occur.BUG: unable to handle page fault for address: ffffffffc0fd4b5dCall Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60The call trace repeats approximately every 10 minutes when systemmonitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfsattributes that reference freed module memory.The sequence is:1. Driver load, ice_hwmon_init() gets called from ice_init_feature()2. Devlink reload down, flow does not call ice_remove()3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointerFix this by moving ice_hwmon_exit() from ice_remove() toice_deinit_features() to ensure proper cleanup symmetry withice_hwmon_init().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23178 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of datainto `ihid->rawbuf`.The former can come from the userspace in the hidraw driver and is onlybounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set`max_buffer_size` field of `struct hid_ll_driver` which we do not).The latter has size determined at runtime by the maximum size ofdifferent report types you could receive on any particular device andcan be a much smaller value.Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.The impact is low since access to hidraw devices requires root.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-34757 Severity: Moderate CVSS3 score: 5.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2026-3842 Severity: Moderate CVSS3 score: 5.1

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-0964 Severity: Moderate CVSS3 score: 5.0

Description: A malicious SCP server can send unexpected paths that could make theclient application override local files outside of working directory.This could be misused to create malicious executable or configurationfiles and make the user execute them under specific consequences.This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libssh-config > 0-0 (version in image is 0.9.8-150600.11.6.1).

CVE-2026-1502 Severity: Moderate CVSS3 score: 4.9

Description: CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2023-54013 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:interconnect: Fix locking for runpm vs reclaimFor cases where icc_bw_set() can be called in callbaths that coulddeadlock against shrinker/reclaim, such as runpm resume, we need todecouple the icc locking. Introduce a new icc_bw_lock for cases wherewe need to serialize bw aggregation and update to decouple that frompaths that require memory allocation such as node/link creation/destruction.Fixes this lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc8-debug+ #554 Not tainted ------------------------------------------------------ ring0/132 is trying to acquire lock: ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 but task is already holding lock: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x74/0xc0 dma_resv_lockdep+0x1f4/0x2f4 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x80/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 topology_parse_cpu_capacity+0x8c/0x178 get_cpu_for_node+0x88/0xc4 parse_cluster+0x1b0/0x28c parse_cluster+0x8c/0x28c init_cpu_topology+0x168/0x188 smp_prepare_cpus+0x24/0xf8 kernel_init_freeable+0x18c/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire+0x3c/0x48 fs_reclaim_acquire+0x54/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 kzalloc.constprop.0+0x14/0x20 icc_node_create_nolock+0x4c/0xc4 icc_node_create+0x38/0x58 qcom_icc_rpmh_probe+0x1b8/0x248 platform_probe+0x70/0xc4 really_probe+0x158/0x290 __driver_probe_device+0xc8/0xe0 driver_probe_device+0x44/0x100 __driver_attach+0xf8/0x108 bus_for_each_dev+0x78/0xc4 driver_attach+0x2c/0x38 bus_add_driver+0xd0/0x1d8 driver_register+0xbc/0xf8 __platform_driver_register+0x30/0x3c qnoc_driver_init+0x24/0x30 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #1 (icc_lock){+.+.}-{3:3}: __mutex_lock+0xcc/0x3c8 mutex_lock_nested+0x30/0x44 icc_set_bw+0x88/0x2b4 _set_opp_bw+0x8c/0xd8 _set_opp+0x19c/0x300 dev_pm_opp_set_opp+0x84/0x94 a6xx_gmu_resume+0x18c/0x804 a6xx_pm_resume+0xf8/0x234 adreno_runtime_resume+0x2c/0x38 pm_generic_runtime_resume+0x30/0x44 __rpm_callback+0x15c/0x174 rpm_callback+0x78/0x7c rpm_resume+0x318/0x524 __pm_runtime_resume+0x78/0xbc adreno_load_gpu+0xc4/0x17c msm_open+0x50/0x120 drm_file_alloc+0x17c/0x228 drm_open_helper+0x74/0x118 drm_open+0xa0/0x144 drm_stub_open+0xd4/0xe4 chrdev_open+0x1b8/0x1e4 do_dentry_open+0x2f8/0x38c vfs_open+0x34/0x40 path_openat+0x64c/0x7b4 do_filp_open+0x54/0xc4 do_sys_openat2+0x9c/0x100 do_sys_open+0x50/0x7c __arm64_sys_openat+0x28/0x34 invoke_syscall+0x8c/0x128 el0_svc_common.constprop.0+0xa0/0x11c do_el0_---truncated---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35998 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:smb3: fix lock ordering potential deadlock in cifs_sync_mid_resultCoverity spotted that the cifs_sync_mid_result function could deadlock"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquireslock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock"Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)")

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36024 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Disable idle reallow as part of command/gpint execution[Why]Workaroud for a race condition where DMCUB is in the process ofcommitting to IPS1 during the handshake causing us to miss thetransition into IPS2 and touch the INBOX1 RPTR causing a HW hang.[How]Disable the reallow to ensure that we have enough of a gap between entryand exit and we're not seeing back-to-back wake_and_executes.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36937 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:xdp: use flags field to disambiguate broadcast redirectWhen redirecting a packet using XDP, the bpf_redirect_map() helper will setup the redirect destination information in struct bpf_redirect_info (usingthe __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect()function will read this information after the XDP program returns and passthe frame on to the right redirect destination.When using the BPF_F_BROADCAST flag to do multicast redirect to a wholemap, __bpf_xdp_redirect_map() sets the 'map' pointer in structbpf_redirect_info to point to the destination map to be broadcast. Andxdp_do_redirect() reacts to the value of this map pointer to decide whetherit's dealing with a broadcast or a single-value redirect. However, if thedestination map is being destroyed before xdp_do_redirect() is called, themap pointer will be cleared out (by bpf_clear_redirect_map()) withoutwaiting for any XDP programs to stop running. This causes xdp_do_redirect()to think that the redirect was to a single target, but the target pointeris also NULL (since broadcast redirects don't have a single target), sothis causes a crash when a NULL pointer is passed to dev_map_enqueue().To fix this, change xdp_do_redirect() to react directly to the presence ofthe BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_infoto disambiguate between a single-target and a broadcast redirect. And onlyread the 'map' pointer if the broadcast flag is set, aborting if that hasbeen cleared out in the meantime. This prevents the crash, while keepingthe atomic (cmpxchg-based) clearing of the map pointer itself, and withoutadding any more checks in the non-broadcast fast path.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36938 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueueFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() whichsyzbot reported [1].[1]BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueuewrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [inline] sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843 sk_psock_put include/linux/skmsg.h:459 [inline] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0: sk_psock_data_ready include/linux/skmsg.h:464 [inline] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [inline] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x312/0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x1e9/0x280 net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75value changed: 0xffffffff83d7feb0 -> 0x0000000000000000Reported by Kernel Concurrency Sanitizer on:CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointerdereference in sk_psock_verdict_data_ready()") fixed one NULL pointersimilarly due to no protection of saved_data_ready. Here is anotherdifferent caller causing the same issue because of the same reason. Sowe should protect it with sk_callback_lock read lock because the writerside in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".To avoid errors that could happen in future, I move those two pairs oflock into the sk_psock_data_ready(), which is suggested by John Fastabend.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36945 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/smc: fix neighbour and rtable leak in smc_ib_find_route()In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtableresolved by ip_route_output_flow() are not released or put before return.It may cause the refcount leak, so fix it.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38553 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: fec: remove .ndo_poll_controller to avoid deadlocksThere is a deadlock issue found in sungem driver, please refer to thecommit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoiddeadlocks"). The root cause of the issue is that netpoll is in atomiccontext and disable_irq() is called by .ndo_poll_controller interfaceof sungem driver, however, disable_irq() might sleep. After analyzingthe implementation of fec_poll_controller(), the fec driver should havethe same issue. Due to the fec driver uses NAPI for TX completions, the.ndo_poll_controller is unnecessary to be implemented in the fec driver,so fec_poll_controller() can be safely removed.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38557 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Reload only IB representors upon lag disable/enableOn lag disable, the bond IB device along with all of itsrepresentors are destroyed, and then the slaves' representors get reloaded.In case the slave IB representor load fails, the eswitch error flowunloads all representors, including ethernet representors, where thenetdevs get detached and removed from lag bond. Such flow is inaccurateas the lag driver is not responsible for loading/unloading ethernetrepresentors. Furthermore, the flow described above begins by holdinglag lock to prevent bond changes during disable flow. However, whenreaching the ethernet representors detachment from lag, the lag lock isrequired again, triggering the following deadlock:Call trace:__switch_to+0xf4/0x148__schedule+0x2c8/0x7d0schedule+0x50/0xe0schedule_preempt_disabled+0x18/0x28__mutex_lock.isra.13+0x2b8/0x570__mutex_lock_slowpath+0x1c/0x28mutex_lock+0x4c/0x68mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]mlx5_disable_lag+0x130/0x138 [mlx5_core]mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lockmlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]devlink_nl_cmd_eswitch_set_doit+0xdc/0x180genl_family_rcv_msg_doit.isra.17+0xe8/0x138genl_rcv_msg+0xe4/0x220netlink_rcv_skb+0x44/0x108genl_rcv+0x40/0x58netlink_unicast+0x198/0x268netlink_sendmsg+0x1d4/0x418sock_sendmsg+0x54/0x60__sys_sendto+0xf4/0x120__arm64_sys_sendto+0x30/0x40el0_svc_common+0x8c/0x120do_el0_svc+0x30/0xa0el0_svc+0x20/0x30el0_sync_handler+0x90/0xb8el0_sync+0x160/0x180Thus, upon lag enable/disable, load and unload only the IB representorsof the slaves preventing the deadlock mentioned above.While at it, refactor the mlx5_esw_offloads_rep_load() function to havea static helper method for its internal logic, in symmetry with therepresentor unload design.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38590 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/hns: Modify the print level of CQE errorToo much print may lead to a panic in kernel. Change ibdev_err() toibdev_err_ratelimited(), and change the printing level of cqe dumpto debug level.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-39291 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generatingabout potential truncation of output when using the snprintf function.The issue was due to the size of the buffer 'ucode_prefix' being toosmall to accommodate the maximum possible length of the string beingwritten into it.The string being written is "amdgpu/%s_mec.bin" or "amdgpu/%s_rlc.bin",where %s is replaced by the value of 'chip_name'. The length of thisstring without the %s is 16 characters. The warning message indicatedthat 'chip_name' could be up to 29 characters long, resulting in a totalof 45 characters, which exceeds the buffer size of 30 characters.To resolve this issue, the size of the 'ucode_prefix' buffer has beenreduced from 30 to 15. This ensures that the maximum possible length ofthe string being written into the buffer will not exceed its size, thuspreventing potential buffer overflow and truncation issues.Fixes the below with gcc W=1:drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function 'gfx_v9_4_3_early_init':drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~...... 439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 379 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_rlc.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: '%s' directive output may be truncated writing up to 29 bytes into a region of size 23 [-Wformat-truncation=] 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~...... 443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev, ucode_prefix); | ~~~~~~~~~~~~drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: 'snprintf' output between 16 and 45 bytes into a destination of size 30 413 | snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_mec.bin", chip_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-37942 Severity: Moderate CVSS3 score: 4.7

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38383 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:mm/vmalloc: fix data race in show_numa_info()The following data-race was found in show_numa_info():==================================================================BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_showread to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299....write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299....value changed: 0x0000008f -> 0x00000000==================================================================According to this report,there is a read/write data-race becausem->private is accessible to multiple CPUs. To fix this, instead ofallocating the heap in proc_vmalloc_init() and passing the heap address tom->private, vmalloc_info_show() should allocate the heap.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-39953 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:cgroup: split cgroup_destroy_wq into 3 workqueuesA hung task can occur during [1] LTP cgroup testing when repeatedlymounting/unmounting perf_event and net_prio controllers withsystemd.unified_cgroup_hierarchy=1. The hang manifests incgroup_lock_and_drain_offline() during root destruction.Related case:cgroup_fj_function_perf_event cgroup_fj_function.sh perf_eventcgroup_fj_function_net_prio cgroup_fj_function.sh net_prioCall Trace: cgroup_lock_and_drain_offline+0x14c/0x1e8 cgroup_destroy_root+0x3c/0x2c0 css_free_rwork_fn+0x248/0x338 process_one_work+0x16c/0x3b8 worker_thread+0x22c/0x3b0 kthread+0xec/0x100 ret_from_fork+0x10/0x20Root Cause:CPU0 CPU1mount perf_event umount net_priocgroup1_get_tree cgroup_kill_sbrebind_subsystems // root destruction enqueues // cgroup_destroy_wq// kill all perf_event css // one perf_event css A is dying // css A offline enqueues cgroup_destroy_wq // root destruction will be executed first css_free_rwork_fn cgroup_destroy_root cgroup_lock_and_drain_offline // some perf descendants are dying // cgroup_destroy_wq max_active = 1 // waiting for css A to dieProblem scenario:1. CPU0 mounts perf_event (rebind_subsystems)2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work3. A dying perf_event CSS gets queued for offline after root destruction4. Root destruction waits for offline completion, but offline work is blocked behind root destruction in cgroup_destroy_wq (max_active=1)Solution:Split cgroup_destroy_wq into three dedicated workqueues:cgroup_offline_wq - Handles CSS offline operationscgroup_release_wq - Manages resource releasecgroup_free_wq - Performs final memory deallocationThis separation eliminates blocking in the CSS free path while waiting foroffline operations to complete.[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40006 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:mm/hugetlb: fix folio is still mapped when deletedMigration may be raced with fallocating hole. remove_inode_single_foliowill unmap the folio if the folio is still mapped. However, it's calledwithout folio lock. If the folio is migrated and the mapped pte has beenconverted to migration entry, folio_mapped() returns false, and won'tunmap it. Due to extra refcount held by remove_inode_single_folio,migration fails, restores migration entry to normal pte, and the folio ismapped again. As a result, we triggered BUG in filemap_unaccount_folio.The log is as follows: BUG: Bad page cache in process hugetlb pfn:156c00 page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f4(hugetlb) page dumped because: still mapped when deleted CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x4f/0x70 filemap_unaccount_folio+0xc4/0x1c0 __filemap_remove_folio+0x38/0x1c0 filemap_remove_folio+0x41/0xd0 remove_inode_hugepages+0x142/0x250 hugetlbfs_fallocate+0x471/0x5a0 vfs_fallocate+0x149/0x380Hold folio lock before checking if the folio is mapped to avold race withmigration.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40134 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:dm: fix NULL pointer dereference in __dm_suspend()There is a race condition between dm device suspend and table load thatcan lead to null pointer dereference. The issue occurs when suspend isinvoked before table load completes:BUG: kernel NULL pointer dereference, address: 0000000000000054Oops: 0000 [#1] PREEMPT SMP PTICPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50Call Trace: blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0The issue can be triggered as below:T1 T2dm_suspend table_load__dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1)dm_stop_queue / dm_wait_for_completion=> q->tag_set NULL pointer! (2) => q->tag_set = set; (3)Fix this by checking if a valid table (map) exists before performingrequest-based suspend and waiting for target I/O. When map is NULL,skip these table-dependent suspend steps.Even when map is NULL, no I/O can reach any target because there isno table loaded; I/O submitted in this state will fail early in theDM layer. Skipping the table-dependent suspend logic in this caseis safe and avoids NULL pointer dereferences.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40146 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:blk-mq: fix potential deadlock while nr_requests grownAllocate and free sched_tags while queue is freezed can deadlock[1],this is a long term problem, hence allocate memory before freezingqueue and free memory after queue is unfreezed.[1] https://lore.kernel.org/all/0659ea8d-a463-47c8-9180-43c719e106eb@linux.ibm.com/

