sles-15-sp7-hardened-byos-v20260520-x86-64 CVE scan on 2026-05-20T06:18:14+00:00

CVE-2026-31709 Severity: Important CVSS3 score: 8.8

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: validate the whole DACL before rewriting it in cifsaclbuild_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from aserver-supplied dacloffset and then use the incoming ACL to rebuild thechmod/chown security descriptor.The original fix only checked that the struct smb_acl header fits beforereading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediateheader-field OOB read, but the rewrite helpers still walk ACEs based onpdacl->num_aces with no structural validation of the incoming DACL body.A malicious server can return a truncated DACL that still contains aheader, claims one or more ACEs, and then drivereplace_sids_and_copy_aces() or set_chmod_dacl() past the validatedextent while they compare or copy attacker-controlled ACEs.Factor the DACL structural checks into validate_dacl(), extend them tovalidate each ACE against the DACL bounds, and use the shared validatorbefore the chmod/chown rebuild paths. parse_dacl() reuses the samevalidator so the read-side parser and write-side rewrite paths agree onwhat constitutes a well-formed incoming DACL.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-46300 Severity: Important CVSS3 score: 8.8

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default < 6.4.0-150700.53.52.1 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-4775 Severity: Important CVSS3 score: 8.6

Description: A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libtiff6 < 4.7.1-150600.3.26.1 (version in image is 4.7.1-150600.3.23.1).

CVE-2026-33747 Severity: Important CVSS3 score: 8.4

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2026-31402 Severity: Important CVSS3 score: 8.2

Description: In the Linux kernel, the following vulnerability has been resolved:nfsd: fix heap overflow in NFSv4.0 LOCK replay cacheThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.This size was calculated based on OPEN responses and does not accountfor LOCK denied responses, which include the conflicting lock owner asa variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).When a LOCK operation is denied due to a conflict with an existing lockthat has a large owner, nfsd4_encode_operation() copies the full encodedresponse into the undersized replay buffer via read_bytes_from_xdr_buf()with no bounds check. This results in a slab-out-of-bounds write of upto 944 bytes past the end of the buffer, corrupting adjacent heap memory.This can be triggered remotely by an unauthenticated attacker with twocooperating NFSv4.0 clients: one sets a lock with a large owner string,then the other requests a conflicting lock to provoke the denial.We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a fullopaque, but that would increase the size of every stateowner, when mostlockowners are not that large.Instead, fix this by checking the encoded response length againstNFSD4_REPLAY_ISIZE before copying into the replay buffer. If theresponse is too large, set rp_buflen to 0 to skip caching the replaypayload. The status is still cached, and the client already received thecorrect response on the original request.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-33845 Severity: Important CVSS3 score: 8.2

Description: A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-43190 Severity: Important CVSS3 score: 8.2

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: xt_tcpmss: check remaining length before reading optlenQuoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43365 Severity: Important CVSS3 score: 8.2

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: fix undersized l_iclog_roundoff valuesIf the superblock doesn't list a log stripe unit, we set the incore logroundoff value to 512. This leads to corrupt logs and unmountablefilesystems in generic/617 on a disk with 4k physical sectors...XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1cXFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.XFS (sda1): failed to locate log tailXFS (sda1): log mount/recovery failed: error -74XFS (sda1): log mount failedXFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1cXFS (sda1): Ending clean mount...on the current xfsprogs for-next which has a broken mkfs. xfs_infoshows this...meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blksnaming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0...observe that the log section has sectsz=4096 sunit=0, which meansthat the roundoff factor is 512, not 4096 as you'd expect. We shouldfix mkfs not to generate broken filesystems, but anyone can fuzz theondisk superblock so we should be more cautious. I think the inadequatelogic predates commit a6a65fef5ef8d0, but that's clearly going torequire a different backport.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-8177 Severity: Important CVSS3 score: 8.2

Description: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
perl-XML-LibXML > 0-0 (version in image is 2.0132-150000.3.3.1).

CVE-2026-31708 Severity: Important CVSS3 score: 8.1

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO pathsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTLand the default QUERY_INFO path. The QUERY_INFO branch clampsqi.input_buffer_length to the server-reported OutputBufferLength and thencopies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, butit never verifies that the flexible-array payload actually fits withinrsp_iov[1].iov_len.A malicious server can return OutputBufferLength larger than the actualQUERY_INFO response, causing copy_to_user() to walk past the responsebuffer and expose adjacent kernel heap to userspace.Guard the QUERY_INFO copy with a bounds check on the actual Bufferpayload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)rather than an open-coded addition so the guard cannot overflow on32-bit builds.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31771 Severity: Important CVSS3 score: 8.1

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_event: move wake reason storage into validated event handlershci_store_wake_reason() is called from hci_event_packet() immediatelyafter stripping the HCI event header but before hci_event_func()enforces the per-event minimum payload length from hci_ev_table.This means a short HCI event frame can reach bacpy() before any boundscheck runs.Rather than duplicating skb parsing and per-event length checks insidehci_store_wake_reason(), move wake-address storage into the individualevent handlers after their existing event-length validation hassucceeded. Convert hci_store_wake_reason() into a small helper that onlystores an already-validated bdaddr while the caller holds hci_dev_lock().Use the same helper after hci_event_func() with a NULL address topreserve the existing unexpected-wake fallback semantics when novalidated event handler records a wake address.Annotate the helper with __must_hold(&hdev->lock) and addlockdep_assert_held(&hdev->lock) so future call paths keep the lockcontract explicit.Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(),hci_sync_conn_complete_evt(), le_conn_complete_evt(),hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), andhci_le_past_received_evt().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-33186 Severity: Important CVSS3 score: 8.1

Description: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
containerd > 0-0 (version in image is 1.7.29-150000.132.1).