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40179 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: verify orphan file size is not too bigIn principle orphan file can be arbitrarily large. However orphan replayneeds to traverse it all and we also pin all its buffers in memory. Thusfilesystems with absurdly large orphan files can lead to big amounts ofmemory consumed. Limit orphan file size to a sane value and also usekvmalloc() for allocating array of block descriptor structures to avoidlarge order allocations for sane but large orphan files.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40268 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: client: fix memory leak in smb3_fs_context_parse_paramThe user calls fsconfig twice, but when the program exits, free() onlyfrees ctx->source for the second fsconfig, not the first.Regarding fc->source, there is no code in the fs context related to itsmemory reclamation.To fix this memory leak, release the source memory corresponding to ctxor fc before each parsing.syzbot reported:BUG: memory leakunreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444BUG: memory leakunreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68223 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/radeon: delete radeon_fence_process in is_signaled, no deadlockDelete the attempt to progress the queue when checking if fence issignaled. This avoids deadlock.dma-fence_ops::signaled can be called with the fence lock in unknownstate. For radeon, the fence lock is also the wait queue lock. This cancause a self deadlock when signaled() tries to make forward progress onthe wait queue. But advancing the queue is unneeded because incorrectlyreturning false from signaled() is perfectly acceptable.(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68321 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:page_pool: always add GFP_NOWARN for ATOMIC allocationsDriver authors often forget to add GFP_NOWARN for page allocationfrom the datapath. This is annoying to users as OOMs are a factof life, and we pretty much expect network Rx to hit page allocationfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocationsby default.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68745 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Clear cmds after chip resetCommit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handlingand host reset handling") caused two problems:1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore.2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs().So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" andpartially revert "scsi: qla2xxx: target: Fix offline port handling andhost reset handling" at __qla2x00_abort_all_cmds.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68778 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: don't log conflicting inode if it's a dir moved in the current transactionWe can't log a conflicting inode if it's a directory and it was movedfrom one parent directory to another parent directory in the currenttransaction, as this can result an attempt to have a directory withtwo hard links during log replay, one for the old parent directory andanother for the new parent directory.The following scenario triggers that issue:1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory;2) We move "dir1" to some other directory;3) We create a file with the name "dir1" in directory inode A;4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1";5) We move the new file to some other directory. This results in updating the log tree to included the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name();6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory);7) We have a power failure;8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1".As a result after log replay finishes when we trigger writeback of thesubvolume tree's extent buffers, the tree check will detect that we havea directory a hard link count of 2 and we get a mount failure.The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [---truncated---

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68788 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:fsnotify: do not generate ACCESS/MODIFY events on child for special filesinotify/fanotify do not allow users with no read access to a file tosubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow thesame user to subscribe for watching events on children when the userhas access to the parent directory (e.g. /dev).Users with no read access to a file but with read access to its parentdirectory can still stat the file and see if it was accessed/modifiedvia atime/mtime change.The same is not true for special files (e.g. /dev/null). Users will notgenerally observe atime/mtime changes when other users read/write tospecial files, only when someone sets atime/mtime via utimensat().Align fsnotify events with this stat behavior and do not generateACCESS/MODIFY events to parent watchers on read/write of special files.The events are still generated to parent watchers on utimensat(). Thiscloses some side-channels that could be possibly used for informationexfiltration [1].[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68789 Severity: Moderate CVSS3 score: 4.7

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68820 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: xattr: fix null pointer deref in ext4_raw_inode()If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()lacks error checking, this will lead to a null pointer dereferencein ext4_raw_inode(), called right after ext4_get_inode_loc().Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71071 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/mediatek: fix use-after-free on probe deferralThe driver is dropping the references taken to the larb devices duringprobe after successful lookup as well as on errors. This canpotentially lead to a use-after-free in case a larb device has not yetbeen bound to its driver so that the iommu driver probe defers.Fix this by keeping the references as expected while the iommu driver isbound.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71147 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:KEYS: trusted: Fix a memory leak in tpm2_load_cmd'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'but it is not freed in the failure paths. Address this by wrapping the blobinto with a cleanup helper.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71148 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/handshake: restore destructor on submit failurehandshake_req_submit() replaces sk->sk_destruct but never restores it whensubmission fails before the request is hashed. handshake_sk_destruct() thenreturns early and the original destructor never runs, leaking the socket.Restore sk_destruct on the error path.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71154 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: rtl8150: fix memory leak on usb_submit_urb() failureIn async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71194 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix deadlock in wait_current_trans() due to ignored transaction typeWhen wait_current_trans() is called during start_transaction(), itcurrently waits for a blocked transaction without considering whetherthe given transaction type actually needs to wait for that particulartransaction state. The btrfs_blocked_trans_types[] array already defineswhich transaction types should wait for which transaction states, butthis check was missing in wait_current_trans().This can lead to a deadlock scenario involving two transactions andpending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction BThis can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!)Task bstore_kv_sync in btrfs_commit_transaction waiting for orderedextents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30Fix this by passing the transaction type to wait_current_trans() andchecking btrfs_blocked_trans_types[cur_trans->state] against the giventype before deciding to wait. This ensures that transaction types whichare allowed to join during certain blocked states will not unnecessarilywait and cause deadlocks.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71269 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: do not free data reservation in fallback from inline due to -ENOSPCIf we fail to create an inline extent due to -ENOSPC, we will attempt togo through the normal COW path, reserve an extent, create an orderedextent, etc. However we were always freeing the reserved qgroup data,which is wrong since we will use data. Fix this by freeing the reservedqgroup data in __cow_file_range_inline() only if we are not doing thefallback (ret is <= 0).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-22985 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:idpf: Fix RSS LUT NULL pointer crash on early ethtool operationsThe RSS LUT is not initialized until the interface comes up, causingthe following NULL pointer crash when ethtool operations like rxhash on/offare performed before the interface is brought up for the first time.Move RSS LUT initialization from ndo_open to vport creation to ensure LUTis always available. This enables RSS configuration via ethtool beforebringing the interface up. Simplify LUT management by maintaining allchanges in the driver's soft copy and programming zeros to the indirectiontable when rxhash is disabled. Defer HW programming until the interfacecomes up if it is down during rxhash and LUT configuration changes.Steps to reproduce:** Load idpf driver; interfaces will be created modprobe idpf** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000[89408.371908] #PF: supervisor read access in kernel mode[89408.371924] #PF: error_code(0x0000) - not-present page[89408.371940] PGD 0 P4D 0[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130[89408.372310] Call Trace:[89408.372317] [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf][89408.372363] __netdev_update_features+0x295/0xde0[89408.372384] ethnl_set_features+0x15e/0x460[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180[89408.372429] genl_rcv_msg+0x1ad/0x2b0[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10[89408.372482] netlink_rcv_skb+0x58/0x100[89408.372502] genl_rcv+0x2c/0x50[89408.372516] netlink_unicast+0x289/0x3e0[89408.372533] netlink_sendmsg+0x215/0x440[89408.372551] __sys_sendto+0x234/0x240[89408.372571] __x64_sys_sendto+0x28/0x30[89408.372585] x64_sys_call+0x1909/0x1da0[89408.372604] do_syscall_64+0x7a/0xfa0[89408.373140] ? clear_bhb_loop+0x60/0xb0[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e[89408.378887]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23019 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: marvell: prestera: fix NULL dereference on devlink_alloc() failuredevlink_alloc() may return NULL on allocation failure, butprestera_devlink_alloc() unconditionally calls devlink_priv() onthe returned pointer.This leads to a NULL pointer dereference if devlink allocation fails.Add a check for a NULL devlink pointer and return NULL early to avoidthe crash.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23030 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()The for_each_available_child_of_node() calls of_node_put() torelease child_np in each success loop. After breaking from theloop with the child_np has been released, the code will jump tothe put_child label and will call the of_node_put() again if thedevm_request_threaded_irq() fails. These cause a double free bug.Fix by returning directly to avoid the duplicate of_node_put().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23050 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:pNFS: Fix a deadlock when returning a delegation during open()Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935The issue is that the delegreturn is being asked to wait for a layoutreturn that cannot complete because a state recovery was initiated. Thestate recovery cannot complete until the open() finishes processing thedelegations it was given.The solution is to propagate the existing flags that indicate anon-blocking call to the function pnfs_roc(), so that it knows not towait in this situation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23053 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:NFS: Fix a deadlock involving nfs_release_folio()Wang Zhaolong reports a deadlock involving NFSv4.1 state recoverywaiting on kthreadd, which is attempting to reclaim memory by callingnfs_release_folio(). The latter cannot make progress due to staterecovery being needed.It seems that the only safe thing to do here is to kick off a writebackof the folio, without waiting for completion, or else kicking off anasynchronous commit.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23061 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leakFix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:gs_usb_receive_bulk_callback(): fix URB memory leak").In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), theURBs for USB-in transfers are allocated, added to the dev->rx_submittedanchor and submitted. In the complete callbackkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. Inkvaser_usb_remove_interfaces() the URBs are freed by callingusb_kill_anchored_urbs(&dev->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in usb_kill_anchored_urbs().Fix the memory leak by anchoring the URB in thekvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23069 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:vsock/virtio: fix potential underflow in virtio_transport_get_credit()The credit calculation in virtio_transport_get_credit() uses unsignedarithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);If the peer shrinks its advertised buffer (peer_buf_alloc) while bytesare in flight, the subtraction can underflow and produce a largepositive value, potentially allowing more data to be queued than thepeer can handle.Reuse virtio_transport_has_space() which already handles this case andadd a comment to make it clear why we are doing that.[Stefano: use virtio_transport_has_space() instead of duplicating the code][Stefano: tweak the commit message]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23105 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_agThis is more of a preventive patch to make the code more consistent andto prevent possible exploits that employ child qlen manipulations on qfq.use cl_is_active instead of relying on the child qdisc's qlen to determineclass activation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23110 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: core: Wake up the error handler when final completions race against each otherThe fragile ordering between marking commands completed or failed sothat the error handler only wakes when the last running commandcompletes or times out has race conditions. These race conditions cancause the SCSI layer to fail to wake the error handler, leaving I/Othrough the SCSI host stuck as the error state cannot advance.First, there is an memory ordering issue within scsi_dec_host_busy().The write which clears SCMD_STATE_INFLIGHT may be reordered with readscounting in scsi_host_busy(). While the local CPU will see its ownwrite, reordering can allow other CPUs in scsi_dec_host_busy() orscsi_eh_inc_host_failed() to see a raised busy count, causing no CPU tosee a host busy equal to the host_failed count.This race condition can be prevented with a memory barrier on the errorpath to force the write to be visible before counting host busycommands.Second, there is a general ordering issue with scsi_eh_inc_host_failed(). Bycounting busy commands before incrementing host_failed, it can race with afinal command in scsi_dec_host_busy(), such that scsi_dec_host_busy() doesnot see host_failed incremented but scsi_eh_inc_host_failed() counts busycommands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),resulting in neither waking the error handler task.This needs the call to scsi_host_busy() to be moved after host_failed isincremented to close the race condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23133 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath10k: fix dma_free_coherent() pointerdma_alloc_coherent() allocates a DMA mapped buffer and stores theaddresses in XXX_unaligned fields. Those should be reused when freeingthe buffer rather than the aligned addresses.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23150 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().syzbot reported various memory leaks related to NFC, structnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]The leading log hinted that nfc_llcp_send_ui_frame() failedto allocate skb due to sock_error(sk) being -ENXIO.ENXIO is set by nfc_llcp_socket_release() when structnfc_llcp_local is destroyed by local_cleanup().The problem is that there is no synchronisation betweennfc_llcp_send_ui_frame() and local_cleanup(), and skbcould be put into local->tx_queue after it was purged inlocal_cleanup(): CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() |- do { ' |- pdu = nfc_alloc_send_skb(..., &err) | . | |- nfc_llcp_socket_release(local, false, ENXIO); | |- skb_queue_purge(&local->tx_queue); | | ' | |- skb_queue_tail(&local->tx_queue, pdu); | ... | |- pdu = nfc_alloc_send_skb(..., &err) | ^._________________________________.'local_cleanup() is called for struct nfc_llcp_local onlyafter nfc_llcp_remove_local() unlinks it from llcp_devices.If we hold local->tx_queue.lock then, we can synchronisethe thread and nfc_llcp_send_ui_frame().Let's do that and check list_empty(&local->list) beforequeuing skb to local->tx_queue in nfc_llcp_send_ui_frame().[0]:[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)BUG: memory leakunreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fBUG: memory leakunreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23198 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: Don't clobber irqfd routing type when deassigning irqfdWhen deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ'srouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, tohandle a concurrent routing update, verify that the irqfd is still activebefore consuming the routing information. As evidenced by the x86 andarm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),clobbering the entry type without notifying arch code is surprising anderror prone.As a bonus, checking that the irqfd is active provides a convenientlocation for documenting _why_ KVM must not consume the routing entry foran irqfd that is in the process of being deassigned: once the irqfd isdeleted from the list (which happens *before* the eventfd is detached), itwill no longer receive updates via kvm_irq_routing_update(), and so KVMcould deliver an event using stale routing information (relative toKVM_SET_GSI_ROUTING returning to userspace).As an even better bonus, explicitly checking for the irqfd being activefixes a similar bug to the one the clobbering is trying to prevent: if anirqfd is deactivated, and then its routing is changed,kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing()(because the irqfd isn't in the list). And so if the irqfd is in bypassmode, IRQs will continue to be posted using the old routing information.As for kvm_arch_irq_bypass_del_producer(), clobbering the routing typeresults in KVM incorrectly keeping the IRQ in bypass mode, which isespecially problematic on AMD as KVM tracks IRQs that are being posted toa vCPU in a list whose lifetime is tied to the irqfd.Without the help of KASAN to detect use-after-free, the most commonsympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due tothe memory for irqfd structure being re-allocated and zeroed, resultingin irqfd->irq_bypass_data being NULL when read byavic_update_iommu_vcpu_affinity(): BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:amd_iommu_update_ga+0x19/0xe0 Call Trace: avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd] __avic_vcpu_load+0xf4/0x130 [kvm_amd] kvm_arch_vcpu_load+0x89/0x210 [kvm] vcpu_load+0x30/0x40 [kvm] kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm] kvm_vcpu_ioctl+0x571/0x6a0 [kvm] __se_sys_ioctl+0x6d/0xb0 do_syscall_64+0x6f/0x9d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x46893b ---[ end trace 0000000000000000 ]---If AVIC is inhibited when the irfd is deassigned, the bug will manifest aslist corruption, e.g. on the next irqfd assignment. list_add corruption. next->prev should be prev (ffff8d474d5cd588), but was 0000000000000000. (next=ffff8d8658f86530). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:31! Oops: invalid opcode: 0000 [#1] SMP CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:__list_add_valid_or_report+0x97/0xc0 Call Trace: avic_pi_update_irte+0x28e/0x2b0 [kvm_amd] kvm_pi_update_irte+0xbf/0x190 [kvm] kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm] irq_bypass_register_consumer+0xcd/0x170 [irqbypa---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23207 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:spi: tegra210-quad: Protect curr_xfer check in IRQ handlerNow that all other accesses to curr_xfer are done under the lock,protect the curr_xfer NULL check in tegra_qspi_isr_thread() with thespinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference!With this patch, all curr_xfer accesses are now properly synchronized.Although all accesses to curr_xfer are done under the lock, integra_qspi_isr_thread() it checks for NULL, releases the lock andreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().There is a potential for an update in between, which could cause a NULLpointer dereference.To handle this, add a NULL check inside the handlers after acquiringthe lock. This ensures that if the timeout path has already clearedcurr_xfer, the handler will safely return without dereferencing theNULL pointer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23255 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: add proper RCU protection to /proc/net/ptypeYin Fengwei reported an RCU stall in ptype_seq_show() and provideda patch.Real issue is that ptype_seq_next() and ptype_seq_show() violateRCU rules.ptype_seq_show() runs under rcu_read_lock(), and reads pt->devto get device name without any barrier.At the same time, concurrent writers can remove a packet_type structure(which is correctly freed after an RCU grace period) and clear pt->devwithout an RCU grace period.Define ptype_iter_state to carry a dev pointer along seq_net_private:struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch};We need to record the device pointer in ptype_get_idx() andptype_seq_next() so that ptype_seq_show() is safe againstconcurrent pt->dev changes.We also need to add full RCU protection in ptype_seq_next().(Missing READ_ONCE() when reading list.next values)Many thanks to Dong Chenchen for providing a repro.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23304 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()l3mdev_master_dev_rcu() can return NULL when the slave device is beingun-slaved from a VRF. All other callers deal with this, but we lostthe fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()with commit 4832c30d5458 ("net: ipv6: put host and anycast routes ondevice with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437)I was tempted to rework the un-slaving code to clear the flag firstand insert synchronize_rcu() before we remove the upper. But looks likethe explicit fallback to loopback_dev is an established pattern.And I guess avoiding the synchronize_rcu() is nice, too.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23324 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:can: usb: etas_es58x: correctly anchor the urb in the read bulk callbackWhen submitting an urb, that is using the anchor pattern, it needs to beanchored before submitting it otherwise it could be leaked ifusb_kill_anchored_urbs() is called. This logic is correctly doneelsewhere in the driver, except in the read bulk callback so do thathere also.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23371 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boostingRunning stress-ng --schedpolicy 0 on an RT kernel on a big machinemight lead to the following WARNINGs (edited). sched: DL de-boosted task PID 22725: REPLENISH flag missing WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 ... (running_bw underflow) Call trace: dequeue_task_dl+0x15c/0x1f8 (P) dequeue_task+0x80/0x168 deactivate_task+0x24/0x50 push_dl_task+0x264/0x2e0 dl_task_timer+0x1b0/0x228 __hrtimer_run_queues+0x188/0x378 hrtimer_interrupt+0xfc/0x260 ...The problem is that when a SCHED_DEADLINE task (lock holder) ischanged to a lower priority class via sched_setscheduler(), it mayfail to properly inherit the parameters of potential DEADLINE donorsif it didn't already inherit them in the past (shorter deadline thandonor's at that time). This might lead to bandwidth accountingcorruption, as enqueue_task_dl() won't recognize the lock holder asboosted.The scenario occurs when:1. A DEADLINE task (donor) blocks on a PI mutex held by another DEADLINE task (holder), but the holder doesn't inherit parameters (e.g., it already has a shorter deadline)2. sched_setscheduler() changes the holder from DEADLINE to a lower class while still holding the mutex3. The holder should now inherit DEADLINE parameters from the donor and be enqueued with ENQUEUE_REPLENISH, but this doesn't happenFix the issue by introducing __setscheduler_dl_pi(), which detects whena DEADLINE (proper or boosted) task gets setscheduled to a lowerpriority class. In case, the function makes the task inherit DEADLINEparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag toensure proper bandwidth accounting during the next enqueue operation.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23399 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:nf_tables: nft_dynset: fix possible stateful expression memleak in error pathIf cloning the second stateful expression in the element via GFP_ATOMICfails, then the first stateful expression remains in place without beingreleased. unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_noprof+0x453/0xd80 nft_counter_clone+0x9c/0x190 [nf_tables] nft_expr_clone+0x8f/0x1b0 [nf_tables] nft_dynset_new+0x2cb/0x5f0 [nf_tables] nft_rhash_update+0x236/0x11c0 [nf_tables] nft_dynset_eval+0x11f/0x670 [nf_tables] nft_do_chain+0x253/0x1700 [nf_tables] nft_do_chain_ipv4+0x18d/0x270 [nf_tables] nf_hook_slow+0xaa/0x1e0 ip_local_deliver+0x209/0x330

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23414 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:tls: Purge async_hold in tls_decrypt_async_wait()The async_hold queue pins encrypted input skbs whilethe AEAD engine references their scatterlist data. Oncetls_decrypt_async_wait() returns, every AEAD operationhas completed and the engine no longer references thoseskbs, so they can be freed unconditionally.A subsequent patch adds batch async decryption totls_sw_read_sock(), introducing a new call site thatmust drain pending AEAD operations and release heldskbs. Move __skb_queue_purge(&ctx->async_hold) intotls_decrypt_async_wait() so the purge is centralizedand every caller -- recvmsg's drain path, the -EBUSYfallback in tls_do_decryption(), and the new read_sockbatch path -- releases held skbs on synchronizationwithout each site managing the purge independently.This fixes a leak when tls_strp_msg_hold() fails part-way through,after having added some cloned skbs to the async_holdqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() toprocess all pending decrypts, and drop back to synchronous mode, buttls_sw_recvmsg() only flushes the async_hold queue when one record hasbeen processed in "fully-async" mode, which may not be the case here.[pabeni@redhat.com: added leak comment]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23426 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()The logicvc_drm_config_parse() function calls of_get_child_by_name() tofind the "layers" node but fails to release the reference, leading to adevice node reference leak.Fix this by using the __free(device_node) cleanup attribute to automaticrelease the reference when the variable goes out of scope.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23440 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Fix race condition during IPSec ESN updateIn IPSec full offload mode, the device reports an ESN (ExtendedSequence Number) wrap event to the driver. The driver validates thisevent by querying the IPSec ASO and checking that the esn_event_armfield is 0x0, which indicates an event has occurred. After handlingthe event, the driver must re-arm the context by setting esn_event_armback to 0x1.A race condition exists in this handling path. After validating theevent, the driver calls mlx5_accel_esp_modify_xfrm() to update thekernel's xfrm state. This function temporarily releases andre-acquires the xfrm state lock.So, need to acknowledge the event first by setting esn_event_arm to0x1. This prevents the driver from reprocessing the same ESN update ifthe hardware sends events for other reason. Since the next ESN updateonly occurs after nearly 2^31 packets are received, there's no risk ofmissing an update, as it will happen long after this handling hasfinished.Processing the event twice causes the ESN high-order bits (esn_msb) tobe incremented incorrectly. The driver then programs the hardware withthis invalid ESN state, which leads to anti-replay failures and acomplete halt of IPSec traffic.Fix this by re-arming the ESN event immediately after it is validated,before calling mlx5_accel_esp_modify_xfrm(). This ensures that anyspurious, duplicate events are correctly ignored, closing the racewindow.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23452 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:PM: runtime: Fix a race condition related to device removalThe following code in pm_runtime_work() may dereference the dev->parentpointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); }Fix this by inserting a flush_work() call in pm_runtime_remove().Without this patch blktest block/001 triggers the following complaintsporadically:BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081Workqueue: pm pm_runtime_workCall Trace: dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x310 print_report+0xfd/0x1d7 kasan_report+0xd8/0x1d0 __kasan_check_byte+0x42/0x60 lock_acquire.part.0+0x38/0x230 lock_acquire+0x70/0x160 _raw_spin_lock+0x36/0x50 rpm_suspend+0xc6a/0xfe0 rpm_idle+0x578/0x770 pm_runtime_work+0xee/0x120 process_one_work+0xde3/0x1410 worker_thread+0x5eb/0xfe0 kthread+0x37b/0x480 ret_from_fork+0x6cb/0x920 ret_from_fork_asm+0x11/0x20 Allocated by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmalloc_noprof+0x311/0x990 scsi_alloc_target+0x122/0xb60 [scsi_mod] __scsi_scan_target+0x101/0x460 [scsi_mod] scsi_scan_channel+0x179/0x1c0 [scsi_mod] scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] store_scan+0x2d2/0x390 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810 do_syscall_64+0xee/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53Freed by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x67/0x80 kfree+0x225/0x6c0 scsi_target_dev_release+0x3d/0x60 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_put+0x7f/0xc0 [scsi_mod] sdev_store_delete+0xa5/0x120 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23473 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/poll: fix multishot recv missing EOF on wakeup raceWhen a socket send and shutdown() happen back-to-back, both firewake-ups before the receiver's task_work has a chance to run. The firstwake gets poll ownership (poll_refs=1), and the second bumps it to 2.When io_poll_check_events() runs, it calls io_poll_issue() which does arecv that reads the data and returns IOU_RETRY. The loop then drains allaccumulated refs (atomic_sub_return(2) -> 0) and exits, even though onlythe first event was consumed. Since the shutdown is a persistent statechange, no further wakeups will happen, and the multishot recv can hangforever.Check specifically for HUP in the poll loop, and ensure that anotherloop is done to check for status if more than a single poll activationis pending. This ensures we don't lose the shutdown event.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23474 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:mtd: Avoid boot crash in RedBoot partition table parserGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() whenavailable") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONEAs Kees said, "'names' is pointing to the final 'namelen' many bytesof the allocation ... 'namelen' could be basically any length at all.This fortify warning looks legit to me -- this code used to be readingbeyond the end of the allocation."Since the size of the dynamic allocation is calculated with strlen()we can use strcmp() instead of memcmp() and remain within bounds.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23475 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:spi: fix statistics allocationThe controller per-cpu statistics is not allocated until after thecontroller has been registered with driver core, which leaves a windowwhere accessing the sysfs attributes can trigger a NULL-pointerdereference.Fix this by moving the statistics allocation to controller allocationwhile tying its lifetime to that of the controller (rather than usingimplicit devres).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-27456 Severity: Moderate CVSS3 score: 4.7

Description: util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libblkid1 > 0-0 (version in image is 2.39.3-150600.4.15.1).