CVE-2026-41316 Severity: Important CVSS3 score: 8.1

Description: ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
ruby > 0-0 (version in image is 2.5-1.21).

CVE-2026-6100 Severity: Important CVSS3 score: 8.1

Description: Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Packages affected:

sles-release == 15.7 (version in image is 15.7-150700.67.6.1).
python311 > 0-0 (version in image is 3.11.15-150600.3.53.1).

CVE-2025-71302 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:drm/panthor: fix for dma-fence safe access rulesCommit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and documentthe rules") details the dma-fence safe access rules. The most commonculprit is that drm_sched_fence_get_timeline_name may race withgroup_free_queue.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23558 Severity: Important CVSS3 score: 7.8

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
xen-libs < 4.20.3_02-150700.3.33.1 (version in image is 4.20.2_08-150700.3.28.1).

CVE-2026-31507 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffersmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and storesthe pointer in pipe_buffer.private. The pipe_buf_operations for thesebuffers used .get = generic_pipe_buf_get, which only increments the pagereference count when tee(2) duplicates a pipe buffer. The smc_spd_privpointer itself was not handled, so after tee() both the original and thecloned pipe_buffer share the same smc_spd_priv *.When both pipes are subsequently released, smc_rx_pipe_buf_release() iscalled twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), whichthen escalates to a NULL-pointer dereference and kernel panic viasmc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Kernel panic - not syncing: Fatal exceptionBeyond the memory-safety problem, duplicating an SMC splice buffer issemantically questionable: smc_rx_update_cons() would advance theconsumer cursor twice for the same data, corrupting receive-windowaccounting. A refcount on smc_spd_priv could fix the double-free, butthe cursor-accounting issue would still need to be addressed separately.The .get callback is invoked by both tee(2) and splice_pipe_to_pipe()for partial transfers; both will now return -EFAULT. Users who needto duplicate SMC socket data must use a copy-based read path.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31580 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:bcache: fix cached_dev.sb_bio use-after-free and crashIn our production environment, we have received multiple crash reportsregarding libceph, which have caught our attention:```[6888366.280350] Call Trace:[6888366.280452] blk_update_request+0x14e/0x370[6888366.280561] blk_mq_end_request+0x1a/0x130[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd][6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd][6888366.280903] __complete_request+0x22/0x70 [libceph][6888366.281032] osd_dispatch+0x15e/0xb40 [libceph][6888366.281164] ? inet_recvmsg+0x5b/0xd0[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph][6888366.281405] ceph_con_process_message+0x79/0x140 [libceph][6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph][6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]```After analyzing the coredump file, we found that the address ofdc->sb_bio has been freed. We know that cached_dev is only freed when itis stopped.Since sb_bio is a part of struct cached_dev, rather than an alloc everytime. If the device is stopped while writing to the superblock, thereleased address will be accessed at endio.This patch hopes to wait for sb_write to complete in cached_dev_free.It should be noted that we analyzed the cause of the problem, then tellall details to the QWEN and adopted the modifications it made.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31584 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:media: mediatek: vcodec: fix use-after-free in encoder release pathThe fops_vcodec_release() function frees the context structure (ctx)without first cancelling any pending or running work in ctx->encode_work.This creates a race window where the workqueue handler (mtk_venc_worker)may still be accessing the context memory after it has been freed.Race condition: CPU 0 (release path) CPU 1 (workqueue) --------------------- ------------------ fops_vcodec_release() v4l2_m2m_ctx_release() v4l2_m2m_cancel_job() // waits for m2m job "done" mtk_venc_worker() v4l2_m2m_job_finish() // m2m job "done" // BUT worker still running! // post-job_finish access: other ctx dereferences // UAF if ctx already freed // returns (job "done") kfree(ctx) // ctx freedRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m joblifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.After v4l2_m2m_job_finish() is called, the m2m framework considersthe job complete and v4l2_m2m_ctx_release() returns, but the workerfunction continues executing and may still access ctx.The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctxfields even after calling v4l2_m2m_job_finish().This vulnerability was confirmed with KASAN by running an instrumentedtest module that widens the post-job_finish race window. KASAN detected: BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12 Workqueue: mtk_vcodec_enc_wq mtk_venc_worker Allocated by task 47: __kasan_kmalloc+0x7f/0x90 fops_vcodec_open+0x85/0x1a0 Freed by task 47: __kasan_slab_free+0x43/0x70 kfree+0xee/0x3a0 fops_vcodec_release+0xb7/0x190Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).This ensures the workqueue handler is both cancelled (if pending) andsynchronized (waits for any running handler to complete) before thecontext is freed.Placement rationale: The fix is placed after v4l2_ctrl_handler_free()and before list_del_init(&ctx->list). At this point, all m2m operationsare done (v4l2_m2m_ctx_release() has returned), and we need to ensurethe workqueue is synchronized before removing ctx from the list andfreeing it.Note: The open error path does NOT need cancel_work_sync() becauseINIT_WORK() only initializes the work structure - it does not scheduleit. Work is only scheduled later during device_run() operations.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31602 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: ctxfi: Limit PTP to a single pageCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256playback streams, but the additional pages are not used by the cardcorrectly. The CT20K2 hardware already has multiple VMEM_PTPALregisters, but using them separately would require refactoring theentire virtual memory allocation logic.ct_vm_map() always uses PTEs in vm->ptp[0].area regardless ofCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). Whenaggregate memory allocations exceed this limit, ct_vm_map() tries toaccess beyond the allocated space and causes a page fault: BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7eRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_countremain unchanged.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31694 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:fuse: reject oversized dirents in page cachefuse_add_dirent_to_cache() computes a serialized dirent size from theserver-controlled namelen field and copies the dirent into a singlepage-cache page. The existing logic only checks whether the dirent fitsin the remaining space of the current page and advances to a fresh pageif not. It never checks whether the dirent itself exceeds PAGE_SIZE.As a result, a malicious FUSE server can return a dirent withnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiBpage systems this causes memcpy() to overflow the cache page by 24 bytesinto the following kernel page.Reject dirents that cannot fit in a single page before copying them intothe readdir cache.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43074 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:eventpoll: defer struct eventpoll free to RCU grace periodIn certain situations, ep_free() in eventpoll.c will kfree the epi->epeventpoll struct while it still being used by another concurrent thread.Defer the kfree() to an RCU callback to prevent UAF.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43329 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: flowtable: strictly check for maximum number of actionsThe maximum number of flowtable hardware offload actions in IPv6 is:* ethernet mangling (4 payload actions, 2 for each ethernet address)* SNAT (4 payload actions)* DNAT (4 payload actions)* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.* Redirect (1 action)Which makes 17, while the maximum is 16. But act_ct supports for tunnelsactions too. Note that payload action operates at 32-bit word level, somangling an IPv6 address takes 4 payload actions.Update flow_action_entry_next() calls to check for the maximum number ofsupported actions.While at it, rise the maximum number of actions per flow from 16 to 24so this works fine with IPv6 setups.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43332 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:thermal: core: Fix thermal zone device registration error pathIf thermal_zone_device_register_with_trips() fails after registeringa thermal zone device, it needs to wait for the tz->removal completionlike thermal_zone_device_unregister(), in case user space has managedto take a reference to the thermal zone device's kobject, in which casethermal_release() may not be called by the error path itself and tz maybe freed prematurely.Add the missing wait_for_completion() call to the thermal zone deviceregistration error path.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-46333 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:ptrace: slightly saner 'get_dumpable()' logicThe 'dumpability' of a task is fundamentally about the memory image ofthe task - the concept comes from whether it can core dump or not - andmakes no sense when you don't have an associated mm.And almost all users do in fact use it only for the case where the taskhas a mm pointer.But we have one odd special case: ptrace_may_access() uses 'dumpable' tocheck various other things entirely independently of the MM (typicallyexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including forthreads that no longer have a VM (and maybe never did, like most kernelthreads).It's not what this flag was designed for, but it is what it is.The ptrace code does check that the uid/gid matches, so you do have tobe uid-0 to see kernel thread details, but this means that thetraditional "drop capabilities" model doesn't make any difference forthis all.Make it all make a *bit* more sense by saying that if you don't have aMM pointer, we'll use a cached "last dumpability" flag if the threadever had a MM (it will be zero for kernel threads since it is neverset), and require a proper CAP_SYS_PTRACE capability to override.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default < 6.4.0-150700.53.52.1 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-46483 Severity: Important CVSS3 score: 7.8