CVE-2026-31399 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:nvdimm/bus: Fix potential use after free in asynchronous initializationDingisoul with KASAN reports a use after free if device_add() fails innd_async_device_register().Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent whilescheduling async init") correctly added a reference on the parent deviceto be held until asynchronous initialization was complete. However, ifdevice_add() results in an allocation failure the ref count of thedevice drops to 0 prior to the parent pointer being accessed. Thusresulting in use after free.The bug bot AI correctly identified the fix. Save a reference to theparent pointer to be used to drop the parent reference regardless of theoutcome of device_add().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31404 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: Defer sub-object cleanup in export put callbackssvc_export_put() calls path_put() and auth_domain_put() immediatelywhen the last reference drops, before the RCU grace period. RCUreaders in e_show() and c_show() access both ex_path (viaseq_path/d_path) and ex_client->name (via seq_escape) withoutholding a reference. If cache_clean removes the entry and drops thelast reference concurrently, the sub-objects are freed while stillin use, producing a NULL pointer dereference in d_path.Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid orex_stats") moved kfree of ex_uuid and ex_stats into thecall_rcu callback, but left path_put() and auth_domain_put() runningbefore the grace period because both may sleep and call_rcucallbacks execute in softirq context.Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers thecallback until after the RCU grace period and executes it in processcontext where sleeping is permitted. This allows path_put() andauth_domain_put() to be moved into the deferred callback alongsidethe other resource releases. Apply the same fix to expkey_put(),which has the identical pattern with ek_path and ek_client.A dedicated workqueue scopes the shutdown drain to only NFSDexport release work items; flushing the sharedsystem_unbound_wq would stall on unrelated work from othersubsystems. nfsd_export_shutdown() uses rcu_barrier() followedby flush_workqueue() to ensure all deferred release callbackscomplete before the export caches are destroyed.Reviwed-by: Jeff Layton

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31440 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: idxd: Fix leaking event log memoryDuring the device remove process, the device is reset, causing theconfiguration registers to go back to their default state, which iszero. As the driver is checking if the event log support was enabledbefore deallocating, it will fail if a reset happened before.Do not check if the support was enabled, the check for 'idxd->evl'being valid (only allocated if the HW capability is available) isenough.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31441 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:dmaengine: idxd: Fix memory leak when a wq is resetidxd_wq_disable_cleanup() which is called from the reset path for aworkqueue, sets the wq type to NONE, which for other parts of thedriver mean that the wq is empty (all its resources were released).Only set the wq type to NONE after its resources are released.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31446 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix use-after-free in update_super_work when racing with umountCommit b98535d09179 ("ext4: fix bug_on in start_this_handle during umountfilesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_workto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groupsreads during unmount. However, this introduced a use-after-free becauseupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() whichaccesses the kobject's kernfs_node after it has been freed by kobject_del()in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)Instead of reordering the teardown sequence, fix this by makingext4_notify_error_sysfs() detect that sysfs has already been torn downby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() callin that case. A dedicated mutex (s_error_notify_mutex) serializesext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()to prevent TOCTOU races where the kobject could be deleted between thestate_in_sysfs check and the sysfs_notify() call.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31461 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Fix drm_edid leak in amdgpu_dm[WHAT]When a sink is connected, aconnector->drm_edid was overwritten withoutfreeing the previous allocation, causing a memory leak on resume.[HOW]Free the previous drm_edid before updating it.(cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31480 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Fix potential deadlock in cpu hotplug with osnoiseThe following sequence may leads deadlock in cpu hotplug: task1 task2 task3 ----- ----- ----- mutex_lock(&interface_lock) [CPU GOING OFFLINE] cpus_write_lock(); osnoise_cpu_die(); kthread_stop(task3); wait_for_completion(); osnoise_sleep(); mutex_lock(&interface_lock); cpus_read_lock(); [DEAD LOCK]Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31518 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:esp: fix skb leak with espintcp and async cryptoWhen the TX queue for espintcp is full, esp_output_tail_tcp willreturn an error and not free the skb, because with synchronous crypto,the common xfrm output code will drop the packet for us.With async crypto (esp_output_done), we need to drop the skb whenesp_output_tail_tcp returns an error.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31522 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:HID: magicmouse: avoid memory leak in magicmouse_report_fixup()The magicmouse_report_fixup() function was returning anewly kmemdup()-allocated buffer, but never freeing it.The caller of report_fixup() does not take ownership of the returnedpointer, but it *is* permitted to return a sub-portion of the inputrdesc, whose lifetime is managed by the caller.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31524 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:HID: asus: avoid memory leak in asus_report_fixup()The asus_report_fixup() function was returning a newly allocatedkmemdup()-allocated buffer, but never freeing it. Switch todevm_kzalloc() to ensure the memory is managed and freed automaticallywhen the device is removed.The caller of report_fixup() does not take ownership of the returnedpointer, but it is permitted to return a pointer whose lifetime is atleast that of the input buffer.Also fix a harmless out-of-bounds read by copying only the originaldescriptor size.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3783 Severity: Moderate CVSS3 score: 4.7

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transferperforms a redirect to a second URL, curl could leak that token to the secondhostname under some circumstances.If the hostname that the first request is redirected to has information in theused .netrc file, with either of the `machine` or `default` keywords, curlwould pass on the bearer token set for the first host also to the second one.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
curl < 8.14.1-150600.4.40.1 (version in image is 8.14.1-150600.4.37.1).

CVE-2026-4437 Severity: Moderate CVSS3 score: 4.7

Description: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc < 2.38-150600.14.46.1 (version in image is 2.38-150600.14.37.1).

CVE-2026-4438 Severity: Moderate CVSS3 score: 4.7

Description: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glibc < 2.38-150600.14.46.1 (version in image is 2.38-150600.14.37.1).

CVE-2025-68803 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: NFSv4 file creation neglects setting ACLAn NFSv4 client that sets an ACL with a named principal during filecreation retrieves the ACL afterwards, and finds that it is only adefault ACL (based on the mode bits) and not the ACL that wasrequested during file creation. This violates RFC 8881 section6.4.1.3: "the ACL attribute is set as given".The issue occurs in nfsd_create_setattr(), which callsnfsd_attrs_valid() to determine whether to call nfsd_setattr().However, nfsd_attrs_valid() checks only for iattr changes andsecurity labels, but not POSIX ACLs. When only an ACL is present,the function returns false, nfsd_setattr() is skipped, and thePOSIX ACL is never applied to the inode.Subsequently, when the client retrieves the ACL, the server findsno POSIX ACL on the inode and returns one generated from the file'smode bits rather than returning the originally-specified ACL.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23214 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: reject new transactions if the fs is fully read-only[BUG]There is a bug report where a heavily fuzzed fs is mounted with allrescue mount options, which leads to the following warnings duringunmount: BTRFS: Transaction aborted (error -22) Modules linked in: CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline] RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611 Call Trace: btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705 btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157 btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517 btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708 btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130 btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499 btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628 evict+0x5f4/0xae0 fs/inode.c:837 __dentry_kill+0x209/0x660 fs/dcache.c:670 finish_dput+0xc9/0x480 fs/dcache.c:879 shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661 generic_shutdown_super+0x67/0x2c0 fs/super.c:621 kill_anon_super+0x3b/0x70 fs/super.c:1289 btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127 deactivate_locked_super+0xbc/0x130 fs/super.c:474 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318 task_work_run+0x1d4/0x260 kernel/task_work.c:233 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x694/0x22f0 kernel/exit.c:971 do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 __do_sys_exit_group kernel/exit.c:1123 [inline] __se_sys_exit_group kernel/exit.c:1121 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121 x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x44f639 Code: Unable to access opcode bytes at 0x44f60f. RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Since rescue mount options will mark the full fs read-only, there shouldbe no new transaction triggered.But during unmount we will evict all inodes, which can trigger a newtransaction, and triggers warnings on a heavily corrupted fs.[CAUSE]Btrfs allows new transaction even on a read-only fs, this is to allowlog replay happen even on read-only mounts, just like what ext4/xfs do.However with rescue mount options, the fs is fully read-only and cannotbe remounted read-write, thus in that case we should also reject any newtransactions.[FIX]If we find the fs has rescue mount options, we should treat the fs aserror, so that no new transaction can be started.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.92.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23290 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: pegasus: validate USB endpointsThe pegasus driver should validate that the device it is probing has theproper number and types of USB endpoints it is expecting before it bindsto it. If a malicious device were to not have the same urbs the driverwill crash later on when it blindly accesses these endpoints.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23298 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:can: ucan: Fix infinite loop from zero-length messagesIf a broken ucan device gets a message with the message length field setto 0, then the driver will loop for forever inucan_read_bulk_callback(), hanging the system. If the length is 0, justskip the message and go on to the next one.This has been fixed in the kvaser_usb driver in the past in commit0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop incommand parsers"), so there must be some broken devices out there likethis somewhere.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23312 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: kaweth: validate USB endpointsThe kaweth driver should validate that the device it is probing has theproper number and types of USB endpoints it is expecting before it bindsto it. If a malicious device were to not have the same urbs the driverwill crash later on when it blindly accesses these endpoints.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3784 Severity: Moderate CVSS3 score: 4.6

Description: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to aserver, even if the new request uses different credentials for the HTTP proxy.The proper behavior is to create or use a separate connection.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
curl < 8.14.1-150600.4.40.1 (version in image is 8.14.1-150600.4.37.1).

CVE-2025-11065 Severity: Moderate CVSS3 score: 4.5

Description: A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2026-31427 Severity: Moderate CVSS3 score: 4.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdpprocess_sdp() declares union nf_inet_addr rtp_addr on the stack andpasses it to the nf_nat_sip sdp_session hook after walking the SDPmedia descriptions. However rtp_addr is only initialized inside themedia loop when a recognized media type with a non-zero port is found.If the SDP body contains no m= lines, only inactive media sections(m=audio 0 ...) or only unrecognized media types, rtp_addr is neverassigned. Despite that, the function still calls hooks->sdp_session()with &rtp_addr, causing nf_nat_sdp_session() to format the stale stackvalue as an IP address and rewrite the SDP session owner and connectionlines with it.With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) thisresults in the session-level o= and c= addresses being rewritten to0.0.0.0 for inactive SDP sessions. Without stack auto-init therewritten address is whatever happened to be on the stack.Fix this by pre-initializing rtp_addr from the session-level connectionaddress (caddr) when available, and tracking via a have_rtp_addr flagwhether any valid address was established. Skip the sdp_session hookentirely when no valid address exists.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52622 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: avoid online resizing failures due to oversized flex bgWhen we online resize an ext4 filesystem with a oversized flexbg_size, mkfs.ext4 -F -G 67108864 $dev -b 4096 100M mount $dev $dir resize2fs $dev 16Gthe following WARN_ON is triggered:==================================================================WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550Modules linked in: sg(E)CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314RIP: 0010:__alloc_pages+0x411/0x550Call Trace: __kmalloc_large_node+0xa2/0x200 __kmalloc+0x16e/0x290 ext4_resize_fs+0x481/0xd80 __ext4_ioctl+0x1616/0x1d90 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0xf0/0x150 do_syscall_64+0x3b/0x90==================================================================This is because flexbg_size is too large and the size of the new_group_dataarray to be allocated exceeds MAX_ORDER. Currently, the minimum value ofMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the correspondingmaximum number of groups that can be allocated is: (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ~ 21845And the value that is down-aligned to the power of 2 is 16384. Therefore,this value is defined as MAX_RESIZE_BG, and the number of groups addedeach time does not exceed this value during resizing, and is added multipletimes to complete the online resizing. The difference is that the metadatain a flex_bg may be more dispersed.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2023-52884 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:Input: cyapa - add missing input core locking to suspend/resume functionsGrab input->mutex during suspend/resume functions like it is done inother input drivers. This fixes the following warning during systemsuspend/resume cycle on Samsung Exynos5250-based Snow Chromebook:------------[ cut here ]------------WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6cModules linked in: ...CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109Hardware name: Samsung Exynos (Flattened Device Tree)Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28Exception stack(0xf1625fb0 to 0xf1625ff8)...---[ end trace 0000000000000000 ]---...------------[ cut here ]------------WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6cModules linked in: ...CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109Hardware name: Samsung Exynos (Flattened Device Tree)Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28Exception stack(0xf1625fb0 to 0xf1625ff8)...---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-26814 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:vfio/fsl-mc: Block calling interrupt handler without triggerThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object isinitially NULL and may become NULL if the user sets the triggereventfd to -1. The interrupt handler itself is guaranteed thattrigger is always valid between request_irq() and free_irq(), butthe loopback testing mechanisms to invoke the handler functionneed to test the trigger. The triggering and setting ioctl pathsboth make use of igate and are therefore mutually exclusive.The vfio-fsl-mc driver does not make use of irqfds, nor does itsupport any sort of masking operations, therefore unlike vfio-pciand vfio-platform, the flow can remain essentially unchanged.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-33619 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:efi: libstub: only free priv.runtime_map when allocatedpriv.runtime_map is only allocated when efi_novamap is not set.Otherwise, it is an uninitialized value. In the error path, it is freedunconditionally. Avoid passing an uninitialized value to free_pool.Free priv.runtime_map only when it was allocated.This bug was discovered and resolved using Coverity Static AnalysisSecurity Testing (SAST) by Synopsys, Inc.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-35926 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: iaa - Fix async_disable descriptor leakThe disable_async paths of iaa_compress/decompress() don't free idxddescriptors in the async_disable case. Currently this only happens inthe testcases where req->dst is set to null. Add a test to free themin those paths.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-36926 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:powerpc/pseries/iommu: LPAR panics during boot up with a frozen PEAt the time of LPAR boot up, partition firmware provides Open Firmwareproperty ibm,dma-window for the PE. This property is provided on the PCIbus the PE is attached to.There are execptions where the partition firmware might not provide thisproperty for the PE at the time of LPAR boot up. One of the scenario iswhere the firmware has frozen the PE due to some error condition. ThisPE is frozen for 24 hours or unless the whole system is reinitialized.Within this time frame, if the LPAR is booted, the frozen PE will bepresented to the LPAR but ibm,dma-window property could be missing.Today, under these circumstances, the LPAR oopses with NULL pointerdereference, when configuring the PCI bus the PE is attached to. BUG: Kernel NULL pointer dereference on read at 0x000000c8 Faulting instruction address: 0xc0000000001024c0 Oops: Kernel access of bad area, sig: 7 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: Supported: Yes CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.4.0-150600.9-default #1 Hardware name: IBM,9043-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_023) hv:phyp pSeries NIP: c0000000001024c0 LR: c0000000001024b0 CTR: c000000000102450 REGS: c0000000037db5c0 TRAP: 0300 Not tainted (6.4.0-150600.9-default) MSR: 8000000002009033 CR: 28000822 XER: 00000000 CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK: 0 ... NIP [c0000000001024c0] pci_dma_bus_setup_pSeriesLP+0x70/0x2a0 LR [c0000000001024b0] pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 Call Trace: pci_dma_bus_setup_pSeriesLP+0x60/0x2a0 (unreliable) pcibios_setup_bus_self+0x1c0/0x370 __of_scan_bus+0x2f8/0x330 pcibios_scan_phb+0x280/0x3d0 pcibios_init+0x88/0x12c do_one_initcall+0x60/0x320 kernel_init_freeable+0x344/0x3e4 kernel_init+0x34/0x1d0 ret_from_kernel_user_thread+0x14/0x1c

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38545 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/hns: Fix UAF for cq async eventThe refcount of CQ is not protected by locks. When CQ asynchronousevents and CQ destruction are concurrent, CQ may have been released,which will cause UAF.Use the xa_lock() to protect the CQ refcount.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38546 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:drm: vc4: Fix possible null pointer dereferenceIn vc4_hdmi_audio_init() of_get_address() may returnNULL which is later dereferenced. Fix this bug by adding NULL check.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38555 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Discard command completions in internal errorFix use after free when FW completion arrives while device is ininternal error state. Avoid calling completion handler in this case,since the device will flush the command interface and trigger allcompletions manually.Kernel log:------------[ cut here ]------------refcount_t: underflow; use-after-free....RIP: 0010:refcount_warn_saturate+0xd8/0xe0...Call Trace:? __warn+0x79/0x120? refcount_warn_saturate+0xd8/0xe0? report_bug+0x17c/0x190? handle_bug+0x3c/0x60? exc_invalid_op+0x14/0x70? asm_exc_invalid_op+0x16/0x20? refcount_warn_saturate+0xd8/0xe0cmd_ent_put+0x13b/0x160 [mlx5_core]mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]cmd_comp_notifier+0x1f/0x30 [mlx5_core]notifier_call_chain+0x35/0xb0atomic_notifier_call_chain+0x16/0x20mlx5_eq_async_int+0xf6/0x290 [mlx5_core]notifier_call_chain+0x35/0xb0atomic_notifier_call_chain+0x16/0x20irq_int_handler+0x19/0x30 [mlx5_core]__handle_irq_event_percpu+0x4b/0x160handle_irq_event+0x2e/0x80handle_edge_irq+0x98/0x230__common_interrupt+0x3b/0xa0common_interrupt+0x7b/0xa0asm_common_interrupt+0x22/0x40

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38580 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:epoll: be better about file lifetimesepoll can call out to vfs_poll() with a file pointer that may race withthe last 'fput()'. That would make f_count go down to zero, and whilethe ep->mtx locking means that the resulting file pointer tear-down willbe blocked until the poll returns, it means that f_count is alreadydead, and any use of it won't actually get a reference to the file anymore: it's dead regardless.Make sure we have a valid ref on the file pointer before we call down tovfs_poll() from the epoll routines.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38597 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:eth: sungem: remove .ndo_poll_controller to avoid deadlocksErhard reports netpoll warnings from sungem: netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20cgem_poll_controller() disables interrupts, which may sleep.We can't sleep in netpoll, it has interrupts disabled completely.Strangely, gem_poll_controller() doesn't even poll the completions,and instead acts as if an interrupt has fired so it just schedulesNAPI and exits. None of this has been necessary for years, sincenetpoll invokes NAPI directly.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38608 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Fix netif state handlingmlx5e_suspend cleans resources only if netif_device_present() returnstrue. However, mlx5e_resume changes the state of netif, viamlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.In the below case, the above leads to NULL-ptr Oops[1] and memoryleaks:mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() register_netdev <-- failed for some reason.ERROR_FLOW: _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(Hence, clean resources in this case as well.[1]BUG: kernel NULL pointer dereference, address: 0000000000000000PGD 0 P4D 0Oops: 0010 [#1] SMPCPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014RIP: 0010:0x0Code: Unable to access opcode bytes at0xffffffffffffffd6.RSP: 0018:ffff888178aaf758 EFLAGS: 00010246Call Trace: ? __die+0x20/0x60 ? page_fault_oops+0x14c/0x3c0 ? exc_page_fault+0x75/0x140 ? asm_exc_page_fault+0x22/0x30 notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] probe_one+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+0xbf/0x210 ? kernfs_create_link+0x5d/0xa0 ? sysfs_do_create_link_sd+0x60/0xc0 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-38615 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:cpufreq: exit() callback is optionalThe exit() callback is optional and shouldn't be called without checkinga valid pointer first.Also, we must clear freq_table pointer even if the exit() callback isn'tpresent.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-22870 Severity: Moderate CVSS3 score: 4.4

Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2025-38321 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:smb: Log an error when close_all_cached_dirs failsUnder low-memory conditions, close_all_cached_dirs() can't move thedentries to a separate list to dput() them once the locks are dropped.This will result in a "Dentry still in use" error, so add an errormessage that makes it clear this is what happened:[ 495.281119] CIFS: VFS: \\otters.example.com\share Out of memory while dropping dentries[ 495.281595] ------------[ cut here ]------------[ 495.281887] BUG: Dentry ffff888115531138{i=78,n=/} still in use (2) [unmount of cifs cifs][ 495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0Also, bail out of looping through all tcons as soon as a singleallocation fails, since we're already in trouble, and kmalloc() attemptsfor subseqeuent tcons are likely to fail just like the first one did.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40092 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_ncm: Refactor bind path to use __free()After an bind/unbind cycle, the ncm->notify_req is left stale. If asubsequent bind fails, the unified error label attempts to free thisstale request, leading to a NULL pointer dereference when accessingep->ops->free_request.Refactor the error handling in the bind path to use the __free()automatic cleanup mechanism.Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020Call trace: usb_ep_free_request+0x2c/0xec ncm_bind+0x39c/0x3dc usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40136 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: hisilicon/qm - request reserved interrupt for virtual functionThe device interrupt vector 3 is an error interrupt forphysical function and a reserved interrupt for virtual function.However, the driver has not registered the reserved interrupt forvirtual function. When allocating interrupts, the number of interruptsis allocated based on powers of two, which includes this interrupt.When the system enables GICv4 and the virtual function passthroughto the virtual machine, releasing the interrupt in the drivertriggers a warning.The WARNING report is:WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4Therefore, register a reserved interrupt for VF and set theIRQF_NO_AUTOEN flag to avoid that warning.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40144 Severity: Moderate CVSS3 score: 4.4

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40178 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:pid: Add a judgment for ns null in pid_nr_ns__task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) {Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 [0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __task_pid_nr_ns+0x74/0xd0 lr : __task_pid_nr_ns+0x24/0xd0 sp : ffffffc08001bd10 x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 Call trace: __task_pid_nr_ns+0x74/0xd0 ... __handle_irq_event_percpu+0xd4/0x284 handle_irq_event+0x48/0xb0 handle_fasteoi_irq+0x160/0x2d8 generic_handle_domain_irq+0x44/0x60 gic_handle_irq+0x4c/0x114 call_on_irq_stack+0x3c/0x74 do_interrupt_handler+0x4c/0x84 el1_interrupt+0x34/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c account_kernel_stack+0x60/0x144 exit_task_stack_account+0x1c/0x80 do_exit+0x7e4/0xaf8 ... get_signal+0x7bc/0x8d8 do_notify_resume+0x128/0x828 el0_svc+0x6c/0x70 el0t_64_sync_handler+0x68/0xbc el0t_64_sync+0x1a8/0x1ac Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40255 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()The ethtool tsconfig Netlink path can trigger a null pointerdereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower()results in generic_hwtstamp_ioctl_lower() being called withkernel_cfg->ifr as NULL.The generic_hwtstamp_ioctl_lower() function does not expecta NULL ifr and dereferences it, leading to a system crash.Fix this by adding a NULL check for kernel_cfg->ifr ingeneric_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40279 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: act_connmark: initialize struct tc_ife to fix kernel leakIn tcf_connmark_dump(), the variable 'opt' was partially initialized using adesignatied initializer. While the padding bytes are reamineduninitialized. nla_put() copies the entire structure into anetlink message, these uninitialized bytes leaked to userspace.Initialize the structure with memset before assigning its fieldsto ensure all members and padding are cleared prior to beign copied.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40293 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:iommufd: Don't overflow during division for dirty trackingIf pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflowto 0 and this triggers divide by 0.In this case the index should just be 0, so reorganize things to divideby shift and avoid hitting any overflows.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-68744 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Free special fields when update [lru_,]percpu_hash mapsAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missingcalls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause thememory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until themap gets freed.Fix this by calling 'bpf_obj_free_fields()' after'copy_map_value[,_long]()' in 'pcpu_copy_value()'.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-69277 Severity: Moderate CVSS3 score: 4.4

Description: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.11.1).

CVE-2025-69720 Severity: Moderate CVSS3 score: 4.4

Description: The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libncurses6 > 0-0 (version in image is 6.1-150000.5.30.1).

CVE-2025-71091 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:team: fix check for port enabled in team_queue_override_port_prio_changed()There has been a syzkaller bug reported recently with the followingtrace:list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)------------[ cut here ]------------kernel BUG at lib/list_debug.c:59!Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTICPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ffRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0Call Trace: __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fThe problem is in this flow:1) Port is enabled, queue_id != 0, in qom_list2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list)3) Port is disabled, queue_id != 0, not in any list4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed alreadyTo fix this, change the check in team_queue_override_port_prio_changed()so it returns early if port is not enabled.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71233 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: endpoint: Avoid creating sub-groups asynchronouslyThe asynchronous creation of sub-groups by a delayed work could lead to aNULL pointer dereference when the driver directory is removed before thework completes.The crash can be easily reproduced with the following commands: # cd /sys/kernel/config/pci_ep/functions/pci_epf_test # for i in {1..20}; do mkdir test && rmdir test; done BUG: kernel NULL pointer dereference, address: 0000000000000088 ... Call Trace: configfs_register_group+0x3d/0x190 pci_epf_cfs_work+0x41/0x110 process_one_work+0x18f/0x350 worker_thread+0x25a/0x3a0Fix this issue by using configfs_add_default_group() API which does nothave the deadlock problem as configfs_register_group() and does not requirethe delayed work handler.[mani: slightly reworded the description and added stable list]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71235 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Delay module unload while fabric scan in progressSystem crash seen during load/unload test in a loop.[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000[105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000[105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0[105954.384928] PKRU: 55555554[105954.384929] Call Trace:[105954.384931] [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx][105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx][105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx][105954.384999] ? __wake_up_common+0x80/0x190[105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx][105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx][105954.385040] ? __handle_irq_event_percpu+0x3d/0x190[105954.385044] ? handle_irq_event+0x58/0xb0[105954.385046] ? handle_edge_irq+0x93/0x240[105954.385050] ? __common_interrupt+0x41/0xa0[105954.385055] ? common_interrupt+0x3e/0xa0[105954.385060] ? asm_common_interrupt+0x22/0x40The root cause of this was that there was a free (dma_free_attrs) in theinterrupt context. There was a device discovery/fabric scan inprogress. A module unload was issued which set the UNLOADING flag. Aspart of the discovery, after receiving an interrupt a work queue wasscheduled (which involved a work to be queued). Since the UNLOADINGflag is set, the work item was not allocated and the mapped memory hadto be freed. The free occurred in interrupt context leading to systemcrash. Delay the driver unload until the fabric scan is complete toavoid the crash.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-2243 Severity: Moderate CVSS3 score: 4.4

Description: A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
qemu-img > 0-0 (version in image is 8.2.10-150600.3.43.1).