Description: Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() inruntime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2026-6846 Severity: Important CVSS3 score: 7.8

Description: A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-31589 Severity: Important CVSS3 score: 7.6

Description: In the Linux kernel, the following vulnerability has been resolved:mm: call ->free_folio() directly in folio_unmap_invalidate()We can only call filemap_free_folio() if we have a reference to (or hold alock on) the mapping. Otherwise, we've already removed the folio from themapping so it no longer pins the mapping and the mapping can be removed,causing a use-after-free when accessing mapping->a_ops.Follow the same pattern as __remove_mapping() and load the free_foliofunction pointer before dropping the lock on the mapping. That lets usmake filemap_free_folio() static as this was the only caller outsidefilemap.c.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31611 Severity: Important CVSS3 score: 7.6

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: require 3 sub-authorities before reading sub_auth[2]parse_dacl() compares each ACE SID against sid_unix_NFS_mode and onmatch reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode isthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() comparesonly min(num_subauth, 2) sub-authorities so a client SID withnum_subauth = 2 and sub_auth = {88, 3} will match.If num_subauth = 2 and the ACE is placed at the very end of the securitydescriptor, sub_auth[2] will be 4 bytes past end_of_acl. Theout-of-band bytes will then be masked to the low 9 bits and applied asthe file's POSIX mode, probably not something that is good to havehappen.Fix this up by forcing the SID to actually carry a third sub-authoritybefore reading it at all.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43350 Severity: Important CVSS3 score: 7.6

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: require a full NFS mode SID before reading mode bitsparse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFSmode SID and reads sid.sub_auth[2] to recover the mode bits.That assumes the ACE carries three subauthorities, but compare_sids()only compares min(a, b) subauthorities. A malicious server can returnan ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which stillmatches sid_unix_NFS_mode and then drives the sub_auth[2] read fourbytes past the end of the ACE.Require num_subauth >= 3 before treating the ACE as an NFS mode SID.This keeps the fix local to the special-SID mode path without changingcompare_sids() semantics for the rest of cifsacl.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-47913 Severity: Important CVSS3 score: 7.5