CVE-2026-22993 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:idpf: Fix RSS LUT NULL ptr issue after soft resetDuring soft reset, the RSS LUT is freed and not restored unless theinterface is up. If an ethtool command that accesses the rss lut isattempted immediately after reset, it will result in NULL ptrdereference. Also, there is no need to reset the rss lut if the soft resetdoes not involve queue count change.After soft reset, set the RSS LUT to default values based on the updatedqueue count only if the reset was a result of a queue count change andthe LUT was not configured by the user. In all other cases, don't touchthe LUT.Steps to reproduce:** Bring the interface down (if up)ifconfig eth1 down** update the queue count (eg., 27->20)ethtool -L eth1 combined 20** display the RSS LUTethtool -x eth1[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000[82375.558373] #PF: supervisor read access in kernel mode[82375.558391] #PF: error_code(0x0000) - not-present page[82375.558408] PGD 0 P4D 0[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf][82375.558786] Call Trace:[82375.558793] [82375.558804] rss_prepare.isra.0+0x187/0x2a0[82375.558827] rss_prepare_data+0x3a/0x50[82375.558845] ethnl_default_doit+0x13d/0x3e0[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180[82375.558886] genl_rcv_msg+0x1ad/0x2b0[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10[82375.558937] netlink_rcv_skb+0x58/0x100[82375.558957] genl_rcv+0x2c/0x50[82375.558971] netlink_unicast+0x289/0x3e0[82375.558988] netlink_sendmsg+0x215/0x440[82375.559005] __sys_sendto+0x234/0x240[82375.559555] __x64_sys_sendto+0x28/0x30[82375.560068] x64_sys_call+0x1909/0x1da0[82375.560576] do_syscall_64+0x7a/0xfa0[82375.561076] ? clear_bhb_loop+0x60/0xb0[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23031 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leakIn gs_can_open(), the URBs for USB-in transfers are allocated, added to theparent->rx_submitted anchor and submitted. In the complete callbackgs_usb_receive_bulk_callback(), the URB is processed and resubmitted. Ings_can_close() the URBs are freed by callingusb_kill_anchored_urbs(parent->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in gs_can_close().Fix the memory leak by anchoring the URB in thegs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23064 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_ife: avoid possible NULL dereftcf_ife_encode() must make sure ife_encode() does not return NULL.syzbot reported:Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTIKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)Call Trace: ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23084 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_listWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() isset to false, the driver may request the PMAC_ID from the firmware of thenetwork card, and this function will store that PMAC_ID at the providedaddress pmac_id. This is the contract of this function.However, there is a location within the driver where bothpmac_id_valid == false and pmac_id == NULL are being passed. This couldresult in dereferencing a NULL pointer.To resolve this issue, it is necessary to pass the address of a stubvariable to the function.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23108 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leakFix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:gs_usb_receive_bulk_callback(): fix URB memory leak").In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers areallocated, added to the priv->rx_submitted anchor and submitted. In thecomplete callback usb_8dev_read_bulk_callback(), the URBs are processed andresubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed bycalling usb_kill_anchored_urbs(&priv->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in usb_kill_anchored_urbs().Fix the memory leak by anchoring the URB in theusb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23163 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_removeOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 andih2 interrupt ring buffers are not initialized. This is by design, asthese secondary IH rings are only available on discrete GPUs. Seevega10_ih_sw_init() which explicitly skips ih1/ih2 initialization whenAMD_IS_APU is set.However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 toget the timestamp of the last interrupt entry. When retry faults areenabled on APUs (noretry=0), this function is called from the SVM pagefault recovery path, resulting in a NULL pointer dereference whenamdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].The crash manifests as: BUG: kernel NULL pointer dereference, address: 0000000000000004 RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu] Call Trace: amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu] svm_range_restore_pages+0xae5/0x11c0 [amdgpu] amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu] gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu] amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu] amdgpu_ih_process+0x84/0x100 [amdgpu]This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HWIP 9.3.0 from noretry=1") which changed the default for Renoir APU fromnoretry=1 to noretry=0, enabling retry fault handling and thusexercising the buggy code path.Fix this by adding a check for ih1.ring_size before attempting to useit. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu:Rework retry fault removal"). This is needed if the hardware doesn'tsupport secondary HW IH rings.v2: additional updates (Alex)(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23166 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:ice: Fix NULL pointer dereference in ice_vsi_set_napi_queuesAdd NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashesduring resume from suspend when rings[q_idx]->q_vector is NULL.Tested adaptor:60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02) Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]SR-IOV state: both disabled and enabled can reproduce this issue.kernel version: v6.18Reproduce steps:Boot up and execute suspend like systemctl suspend or rtcwake.Log:<1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040<1>[ 231.444052] #PF: supervisor read access in kernel mode<1>[ 231.444484] #PF: error_code(0x0000) - not-present page<6>[ 231.444913] PGD 0 P4D 0<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0<4>[ 231.451629] PKRU: 55555554<4>[ 231.452076] Call Trace:<4>[ 231.452549] <4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10<4>[ 231.454425] pci_pm_resume+0x8c/0x140<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10<4>[ 231.455347] dpm_run_callback+0x5f/0x160<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170<4>[ 231.456244] device_resume+0x177/0x270<4>[ 231.456708] dpm_resume+0x209/0x2f0<4>[ 231.457151] dpm_resume_end+0x15/0x30<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0<4>[ 231.458054] enter_state+0x10e/0x570Add defensive checks for both the ring pointer and its q_vectorbefore dereferencing, allowing the system to resume successfully even whenq_vectors are unmapped.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23170 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:drm/imx/tve: fix probe device leakMake sure to drop the reference taken to the DDC device during probe onprobe failure (e.g. probe deferral) and on driver unbind.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23173 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: TC, delete flows only for existing peersWhen deleting TC steering flows, iterate only over actual devcompeers instead of assuming all possible ports exist. This avoidstouching non-existent peers and ensures cleanup is limited todevices the driver is currently connected to. BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 133c8a067 P4D 0 Oops: Oops: 0002 [#1] SMP CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core] Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49 RSP: 0018:ff11000143867528 EFLAGS: 00010246 RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000 RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0 RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002 R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78 R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0 FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0 Call Trace: mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] mlx5e_flow_put+0x25/0x50 [mlx5_core] mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core] tc_setup_cb_reoffload+0x20/0x80 fl_reoffload+0x26f/0x2f0 [cls_flower] ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] tcf_block_playback_offloads+0x9e/0x1c0 tcf_block_unbind+0x7b/0xd0 tcf_block_setup+0x186/0x1d0 tcf_block_offload_cmd.isra.0+0xef/0x130 tcf_block_offload_unbind+0x43/0x70 __tcf_block_put+0x85/0x160 ingress_destroy+0x32/0x110 [sch_ingress] __qdisc_destroy+0x44/0x100 qdisc_graft+0x22b/0x610 tc_get_qdisc+0x183/0x4d0 rtnetlink_rcv_msg+0x2d7/0x3d0 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x249/0x320 ? __alloc_skb+0x102/0x1f0 netlink_sendmsg+0x1e3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1ef/0x230 ? copy_msghdr_from_user+0x6c/0xa0 ___sys_sendmsg+0x7f/0xc0 ? ___sys_recvmsg+0x8a/0xc0 ? __sys_sendto+0x119/0x180 __sys_sendmsg+0x61/0xb0 do_syscall_64+0x55/0x640 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f35238bb764 Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764 RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003 RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20 R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790 R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23292 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: Fix recursive locking in __configfs_open_file()In flush_write_buffer, &p->frag_sem is acquired and then the loaded storefunction is called, which, here, is target_core_item_dbroot_store(). Thisfunction called filp_open(), following which these functions were called(in reverse order), according to the call trace: down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_itertarget_core_item_dbroot_store() tries to validate the new file path bytrying to open the file path provided to it; however, in this case, the bugreport shows:db_root: not a directory: /sys/kernel/config/target/dbrootindicating that the same configfs file was tried to be opened, on which itis currently working on. Thus, it is trying to acquire frag_sem semaphoreof the same file of which it already holds the semaphore obtained inflush_write_buffer(), leading to acquiring the semaphore in a nested mannerand a possibility of recursive locking.Fix this by modifying target_core_item_dbroot_store() to use kern_path()instead of filp_open() to avoid opening the file using filesystem-specificfunction __configfs_open_file(), and further modifying it to make this fixcompatible.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23300 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthopWhen a standalone IPv6 nexthop object is created with a loopback device(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifiesit as a reject route. This is because nexthop objects have no destinationprefix (fc_dst=::), causing fib6_is_reject() to match any loopbacknexthop. The reject path skips fib_nh_common_init(), leavingnhc_pcpu_rth_output unallocated. If an IPv4 route later references thisnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output andpanics.Simplify the check in fib6_nh_init() to only match explicit rejectroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopbackpromotion heuristic in fib6_is_reject() is handled separately byip6_route_info_create_nh(). After this change, the three cases behaveas follows:1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23310 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loadedbond_option_mode_set() already rejects mode changes that would make aloaded XDP program incompatible via bond_xdp_check(). However,bond_option_xmit_hash_policy_set() has no such guard.For 802.3ad and balance-xor modes, bond_xdp_check() returns false whenxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usuallyabsent due to hardware offload. This means a user can:1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.This leaves bond->xdp_prog set but bond_xdp_check() now returning falsefor the same device. When the bond is later destroyed, dev_xdp_uninstall()calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hitsthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when anXDP program is loaded on a bond in 802.3ad or balance-xor mode.commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")introduced bond_xdp_check() which returns false for 802.3ad/balance-xormodes when xmit_hash_policy is vlan+srcmac. The check was wired intobond_xdp_set() to reject XDP attachment with an incompatible policy, butthe symmetric path -- preventing xmit_hash_policy from being changed to anincompatible value after XDP is already loaded -- was left unguarded inbond_option_xmit_hash_policy_set().Note:commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")later added a similar guard to bond_option_mode_set(), butbond_option_xmit_hash_policy_set() remained unprotected.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23333 Severity: Moderate CVSS3 score: 4.4

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23397 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:nfnetlink_osf: validate individual option lengths in fingerprintsnfnl_osf_add_callback() validates opt_num bounds and stringNUL-termination but does not check individual option length fields.A zero-length option causes nf_osf_match_one() to enter the optionmatching loop even when foptsize sums to zero, which matches packetswith no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573)Additionally, an MSS option (kind=2) with length < 4 causesout-of-bounds reads when nf_osf_match_one() unconditionally accessesoptp[2] and optp[3] for MSS value extraction. While RFC 9293section 3.2 specifies that the MSS option is always exactly 4bytes (Kind=2, Length=4), the check uses "< 4" rather than"!= 4" because lengths greater than 4 do not cause memorysafety issues -- the buffer is guaranteed to be at leastfoptsize bytes by the ctx->optsize == foptsize check.Reject fingerprints where any option has zero length, or where an MSSoption has length less than 4, at add time rather than trusting thesevalues in the packet matching hot path.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31407 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: conntrack: add missing netlink policy validationsHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.These attributes are used by the kernel without any validation.Extend the netlink policies accordingly.Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31415 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: avoid overflows in ip6_datagram_send_ctl()Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`:- In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). ----truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31464 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()A malicious or compromised VIO server can return a num_written value in thediscover targets MAD response that exceeds max_targets. This value isstored directly in vhost->num_targets without validation, and is then usedas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], whichis only allocated for max_targets entries. Indices at or beyond max_targetsaccess kernel memory outside the DMA-coherent allocation. Theout-of-bounds data is subsequently embedded in Implicit Logout and PLOGIMADs that are sent back to the VIO server, leaking kernel memory.Fix by clamping num_written to max_targets before storing it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31494 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: use the current queue number for statsThere's a potential mismatch between the memory reserved for statisticsand the amount of memory written.gem_get_sset_count() correctly computes the number of stats based on theactive queues, whereas gem_get_ethtool_stats() indiscriminately copiesdata using the maximum number of queues, and in the case the number ofactive queues is less than MACB_MAX_QUEUES, this results in a OOB writeas observed in the KASAN splat.==================================================================BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]Write of size 760 at addr ffff80008080b000 by task ethtool/1027CPU: [...]Tainted: [E]=UNSIGNED_MODULEHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 print_report+0x384/0x5e0 kasan_report+0xa0/0xf0 kasan_check_range+0xe8/0x190 __asan_memcpy+0x54/0x98 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65] dev_ethtool+0x1220/0x38c0 dev_ioctl+0x4ac/0xca8 sock_do_ioctl+0x170/0x1d8 sock_ioctl+0x484/0x5d8 __arm64_sys_ioctl+0x12c/0x1b8 invoke_syscall+0xd4/0x258 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1b0/0x1b8The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0The buggy address belongs to the physical page:page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000page dumped because: kasan: bad access detectedMemory state around the buggy address: ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8==================================================================Fix it by making sure the copied size only considers the active number ofqueues.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-10158 Severity: Moderate CVSS3 score: 4.3

Description: A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
rsync > 0-0 (version in image is 3.2.7-150600.3.14.1).

CVE-2025-12084 Severity: Moderate CVSS3 score: 4.3

Description: When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-32728 Severity: Moderate CVSS3 score: 4.3

Description: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

Packages affected:

sle-module-desktop-applications-release == 15.6 (version in image is 15.6-150600.37.2).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2025-70873 Severity: Moderate CVSS3 score: 4.3

Description: An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libsqlite3-0 > 0-0 (version in image is 3.50.2-150000.3.33.1).