Description: SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2026-31598 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: fix possible deadlock between unlink and dio_end_io_writeocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,while in ocfs2_dio_end_io_write, it acquires these locks in reverse order.This creates an ABBA lock ordering violation on lock classesocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] andocfs2_file_ip_alloc_sem_key.Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):ocfs2_unlink ocfs2_prepare_orphan_dir ocfs2_lookup_lock_orphan_dir inode_lock(orphan_dir_inode) <- lock A __ocfs2_prepare_orphan_dir ocfs2_prepare_dir_for_insert ocfs2_extend_dir ocfs2_expand_inline_dir down_write(&oi->ip_alloc_sem) <- Lock BLock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):ocfs2_dio_end_io_write down_write(&oi->ip_alloc_sem) <- Lock B ocfs2_del_inode_from_orphan() inode_lock(orphan_dir_inode) <- Lock ADeadlock Scenario: CPU0 (unlink) CPU1 (dio_end_io_write) ------ ------ inode_lock(orphan_dir_inode) down_write(ip_alloc_sem) down_write(ip_alloc_sem) inode_lock(orphan_dir_inode)Since ip_alloc_sem is to protect allocation changes, which is unrelatedwith operations in ocfs2_del_inode_from_orphan. So moveocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31649 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: stmmac: fix integer underflow in chain modeThe jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax;where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax isBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()decides to invoke jumbo_frm() based on skb->len (total length includingpage fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);When a packet has a small linear portion (nopaged_len <= bmax) but alarge total length due to page fragments (skb->len > bmax), thesubtraction wraps as an unsigned integer, producing a huge len value(~0xFFFFxxxx). This causes the while (len != 0) loop to executehundreds of thousands of iterations, passing skb->data + bmax * ipointers far beyond the skb buffer to dma_map_single(). On IOMMU-lessSoCs (the typical deployment for stmmac), this maps arbitrary kernelmemory to the DMA engine, constituting a kernel memory disclosure andpotential memory corruption from hardware.Fix this by introducing a buf_len local variable clamped tomin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is thenalways safe: it is zero when the linear portion fits within a singledescriptor, causing the while (len != 0) loop to be skipped naturally,and the fragment loop in stmmac_xmit() handles page fragments afterward.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31662 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSGThe GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrementsbc_ackers on every inbound group ACK, even when the same member hasalready acknowledged the current broadcast round.Because bc_ackers is a u16, a duplicate ACK received after the lastlegitimate ACK wraps the counter to 65535. Once wrapped,tipc_group_bc_cong() keeps reporting congestion and later groupbroadcasts on the affected socket stay blocked until the group isrecreated.Fix this by ignoring duplicate or stale ACKs before touching bc_acked orbc_ackers. This makes repeated GRP_ACK_MSG handling idempotent andprevents the underflow path.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-33748 Severity: Important CVSS3 score: 7.5

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2026-33846 Severity: Important CVSS3 score: 7.5

Description: A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-34986 Severity: Important CVSS3 score: 7.5

Description: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
containerd > 0-0 (version in image is 1.7.29-150000.132.1).

CVE-2026-35385 Severity: Important CVSS3 score: 7.5

Description: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
openssh < 9.6p1-150600.6.37.1 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-4046 Severity: Important CVSS3 score: 7.5

Description: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
glibc > 0-0 (version in image is 2.38-150600.14.46.1).

CVE-2026-42009 Severity: Important CVSS3 score: 7.5

Description: A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-4224 Severity: Important CVSS3 score: 7.5

Description: When an Expat parser with a registered ElementDeclHandler parses an inlinedocument type definition containing a deeply nested content model a C stackoverflow occurs.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libpython3_6m1_0 < 3.6.15-150300.10.118.1 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-43037 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:ip6_tunnel: clear skb2->cb[] in ip4ip6_err()Oskar Kjos reported the following problem.ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was writtenby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passesIPCB(skb2) to __ip_options_echo(), which interprets that cb[] regionas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoffat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rrvalue. __ip_options_echo() then reads optlen from attacker-controlledpacket data at sptr[rr+1] and copies that many bytes into dopt->__data,a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).To fix this we clear skb2->cb[], as suggested by Oskar Kjos.Also add minimal IPv4 header validation (version == 4, ihl >= 5).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-44431 Severity: Important CVSS3 score: 7.5

Description: urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.24.1).

CVE-2026-7210 Severity: Important CVSS3 score: 7.5

Description: `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.109.1).

CVE-2025-54518 Severity: Important CVSS3 score: 7.4

Description: Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default < 6.4.0-150700.53.52.1 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31685 Severity: Important CVSS3 score: 7.4

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ip6t_eui64: reject invalid MAC header for all packets`eui64_mt6()` derives a modified EUI-64 from the Ethernet source addressand compares it with the low 64 bits of the IPv6 source address.The existing guard only rejects an invalid MAC header when`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`can still reach `eth_hdr(skb)` even when the MAC header is not valid.Fix this by removing the `par->fragoff != 0` condition so that packetswith an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-34743 Severity: Important CVSS3 score: 7.4

Description: XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
liblzma5 > 0-0 (version in image is 5.4.1-150600.3.3.1).

CVE-2026-41035 Severity: Important CVSS3 score: 7.2

Description: In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
rsync > 0-0 (version in image is 3.2.7-150600.3.14.1).

CVE-2026-31613 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix OOB reads parsing symlink error responseWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()returns success without any length validation, leaving the symlinkparsers as the only defense against an untrusted server.symlink_data() walks SMB 3.1.1 error contexts with the loop test "p ErrorId at offset 4 and p->ErrorDataLength at offset0. When the server-controlled ErrorDataLength advances p to within 1-7bytes of end, the next iteration will read past it. When the matchingcontext is found, sym->SymLinkErrorTag is read at offset 4 fromp->ErrorContextData with no check that the symlink header itself fits.smb2_parse_symlink_response() then bounds-checks the substitute nameusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer fromiov_base. That value is computed as sizeof(smb2_err_rsp) +sizeof(smb2_symlink_err_rsp), which is correct only whenErrorContextCount == 0.With at least one error context the symlink data sits 8 bytes deeper,and each skipped non-matching context shifts it further by 8 +ALIGN(ErrorDataLength, 8). The check is too short, allowing thesubstitute name read to run past iov_len. The out-of-bound heap bytesare UTF-16-decoded into the symlink target and returned to userspace viareadlink(2).Fix this all up by making the loops test require the full context headerto fit, rejecting sym if its header runs past end, and bound thesubstitute name against the actual position of sym->PathBuffer ratherthan a fixed offset.Because sub_offs and sub_len are 16bits, the pointer math will notoverflow here with the new greater-than.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31614 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix off-by-8 bounds check in check_wsl_eas()The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EAname and value, but ea_data sits at offset sizeof(structsmb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp()later reads ea->ea_data[0..nlen-1] and the value bytes follow atea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1+ vlen. Isn't pointer math fun?The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the8-byte header is in bounds, but since the last EA is placed within 8bytes of the end of the response, the name and value bytes are read pastthe end of iov.Fix this mess all up by using ea->ea_data as the base for the boundscheck.An "untrusted" server can use this to leak up to 8 bytes of kernel heapinto the EA name comparison and influence which WSL xattr the data isinterpreted as.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-42010 Severity: Important CVSS3 score: 7.1

Description: A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-43120 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: Fix double free related to rereg_user_mrIf IB_MR_REREG_TRANS is set during rereg_user_mr, theumem will be released and a new one will be allocatedin irdma_rereg_mr_trans. If any step of irdma_rereg_mr_transfails after the new umem is allocated, it releases the umem,but does not set iwmr->region to NULL. The problem is thatthis failure is propagated to the user, who will then callibv_dereg_mr (as they should). Then, the dereg_mr path willsee a non-NULL umem and attempt to call ib_umem_release again.Fix this by setting iwmr->region to NULL after ib_umem_release.Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43414 Severity: Important CVSS3 score: 7.1

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Completely fix fcport double freeIn qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().When an error happens, this function is called by qla2x00_sp_release(),when kref_put() releases the first and the last reference.qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().Doing it one more time after kref_put() is a bad idea.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-4786 Severity: Important CVSS3 score: 7.1

Description: Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Packages affected:

sles-release == 15.7 (version in image is 15.7-150700.67.6.1).
python311 > 0-0 (version in image is 3.11.15-150600.3.53.1).

CVE-2025-68324 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: imm: Fix use-after-free bug caused by unfinished delayed workThe delayed work item 'imm_tq' is initialized in imm_attach() andscheduled via imm_queuecommand() for processing SCSI commands. When theIMM parallel port SCSI host adapter is detached through imm_detach(),the imm_struct device instance is deallocated.However, the delayed work might still be pending or executingwhen imm_detach() is called, leading to use-after-free bugswhen the work function imm_interrupt() accesses the alreadyfreed imm_struct memory.The race condition can occur as follows:CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck()imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(...) //USE dev-> //USEAdd disable_delayed_work_sync() in imm_detach() to guarantee propercancellation of the delayed work item before imm_struct is deallocated.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71202 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/sva: invalidate stale IOTLB entries for kernel address spaceIntroduce a new IOMMU interface to flush IOTLB paging cache entries forthe CPU kernel address space. This interface is invoked from the x86architecture code that manages combined user and kernel page tables,specifically before any kernel page table page is freed and reused.This addresses the main issue with vfree() which is a common occurrenceand can be triggered by unprivileged users. While this resolves theprimary problem, it doesn't address some extremely rare case related tomemory unplug of memory that was present as reserved memory at boot, whichcannot be triggered by unprivileged users. The discussion can be found atthe link below.Enable SVA on x86 architecture since the IOMMU can now receivenotification to flush the paging cache before freeing the CPU kernel pagetable pages.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23066 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix recvmsg() unconditional requeueIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call atthe front of the recvmsg queue already has its mutex locked, it requeuesthe call - whether or not the call is already queued. The call may be onthe queue because MSG_PEEK was also passed and so the call was not dequeuedor because the I/O thread requeued it.The unconditional requeue may then corrupt the recvmsg queue, leading tothings like UAFs or refcount underruns.Fix this by only requeuing the call if it isn't already on the queue - andmoving it to the front if it is already queued. If we don't queue it, wehave to put the ref we obtained by dequeuing it.Also, MSG_PEEK doesn't dequeue the call so shouldn't callrxrpc_notify_socket() for the call if we didn't use up all the data on thequeue, so fix that also.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23227 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/freeExynos Virtual Display driver performs memory alloc/free operationswithout lock protection, which easily causes concurrency problem.For example, use-after-free can occur in race scenario like this:``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... ctx->raw_edid = drm_edid; ... drm_mode_getconnector() drm_helper_probe_single_connector_modes() vidi_get_modes() if (ctx->raw_edid) // true drm_edid_dup(ctx->raw_edid); if (!drm_edid) // false ... vidi_connection_ioctl() if (vidi->connection) // false drm_edid_free(ctx->raw_edid); // free drm_edid ... drm_edid_alloc(drm_edid->edid) kmemdup(edid); // UAF!! ...```To prevent these vulns, at least in vidi_context, member variables relatedto memory alloc/free should be protected with ctx->lock.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23239 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:espintcp: Fix race condition in espintcp_close()This issue was discovered during a code audit.After cancel_work_sync() is called from espintcp_close(),espintcp_tx_work() can still be scheduled from paths such asthe Delayed ACK handler or ksoftirqd.As a result, the espintcp_tx_work() worker may dereference afreed espintcp ctx or sk.The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espintcp_write_space() schedule_work(&ctx->work);To prevent this race condition, cancel_work_sync() isreplaced with disable_work_sync().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23240 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tls: Fix race condition in tls_sw_cancel_work_tx()This issue was discovered during a code audit.After cancel_delayed_work_sync() is called from tls_sk_proto_close(),tx_work_handler() can still be scheduled from paths such as theDelayed ACK handler or ksoftirqd.As a result, the tx_work_handler() worker may dereference a freedTLS object.The following is a simple race scenario: cpu0 cpu1tls_sk_proto_close() tls_sw_cancel_work_tx() tls_write_space() tls_sw_write_space() if (!test_and_set_bit(BIT_TX_SCHEDULED, &tx_ctx->tx_bitmask)) set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); cancel_delayed_work_sync(&ctx->tx_work.work); schedule_delayed_work(&tx_ctx->tx_work.work, 0);To prevent this race condition, cancel_delayed_work_sync() isreplaced with disable_delayed_work_sync().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23248 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:perf/core: Fix refcount bug and potential UAF in perf_mmapSyzkaller reported a refcount_t: addition on 0; use-after-free warningin perf_mmap.The issue is caused by a race condition between a failing mmap() setupand a concurrent mmap() on a dependent event (e.g., using outputredirection).In perf_mmap(), the ring_buffer (rb) is allocated and assigned toevent->rb with the mmap_mutex held. The mutex is then released toperform map_range().If map_range() fails, perf_mmap_close() is called to clean up.However, since the mutex was dropped, another thread attaching tothis event (via inherited events or output redirection) can acquirethe mutex, observe the valid event->rb pointer, and attempt toincrement its reference count. If the cleanup path has alreadydropped the reference count to zero, this results in ause-after-free or refcount saturation warning.Fix this by extending the scope of mmap_mutex to cover themap_range() call. This ensures that the ring buffer initializationand mapping (or cleanup on failure) happens atomically effectively,preventing other threads from accessing a half-initialized ordying ring buffer.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23268 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: fix unprivileged local user can do privileged policy managementAn unprivileged local user can load, replace, and remove profiles byopening the apparmorfs interfaces, via a confused deputy attack, bypassing the opened fd to a privileged process, and getting theprivileged process to write to the interface.This does require a privileged target that can be manipulated to dothe write for the unprivileged process, but once such access isachieved full policy management is possible and all the possibleimplications that implies: removing confinement, DoS of system ortarget applications by denying all execution, by-passing theunprivileged user namespace restriction, to exploiting kernel bugs fora local privilege escalation.The policy management interface can not have its permissions simplychanged from 0666 to 0600 because non-root processes need to be ableto load policy to different policy namespaces.Instead ensure the task writing the interface has privileges thatare a subset of the task that opened the interface. This is alreadydone via policy for confined processes, but unconfined can delegateaccess to the opened fd, by-passing the usual policy check.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23392 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: release flowtable after rcu grace period on errorCall synchronize_rcu() after unregistering the hooks from error path,since a hook that already refers to this flowtable can be alreadyregistered, exposing this flowtable to packet path and nfnetlink_hookcontrol plane.This error path is rare, it should only happen by reaching the maximumnumber hooks or by failing to set up to hardware offload, just callsynchronize_rcu().There is a check for already used device hooks by different flowtablethat could result in EEXIST at this late stage. The hook parser can beupdated to perform this check earlier to this error path really becomesrarely exercised.Uncovered by KASAN reported as use-after-free from nfnetlink_hook pathwhen dumping hooks.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23393 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: cfm: Fix race condition in peer_mep deletionWhen a peer MEP is being deleted, cancel_delayed_work_sync() is calledon ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs insoftirq context under rcu_read_lock (without RTNL) and can re-scheduleccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()returning and kfree_rcu() being called.The following is a simple race scenario: cpu0 cpu1mep_delete_implementation() cancel_delayed_work_sync(ccm_rx_dwork); br_cfm_frame_rx() // peer_mep still in hlist if (peer_mep->ccm_defect) ccm_rx_timer_start() queue_delayed_work(ccm_rx_dwork) hlist_del_rcu(&peer_mep->head); kfree_rcu(peer_mep, rcu); ccm_rx_work_expired() // on freed peer_mepTo prevent this, cancel_delayed_work_sync() is replaced withdisable_delayed_work_sync() in both peer MEP deletion paths, sothat subsequent queue_delayed_work() calls from br_cfm_frame_rx()are silently rejected.The cc_peer_disable() helper retains cancel_delayed_work_sync()because it is also used for the CC enable/disable toggle path wherethe work must remain re-schedulable.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23412 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: bpf: defer hook memory release until rcu readers are doneYiming Qian reports UaF when concurrent process is dumping hooks vianfnetlink_hooks:BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0Read of size 8 at addr ffff888003edbf88 by task poc/79Call Trace: nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..]Defer release until after concurrent readers have completed.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23449 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: teql: Fix double-free in teql_master_xmitWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset shouldbe called using the seq_lock to avoid racing with the datapath. Failureto do so may cause crashes like the following:[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318[ 238.029749][ T318][ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011[ 238.029910][ T318] Call Trace:[ 238.029913][ T318] [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)...[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)...[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)...[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)...[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)[ 238.081469][ T318][ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))[ 238.085900][ T318] __kasan_slab_free (mm/---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23450 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].smc_tcp_syn_recv_sock() is called in the TCP receive path(softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCPlistening socket). It reads sk_user_data to get the smc_sockpointer. However, when the SMC listen socket is being closedconcurrently, smc_close_active() sets clcsock->sk_user_datato NULL under sk_callback_lock, and then the smc_sock itselfcan be freed via sock_put() in smc_release().This leads to two issues:1) NULL pointer dereference: sk_user_data is NULL when accessed.2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed.The race window looks like this (the syzkaller crash [1]triggers via the SYN cookie path: tcp_get_cookie_sock() ->smc_tcp_syn_recv_sock(), but the normal tcp_check_req() pathhas the same race): CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash!Note that the clcsock and smc_sock are two independent objectswith separate refcounts. TCP stack holds a reference on theclcsock, which keeps it alive, but this does NOT prevent thesmc_sock from being freed.Fix this by using RCU and refcount_inc_not_zero() to safelyaccess smc_sock. Since smc_tcp_syn_recv_sock() is called inthe TCP three-way handshake path, taking read_lock_bh onsk_callback_lock is too heavy and would not survive a SYNflood attack. Using rcu_read_lock() is much more lightweight.- Set SOCK_RCU_FREE on the SMC listen socket so that smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock().- Use rcu_read_lock() to protect reading sk_user_data.- Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely.Note: smc_hs_congested() has a similar lockless read ofsk_user_data without rcu_read_lock(), but it only checks forNULL and accesses the global smc_hs_wq, never dereferencingany smc_sock field, so it is not affected.Reproducer was verified with mdelay injection and smc_run,the issue no longer occurs with this patch applied.[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23458 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for thenetlink dump callback ctnetlink_exp_ct_dump_table(), but drops theconntrack reference immediately after netlink_dump_start(). When thedump spans multiple rounds, the second recvmsg() triggers the dumpcallback which dereferences the now-freed conntrack via nfct_help(ct),leading to a use-after-free on ct->ext.The bug is that the netlink_dump_control has no .start or .donecallbacks to manage the conntrack reference across dump rounds. Otherdump functions in the same file (e.g. ctnetlink_get_conntrack) properlyuse .start/.done callbacks for this purpose.Fix this by adding .start and .done callbacks that hold and release theconntrack reference for the duration of the dump, and move thenfct_help() call after the cb->args[0] early-return check in the dumpcallback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23471 Severity: Important CVSS3 score: 7.0

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31403 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fdThe /proc/fs/nfs/exports proc entry is created at module initand persists for the module's lifetime. exports_proc_open()captures the caller's current network namespace and storesits svc_export_cache in seq->private, but takes no referenceon the namespace. If the namespace is subsequently torn down(e.g. container destruction after the opener does setns() to adifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()which frees the cache. Subsequent reads on the still-open fddereference the freed cache_detail, walking a freed hash table.Hold a reference on the struct net for the lifetime of the openfile descriptor. This prevents nfsd_net_exit() from running --and thus prevents nfsd_export_shutdown() from freeing the cache-- while any exports fd is open. cache_detail already storesits net pointer (cd->net, set by cache_create_net()), soexports_release() can retrieve it without additional per-filestorage.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31419 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net: bonding: fix use-after-free in bond_xmit_broadcast()bond_xmit_broadcast() reuses the original skb for the last slave(determined by bond_is_last_slave()) and clones it for others.Concurrent slave enslave/release can mutate the slave list duringRCU-protected iteration, changing which slave is "last" mid-loop.This causes the original skb to be double-consumed (double-freed).Replace the racy bond_is_last_slave() check with a simple indexcomparison (i + 1 == slaves_count) against the pre-snapshot slavecount taken via READ_ONCE() before the loop. This preserves thezero-copy optimization for the last slave while making the "last"determination stable against concurrent list mutations.The UAF can trigger the following crash:==================================================================BUG: KASAN: slab-use-after-free in skb_cloneRead of size 8 at addr ffff888100ef8d40 by task exploit/147CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZYCall Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) ip6_output (net/ipv6/ip6_output.c:250) ip6_send_skb (net/ipv6/ip6_output.c:1985) udp_v6_send_skb (net/ipv6/udp.c:1442) udpv6_sendmsg (net/ipv6/udp.c:1733) __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Allocated by task 147:Freed by task 147:The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)Memory state around the buggy address: ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb==================================================================

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31500 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lockbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESETand Intel exception-info retrieval) without holdinghci_req_sync_lock(). This lets it race againsthci_dev_do_close() -> btintel_shutdown_combined(), which also runs__hci_cmd_sync() under the same lock. When both paths manipulatehdev->req_status/req_rsp concurrently, the close path may free theresponse skb first, and the still-running hw_error path hits aslab-use-after-free in kfree_skb().Wrap the whole recovery sequence in hci_req_sync_lock/unlock so itis serialized with every other synchronous HCI command issuer.Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31504 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net: fix fanout UAF in packet_release() via NETDEV_UP race`packet_release()` has a race window where `NETDEV_UP` can re-register asocket into a fanout group's `arr[]` array. The re-registration is notcleaned up by `fanout_release()`, leaving a dangling pointer in the fanoutarray.`packet_release()` does NOT zero `po->num` in its `bind_lock` section.After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`that already found the socket in `sklist` can re-register the hook.For fanout sockets, this re-registration calls `__fanout_link(sk, po)`which adds the socket back into `f->arr[]` and increments `f->num_members`,but does NOT increment `f->sk_ref`.The fix sets `po->num` to zero in `packet_release` while `bind_lock` isheld to prevent NETDEV_UP from linking, preventing the race window.This bug was found following an additional audit with Claude Code basedon CVE-2025-38617.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31505 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since thevalue could change in runtime, we should use num_tx_queues instead.Moreover iavf_get_ethtool_stats() uses num_active_queues whileiavf_get_sset_count() and iavf_get_stat_strings() usereal_num_tx_queues, which triggers out-of-bounds writes when we do"ethtool -L" and "ethtool -S" simultaneously [1].For example when we change channels from 1 to 8, Thread 3 could bescheduled before Thread 2, and out-of-bounds writes could be triggeredin Thread 3:Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)iavf_set_channels()...iavf_alloc_queues()-> num_active_queues = 8iavf_schedule_finish_config() iavf_get_sset_count() real_num_tx_queues: 1 -> buffer for 1 queue iavf_get_ethtool_stats() num_active_queues: 8 -> out-of-bounds! iavf_finish_config() -> real_num_tx_queues = 8Use immutable num_tx_queues in all related functions to avoid the issue.[1] BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800 CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x180 iavf_add_one_ethtool_stat+0x200/0x270 iavf_get_ethtool_stats+0x14c/0x2e0 __dev_ethtool+0x3d0c/0x5830 dev_ethtool+0x12d/0x270 dev_ioctl+0x53c/0xe30 sock_do_ioctl+0x1a9/0x270 sock_ioctl+0x3d4/0x5e0 __x64_sys_ioctl+0x137/0x1c0 do_syscall_64+0xf3/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7da0e6e36d ... The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813a013de0 pfn:0x13a013 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31528 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:perf: Make sure to use pmu_ctx->pmu for groupsOliver reported that x86_pmu_del() ended up doing an out-of-bound memory accesswhen group_sched_in() fails and needs to roll back.This *should* be handled by the transaction callbacks, but he found that whenthe group leader is a software event, the transaction handlers of the wrong PMUare used. Despite the move_group case in perf_event_open() and group_sched_in()using pmu_ctx->pmu.Turns out, inherit uses event->pmu to clone the events, effectively undoing themove_group case for all inherited contexts. Fix this by also making inherit usepmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.Similarly, __perf_event_read() should use equally use pmu_ctx->pmu for thegroup case.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31533 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/tls: fix use-after-free in -EBUSY error path of tls_do_encryptionThe -EBUSY handling in tls_do_encryption(), introduced by commit859054147318 ("net: tls: handle backlogging of crypto requests"), hasa use-after-free due to double cleanup of encrypt_pending and thescatterlist entry.When crypto_aead_encrypt() returns -EBUSY, the request is enqueued tothe cryptd backlog and the async callback tls_encrypt_done() will beinvoked upon completion. That callback unconditionally restores thescatterlist entry (sge->offset, sge->length) and decrementsctx->encrypt_pending. However, if tls_encrypt_async_wait() returns anerror, the synchronous error path in tls_do_encryption() performs thesame cleanup again, double-decrementing encrypt_pending anddouble-restoring the scatterlist.The double-decrement corrupts the encrypt_pending sentinel (initializedto 1), making tls_encrypt_async_wait() permanently skip the wait forpending async callbacks. A subsequent sendmsg can then free thetls_rec via bpf_exec_tx_verdict() while a cryptd callback is stillpending, resulting in a use-after-free when the callback fires on thefreed record.Fix this by skipping the synchronous cleanup when the -EBUSY asyncwait returns an error, since the callback has already handledencrypt_pending and sge restoration.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31535 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: make use of smbdirect_socket.recv_io.credits.availableThe logic off managing recv credits by counting posted recv_io andgranted credits is racy.That's because the peer might already consumed a credit,but between receiving the incoming recv at the hardwareand processing the completion in the 'recv_done' functionswe likely have a window where we grant credits, whichdon't really exist.So we better have a decicated counter for theavailable credits, which will be incrementedwhen we posted new recv buffers and drained whenwe grant the credits to the peer.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31555 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:futex: Clear stale exiting pointer in futex_lock_pi() retry pathFuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSYand stores a refcounted task pointer in 'exiting'.After wait_for_owner_exiting() consumes that reference, the local pointeris never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns adifferent error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting)Fix this by resetting upon retry, essentially aligning it with requeue_pi.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31583 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:media: em28xx: fix use-after-free in em28xx_v4l2_open()em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,creating a race with em28xx_v4l2_init()'s error path andem28xx_v4l2_fini(), both of which free the em28xx_v4l2 structand set dev->v4l2 to NULL under dev->lock.This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL.Fix this by moving the mutex_lock() before the dev->v4l2 read andadding a NULL check for dev->v4l2 under the lock.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31586 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesseswb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the lastreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences thepointer to access blkcg->online_pin, resulting in a use-after-free: BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)** Stack based on commit 66672af7a095 ("Add linux-next specific filesfor 20260410")I am seeing this crash sporadically in Meta fleet across multiple kernelversions. A full reproducer is available at:https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh(The race window is narrow. To make it easily reproducible, inject amsleep(100) between css_put() and