CVE-2026-21441 Severity: Moderate CVSS3 score: 4.3

Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2026-23180 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:dpaa2-switch: add bounds check for if_id in IRQ handlerThe IRQ handler extracts if_id from the upper 16 bits of the hardwarestatus register and uses it to index into ethsw->ports[] withoutvalidation. Since if_id can be any 16-bit value (0-65535) but the portsarray is only allocated with sw_attr.num_ifs elements, this can lead toan out-of-bounds read potentially.Add a bounds check before accessing the array, consistent with theexisting validation in dpaa2_switch_rx().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23206 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zeroThe driver allocates arrays for ports, FDBs, and filter blocks usingkcalloc() with ethsw->sw_attr.num_ifs as the element count. When thedevice reports zero interfaces (either due to hardware configurationor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)instead of NULL.Later in dpaa2_switch_probe(), the NAPI initialization unconditionallyaccesses ethsw->ports[0]->netdev, which attempts to dereferenceZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.Add a check to ensure num_ifs is greater than zero after retrievingdevice attributes. This prevents the zero-sized allocations andsubsequent invalid pointer dereference.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31393 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before accessl2cap_information_rsp() checks that cmd_len covers the fixedl2cap_info_rsp header (type + result, 4 bytes) but then readsrsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5).A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers anout-of-bounds read of adjacent skb data.Guard each data access with the required payload length check. If thepayload is too short, skip the read and let the state machine completewith safe defaults (feat_mask and remote_fixed_chan remain zero fromkzalloc), so the info timer cleanup and l2cap_conn_start() still runand the connection is not stalled.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2021-37577 Severity: Moderate CVSS3 score: 4.2

Description: Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-35414 Severity: Moderate CVSS3 score: 4.2

Description: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2024-36478 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'Writing 'power' and 'submit_queues' concurrently will trigger kernelpanic:Test script:modprobe null_blk nr_devices=0mkdir -p /sys/kernel/config/nullb/nullb0while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &while true; do echo 1 > power; echo 0 > power; doneTest result:BUG: kernel NULL pointer dereference, address: 0000000000000148Oops: 0000 [#1] PREEMPT SMPRIP: 0010:__lock_acquire+0x41d/0x28f0Call Trace: lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150This is because del_gendisk() can concurrent withblk_mq_update_nr_hw_queues():nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULLFix this problem by resuing the global mutex to protectnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-37861 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queueWhen the task management thread processes reply queues while the resetthread resets them, the task management thread accesses an invalid queue ID(0xFFFF), set by the reset thread, which points to unallocated memory,causing a crash.Add flag 'io_admin_reset_sync' to synchronize access between the reset,I/O, and admin threads. Before a reset, the reset handler sets this flag toblock I/O and admin processing threads. If any thread bypasses the initialcheck, the reset thread waits up to 10 seconds for processing to finish. Ifthe wait exceeds 10 seconds, the controller is marked as unrecoverable.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40187 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0and sctp_ulpevent_make_authkey() returns 0, then the variableai_ev remains zero and the zero will be dereferencedin the sctp_ulpevent_free() function.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-53906 Severity: Moderate CVSS3 score: 4.1

Description: Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-68742 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix invalid prog->stats access when update_effective_progs failsSyzkaller triggers an invalid memory access issue following faultinjection in update_effective_progs. The issue can be described asfollows:__cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog---softirq start---__do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp)---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype])The reason is that fault injection caused update_effective_progs to failand then changed the original prog into dummy_bpf_prog.prog inpurge_effective_progs. Then a softirq came, and accessing the members ofdummy_bpf_prog.prog in the softirq triggers invalid mem access.To fix it, skip updating stats when stats is NULL.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71079 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_writeA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()due to lock ordering inversion between device_lock and rfkill_global_mutex.The problematic lock order is:Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lockThread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutexThis creates a classic ABBA deadlock scenario.Fix this by moving rfkill_unregister() and rfkill_destroy() outside thedevice_lock critical section. Store the rfkill pointer in a local variablebefore releasing the lock, then call rfkill_unregister() after releasingdevice_lock.This change is safe because rfkill_fop_write() holds rfkill_global_mutexwhile calling the rfkill callbacks, and rfkill_unregister() also acquiresrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() willwait for any ongoing callback to complete before proceeding, anddevice_del() is only called after rfkill_unregister() returns, preventingany use-after-free.The similar lock ordering in nfc_register_device() (device_lock ->rfkill_global_mutex via rfkill_register) is safe because duringregistration the device is not yet in rfkill_list, so no concurrentrfkill operations can occur on this device.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23361 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entryEndpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-Xinterrupt to the host using a writel(), which generates a PCI posted writetransaction. There's no completion for posted writes, so the writel() mayreturn before the PCI write completes. dw_pcie_ep_raise_msix_irq() alsounmaps the outbound ATU entry used for the PCI write, so the write raceswith the unmap.If the PCI write loses the race with the ATU unmap, the write may corrupthost memory or cause IOMMU errors, e.g., these when running fio with alarger queue depth against nvmet-pci-epf: arm-smmu-v3 fc900000.iommu: 0x0000010000000010 arm-smmu-v3 fc900000.iommu: 0x0000020000000000 arm-smmu-v3 fc900000.iommu: 0x000000090000f040 arm-smmu-v3 fc900000.iommu: 0x0000000000000000 arm-smmu-v3 fc900000.iommu: event: F_TRANSLATION client: 0000:01:00.0 sid: 0x100 ssid: 0x0 iova: 0x90000f040 ipa: 0x0 arm-smmu-v3 fc900000.iommu: unpriv data write s1 "Input address caused fault" stag: 0x0Flush the write by performing a readl() of the same address to ensure thatthe write has reached the destination before the ATU entry is unmapped.The same problem was solved for dw_pcie_ep_raise_msi_irq() in commit8719c64e76bf ("PCI: dwc: ep: Cache MSI outbound iATU mapping"), but thereit was solved by dedicating an outbound iATU only for MSI. We can't do thesame for MSI-X because each vector can have a different msg_addr and themsg_addr may be changed while the vector is masked.[bhelgaas: commit log]

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31389 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:spi: fix use-after-free on controller registration failureMake sure to deregister from driver core also in the unlikely event thatper-cpu statistics allocation fails during controller registration toavoid use-after-free (of driver resources) and unclocked registeraccesses.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-35177 Severity: Moderate CVSS3 score: 4.1

Description: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-13837 Severity: Moderate CVSS3 score: 4.0

Description: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-66382 Severity: Moderate CVSS3 score: 4.0

Description: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2024-37353 Severity: Moderate CVSS3 score: 3.9

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-28420 Severity: Low CVSS3 score: 3.9

Description: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-6019 Severity: Low CVSS3 score: 3.8

Description: http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2026-0989 Severity: Moderate CVSS3 score: 3.7

Description: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-0988 Severity: Low CVSS3 score: 3.7

Description: A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.28.1).

CVE-2026-27448 Severity: Low CVSS3 score: 3.7

Description: pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python311-pyOpenSSL < 23.2.0-150400.3.13.1 (version in image is 23.2.0-150400.3.10.1).

CVE-2026-41990 Severity: Moderate CVSS3 score: 3.6

Description: Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
grub2 > 0-0 (version in image is 2.12-150600.8.44.2).

CVE-2023-52786 Severity: Low CVSS3 score: 3.6

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix racy may inline data check in dio writesyzbot reports that the following warning from ext4_iomap_begin()triggers as of the commit referenced below: if (WARN_ON_ONCE(ext4_has_inline_data(inode))) return -ERANGE;This occurs during a dio write, which is never expected to encounteran inode with inline data. To enforce this behavior,ext4_dio_write_iter() checks the current inline state of the inodeand clears the MAY_INLINE_DATA state flag to either fall back tobuffered writes, or enforce that any other writers in progress onthe inode are not allowed to create inline data.The problem is that the check for existing inline data and the stateflag can span a lock cycle. For example, if the ilock is originallylocked shared and subsequently upgraded to exclusive, another writermay have reacquired the lock and created inline data before the diowrite task acquires the lock and proceeds.The commit referenced below loosens the lock requirements to allowsome forms of unaligned dio writes to occur under shared lock, butAFAICT the inline data check was technically already racy for anydio write that would have involved a lock cycle. Regardless, liftclearing of the state bit to the same lock critical section thatchecks for preexisting inline data on the inode to close the race.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-35386 Severity: Low CVSS3 score: 3.6

Description: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2025-38047 Severity: Moderate CVSS3 score: 3.4

Description: In the Linux kernel, the following vulnerability has been resolved:x86/fred: Fix system hang during S4 resume with FRED enabledUpon a wakeup from S4, the restore kernel starts and initializes theFRED MSRs as needed from its perspective. It then loads a hibernationimage, including the image kernel, and attempts to load image pagesdirectly into their original page frames used before hibernation unlessthose frames are currently in use. Once all pages are moved to theiroriginal locations, it jumps to a "trampoline" page in the image kernel.At this point, the image kernel takes control, but the FRED MSRs stillcontain values set by the restore kernel, which may differ from thoseset by the image kernel before hibernation. Therefore, the image kernelmust ensure the FRED MSRs have the same values as before hibernation.Since these values depend only on the location of the kernel text anddata, they can be recomputed from scratch.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2024-37078 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:nilfs2: fix potential kernel bug due to lack of writeback flag waitingDestructive writes to a block device on which nilfs2 is mounted can causea kernel bug in the folio/page writeback start routine or writeback endroutine (__folio_start_writeback in the log below): kernel BUG at mm/page-writeback.c:3070! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI ... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Call Trace: nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x80 ret_from_fork_asm+0x1a/0x30 This is because when the log writer starts a writeback for segment summaryblocks or a super root block that use the backing device's page cache, itdoes not wait for the ongoing folio/page writeback, resulting in aninconsistent writeback state.Fix this issue by waiting for ongoing writebacks when puttingfolios/pages on the backing device into writeback state.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-1372 Severity: Moderate CVSS3 score: 3.3

Description: A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
elfutils > 0-0 (version in image is 0.185-150400.5.8.3).

CVE-2025-40057 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:ptp: Add a upper bound on max_vclockssyzbot reported WARNING in max_vclocks_store.This occurs when the argument max is too large for kcalloc to handle.Extend the guard to guard against values that are too large forkcalloc

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23321 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: pm: in-kernel: always mark signal+subflow endp as usedSyzkaller managed to find a combination of actions that was generatingthis warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961 Modules linked in: CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full) Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline] RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline] RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210 Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a RSP: 0018:ffffc90001663880 EFLAGS: 00010293 RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640 R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650 FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0 Call Trace: genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:742 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592 ___sys_sendmsg+0x2de/0x320 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66346f826d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8 R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770 The actions that caused that seem to be: - Set the MPTCP subflows limit to 0 - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags - Create a new MPTCP connection from a different address: an ADD_ADDR linked to the MPTCP endpoint will be sent ('signal' flag), but no subflows is initiated ('subflow' flag) - Remove the MPTCP endpoint---truncated---

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3219 Severity: Moderate CVSS3 score: 3.3

Description: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2024-36957 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-af: avoid off-by-one read from userspaceWe try to access count + 1 byte from userspace with memdup_user(buffer,count + 1). However, the userspace only provides buffer of count bytes andonly these count bytes are verified to be okay to access. To ensure thecopied buffer is NUL terminated, we use memdup_user_nul instead.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-11839 Severity: Low CVSS3 score: 3.3

Description: A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-11840 Severity: Low CVSS3 score: 3.3

Description: A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-11961 Severity: Low CVSS3 score: 3.3

Description: pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libpcap1 > 0-0 (version in image is 1.10.4-150600.3.9.1).

CVE-2025-12781 Severity: Low CVSS3 score: 3.3

Description: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.14-150600.3.44.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-28162 Severity: Low CVSS3 score: 3.3

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2025-28164 Severity: Low CVSS3 score: 3.3

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.3.6.1).

CVE-2025-38549 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error pathsWhen processing mount options, efivarfs allocates efivarfs_fs_info (sfi)early in fs_context initialization. However, sfi is associated with thesuperblock and typically freed when the superblock is destroyed. If thefs_context is released (final put) before fill_super is called-such ason error paths or during reconfiguration-the sfi structure would leak,as ownership never transfers to the superblock.Implement the .free callback in efivarfs_context_ops to ensure anyallocated sfi is properly freed if the fs_context is torn down beforefill_super, preventing this memory leak.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40103 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: Fix refcount leak for cifs_sb_tlinkFix three refcount inconsistency issues related to `cifs_sb_tlink`.Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to becalled after successful calls to `cifs_sb_tlink()`. Three calls fail toupdate refcount accordingly, leading to possible resource leaks.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40153 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:mm: hugetlb: avoid soft lockup when mprotect to large memory areaWhen calling mprotect() to a large hugetlb memory area in our customer'sworkload (~300GB hugetlb memory), soft lockup was observed:watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : mte_clear_page_tags+0x14/0x24lr : mte_sync_tags+0x1c0/0x240sp : ffff80003150bb80x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2cx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000Call trace: mte_clear_page_tags+0x14/0x24 set_huge_pte_at+0x25c/0x280 hugetlb_change_protection+0x220/0x430 change_protection+0x5c/0x8c mprotect_fixup+0x10c/0x294 do_mprotect_pkey.constprop.0+0x2e0/0x3d4 __arm64_sys_mprotect+0x24/0x44 invoke_syscall+0x50/0x160 el0_svc_common+0x48/0x144 do_el0_svc+0x30/0xe0 el0_svc+0x30/0xf0 el0t_64_sync_handler+0xc4/0x148 el0t_64_sync+0x1a4/0x1a8Soft lockup is not triggered with THP or base page because there iscond_resched() called for each PMD size.Although the soft lockup was triggered by MTE, it should be not MTEspecific. The other processing which takes long time in the loop maytrigger soft lockup too.So add cond_resched() for hugetlb to avoid soft lockup.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40160 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:xen/events: Return -EEXIST for bound VIRQsChange find_virq() to return -EEXIST when a VIRQ is bound to adifferent CPU than the one passed in. With that, remove the BUG_ON()from bind_virq_to_irq() to propogate the error upwards.Some VIRQs are per-cpu, but others are per-domain or global. Those mustbe bound to CPU0 and can then migrate elsewhere. The lookup forper-domain and global will probably fail when migrated off CPU 0,especially when the current CPU is tracked. This now returns -EEXISTinstead of BUG_ON().A second call to bind a per-domain or global VIRQ is not expected, butmake it non-fatal to avoid trying to look up the irq, since we don'tknow which per_cpu(virq_to_irq) it will be in.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-69645 Severity: Low CVSS3 score: 3.3

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69649 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69652 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-71125 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Do not register unsupported perf eventsSynthetic events currently do not have a function to register perf events.This leads to calling the tracepoint register functions with a NULLfunction pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7eInstead, have the code return -ENODEV, which doesn't warn and has perferror out with: # perf record -e synthetic:futex_waitError:The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait)."dmesg | grep -i perf" may provide additional information.Ideally perf should support synthetic events, but for now just fix thewarning. The support can come later.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71160 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: avoid chain re-validation if possibleHamza Mahfooz reports cpu soft lock-ups innft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547][..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables][..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables][..]Currently nf_tables will traverse the entire table (chain graph), startingfrom the entry points (base chains), exploring all possible paths(chain jumps). But there are cases where we could avoid revalidation.Consider:1 input -> j2 -> j32 input -> j2 -> j33 input -> j1 -> j2 -> j3Then the second rule does not need to revalidate j2, and, by extension j3,because this was already checked during validation of the first rule.We need to validate it only for rule 3.This is needed because chain loop detection also ensures we do not exceedthe jump stack: Just because we know that j2 is cycle free, its last jumpmight now exceed the allowed stack size. We also need to update allreachable chains with the new largest observed call depth.Care has to be taken to revalidate even if the chain depth won't be anissue: chain validation also ensures that expressions are not called frominvalid base chains. For example, the masquerade expression can only becalled from NAT postrouting base chains.Therefore we also need to keep record of the base chain context (type,hooknum) and revalidate if the chain becomes reachable from a differenthook location.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-71239 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:audit: add fchmodat2() to change attributes classfchmodat2(), introduced in version 6.6 is currently not in the changeattribute class of audit. Calling fchmodat2() to change a fileattribute in the same fashion than chmod() or fchmodat() will bypassaudit rules such as:-w /tmp/test -p rwa -k test_rwaThe current patch adds fchmodat2() to the change attributes class.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-8732 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gettext-runtime > 0-0 (version in image is 0.21.1-150600.3.3.2).

CVE-2026-0965 Severity: Low CVSS3 score: 3.3

Description: A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libssh-config > 0-0 (version in image is 0.9.8-150600.11.6.1).

CVE-2026-1485 Severity: Low CVSS3 score: 3.3

Description: A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
glib2-tools < 2.78.6-150600.4.35.1 (version in image is 2.78.6-150600.4.28.1).

CVE-2026-1757 Severity: Low CVSS3 score: 3.3

Description: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-23023 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:idpf: fix memory leak in idpf_vport_rel()Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memoryduring a reset. Reported by kmemleak:unreferenced object 0xff450acac838a000 (size 4096): comm "kworker/u258:5", pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................ backtrace (crc 3da81902): __kmalloc_cache_noprof+0x469/0x7a0 idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] idpf_init_task+0x1ec/0x8d0 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23032 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:null_blk: fix kmemleak by releasing references to fault configfs itemsWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blkdriver sets up fault injection support by creating the timeout_inject,requeue_inject, and init_hctx_fault_inject configfs items as childrenof the top-level nullbX configfs group.However, when the nullbX device is removed, the references taken tothese fault-config configfs items are not released. As a result,kmemleak reports a memory leak, for example:unreferenced object 0xc00000021ff25c40 (size 32): comm "mkdir", pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ecFix this by explicitly releasing the references to the fault-configconfigfs items when dropping the reference to the top-level nullbXconfigfs group.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23038 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,the function jumps to the out_scratch label without freeing the alreadyallocated dsaddrs list, leading to a memory leak.Fix this by jumping to the out_err_drain_dsaddrs label, which properlyfrees the dsaddrs list before cleaning up other resources.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23083 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:fou: Don't allow 0 for FOU_ATTR_IPPROTO.fou_udp_recv() has the same problem mentioned in the previouspatch.If FOU_ATTR_IPPROTO is set to 0, skb is not freed byfou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().Let's forbid 0 for FOU_ATTR_IPPROTO.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23241 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:audit: add missing syscalls to read classThe "at" variant of getxattr() and listxattr() are missing from theaudit read class. Calling getxattrat() or listxattrat() on a file toread its extended attributes will bypass audit rules such as:-w /tmp/test -p rwa -k test_rwaThe current patch adds missing syscalls to the audit read class.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23258 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Initialize netdev pointer before queue setupIn setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().However, the pointer to this structure is stored in oct->props[i].netdevonly after the calls to netif_set_real_num_rx_queues() andnetif_set_real_num_tx_queues().If either of these functions fails, setup_nic_devices() returns an errorwithout freeing the allocated netdev. Since oct->props[i].netdev is stillNULL at this point, the cleanup function liquidio_destroy_nic_device()will fail to find and free the netdev, resulting in a memory leak.Fix this by initializing oct->props[i].netdev before calling the queuesetup functions. This ensures that the netdev is properly accessible forcleanup in case of errors.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23335 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK};rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().The reserved members of the structure were not zeroed.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-28422 Severity: Low CVSS3 score: 3.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-31391 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: atmel-sha204a - Fix OOM ->tfm_count leakIf memory allocation fails, decrement ->tfm_count to avoid blockingfuture reads.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31416 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_log: account for netlink header sizeThis is a followup to an old bug fix: NLMSG_DONE needs to accountfor the netlink header size, not just the attribute size.This can result in a WARN splat + drop of the netlink message,but other than this there are no ill effects.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-31496 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_expect: skip expectations in other netns via procSkip expectations that do not reside in this netns.Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns'sconntrack entries via proc").

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-3479 Severity: Low CVSS3 score: 3.3

Description: DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-15224 Severity: Moderate CVSS3 score: 3.1

Description: When doing SSH-based transfers using either SCP or SFTP, and asked to dopublic key authentication, curl would wrongly still ask and authenticate usinga locally running SSH agent.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.37.1).

CVE-2026-23339 Severity: Low CVSS3 score: 3.1

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: nci: free skb on nci_transceive early error pathsnci_transceive() takes ownership of the skb passed by the caller,but the -EPROTO, -EINVAL, and -EBUSY error paths return withoutfreeing it.Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changesthe nci/nci_dev selftest hits the error path occasionally in NIPA,and kmemleak detects leaks:unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffies 4295441246 hex dump (first 32 bytes): 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace (crc 7c40cc2a): kmem_cache_alloc_node_noprof+0x492/0x630 __alloc_skb+0x11e/0x5f0 alloc_skb_with_frags+0xc6/0x8f0 sock_alloc_send_pskb+0x326/0x3f0 nfc_alloc_send_skb+0x94/0x1d0 rawsock_sendmsg+0x162/0x4c0 do_syscall_64+0x117/0xfc0

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-35387 Severity: Low CVSS3 score: 3.1

Description: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2024-58251 Severity: Low CVSS3 score: 2.8

Description: In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
iproute2 > 0-0 (version in image is 6.4-150600.7.9.1).

CVE-2024-38603 Severity: Moderate CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()fails, the irq vector is not freed, which leads to a memory leak.Replace the devm_add_action with devm_add_action_or_reset to ensurethe irq vector can be destroyed when it fails.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-66863 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66866 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-3805 Severity: Moderate CVSS3 score: 2.5

Description: When doing a second SMB request to the same host again, curl would wrongly usea data pointer pointing into already freed memory.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
curl < 8.14.1-150600.4.40.1 (version in image is 8.14.1-150600.4.37.1).

CVE-2024-53149 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: typec: ucsi: glink: fix off-by-one in connector_statusUCSI connector's indices start from 1 up to 3, PMIC_GLINK_MAX_PORTS.Correct the condition in the pmic_glink_ucsi_connector_status()callback, fixing Type-C orientation reporting for the third USB-Cconnector.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-13462 Severity: Low CVSS3 score: 2.5

Description: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-1376 Severity: Low CVSS3 score: 2.5

Description: A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
elfutils > 0-0 (version in image is 0.185-150400.5.8.3).

CVE-2025-39737 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()A soft lockup warning was observed on a relative small system x86-64system with 16 GB of memory when running a debug kernel with kmemleakenabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]The test system was running a workload with hot unplug happening inparallel. Then kemleak decided to disable itself due to its inability toallocate more kmemleak objects. The debug kernel has itsCONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.The soft lockup happened in kmemleak_do_cleanup() when the existingkmemleak objects were being removed and deleted one-by-one in a loop via aworkqueue. In this particular case, there are at least 40,000 objectsthat need to be processed and given the slowness of a debug kernel and thefact that a raw_spinlock has to be acquired and released in__delete_object(), it could take a while to properly handle all theseobjects.As kmemleak has been disabled in this case, the object removal anddeletion process can be further optimized as locking isn't really needed. However, it is probably not worth the effort to optimize for such an edgecase that should rarely happen. So the simple solution is to callcond_resched() at periodic interval in the iteration loop to avoid softlockup.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40363 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipv6: fix field-spanning memcpy warning in AH outputFix field-spanning memcpy warnings in ah6_output() andah6_output_done() where extension headers are copied to/from IPv6address fields, triggering fortify-string warnings about writes beyondthe 16-byte address fields. memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16) WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439The warnings are false positives as the extension headers areintentionally placed after the IPv6 header in memory. Fix by properlycopying addresses and extension headers separately, and introducehelper functions to avoid code duplication.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-6075 Severity: Low CVSS3 score: 2.5

Description: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libpython3_11-1_0 < 3.11.15-150600.3.53.1 (version in image is 3.11.14-150600.3.41.2).

CVE-2025-66861 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66864 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66865 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-71084 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/cm: Fix leaking the multicast GID table referenceIf the CM ID is destroyed while the CM event for multicast creating isstill queued the cancel_work_sync() will prevent the work from runningwhich also prevents destroying the ah_attr. This leaks a refcount andtriggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886Destroy the ah_attr after canceling the work, it is safe to call thistwice.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23330 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: nci: complete pending data exchange on device closeIn nci_close_device(), complete any pending data exchange beforeclosing. The data exchange callback (e.g.rawsock_data_exchange_complete) holds a socket reference.NIPA occasionally hits this leak:unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc ec2b3c5): __kmalloc_noprof+0x4db/0x730 sk_prot_alloc.isra.0+0xe4/0x1d0 sk_alloc+0x36/0x760 rawsock_create+0xd1/0x540 nfc_sock_create+0x11f/0x280 __sock_create+0x22d/0x630 __sys_socket+0x115/0x1d0 __x64_sys_socket+0x72/0xd0 do_syscall_64+0x117/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-35388 Severity: Low CVSS3 score: 2.5

Description: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-41080 Severity: Low CVSS3 score: 2.5

Description: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-0967 Severity: Low CVSS3 score: 2.2

Description: A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libssh-config > 0-0 (version in image is 0.9.8-150600.11.6.1).

CVE-2023-20585 Severity: Moderate CVSS3 score: None

Description: Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-38322 Severity: Moderate CVSS3 score: 0.0

Description: In the Linux kernel, the following vulnerability has been resolved:perf/x86/intel: Fix crash in icl_update_topdown_event()The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.The icl_update_topdown_event() should not be invoked on these CPUs.It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")The bug introduced by that commit is that the is_topdown_event() functionis mistakenly used to replace the is_topdown_count() call to check if thetopdown functions for the perf metrics feature should be invoked.Fix it.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default < 6.4.0-150600.23.87.1 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40102 Severity: Moderate CVSS3 score: 0.0

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: arm64: Prevent access to vCPU events before initAnother day, another syzkaller bug. KVM erroneously allows userspace topend vCPU events for a vCPU that hasn't been initialized yet, leading toKVM interpreting a bunch of uninitialized garbage for routing /injecting the exception.In one case the injection code and the hyp disagree on whether the vCPUhas a 32bit EL1 and put the vCPU into an illegal mode for AArch64,tripping the BUG() in exception_target_el() during the next injection: kernel BUG at arch/arm64/kvm/inject_fault.c:40! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT Hardware name: linux,dummy-virt (DT) pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : exception_target_el+0x88/0x8c lr : pend_serror_exception+0x18/0x13c sp : ffff800082f03a10 x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 Call trace: exception_target_el+0x88/0x8c (P) kvm_inject_serror_esr+0x40/0x3b4 __kvm_arm_vcpu_set_events+0xf0/0x100 kvm_arch_vcpu_ioctl+0x180/0x9d4 kvm_vcpu_ioctl+0x60c/0x9f4 __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)Reject the ioctls outright as no sane VMM would call these beforeKVM_ARM_VCPU_INIT anyway. Even if it did the exception would've beenthrown away by the eventual reset of the vCPU's state.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2025-40104 Severity: Moderate CVSS3 score: 0.0

Description: In the Linux kernel, the following vulnerability has been resolved:ixgbevf: fix mailbox API compatibility by negotiating supported featuresThere was backward compatibility in the terms of mailbox API. Variousdrivers from various OSes supporting 10G adapters from Intel portfoliocould easily negotiate mailbox API.This convention has been broken since introducing API 1.4.Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added supportfor IPSec which is specific only for the kernel ixgbe driver. None of therest of the Intel 10G PF/VF drivers supports it. And actually lack ofsupport was not included in the IPSec implementation - there were no suchcode paths. No possibility to negotiate support for the feature wasintroduced along with introduction of the feature itself.Commit 339f28964147 ("ixgbevf: Add support for new mailbox communicationbetween PF and VF") increasing API version to 1.5 did the same - itintroduced code supported specifically by the PF ESX driver. It altered APIversion for the VF driver in the same time not touching the versiondefined for the PF ixgbe driver. It led to additional discrepancies,as the code provided within API 1.6 cannot be supported for Linux ixgbedriver as it causes crashes.The issue was noticed some time ago and mitigated by Jake within the commitd0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5").As a result we have regression for IPsec support and after increasing APIto version 1.6 ixgbevf driver stopped to support ESX MBX.To fix this mess add new mailbox op asking PF driver about supportedfeatures. Basing on a response determine whether to set support for IPSecand ESX-specific enhanced mailbox.New mailbox op, for compatibility purposes, must be added within new APIrevision, as API version of OOT PF & VF drivers is already increased to1.6 and doesn't incorporate features negotiate op.Features negotiation mechanism gives possibility to be extended with newfeatures when needed in the future.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-23463 Severity: Moderate CVSS3 score: 0.0

Description: In the Linux kernel, the following vulnerability has been resolved:soc: fsl: qbman: fix race condition in qman_destroy_fqWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition betweenfq_table[fq->idx] state and freeing/allocating from the pool andWARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL;And adding some logs between qman_release_fqid() andfq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.To prevent that, ensure that fq_table[fq->idx] is set to NULL beforegen_pool_free() is called by using smp_wmb().

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
kernel-default > 0-0 (version in image is 6.4.0-150600.23.84.1).

CVE-2026-4176 Severity: Moderate CVSS3 score: None

Description: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
libz1 > 0-0 (version in image is 1.2.13-150500.4.3.1).

CVE-2025-1377 Severity: Low CVSS3 score: 0.0

Description: A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.12.1).
elfutils > 0-0 (version in image is 0.185-150400.5.8.3).

CVE scan

Summary of CVEs affecting the image: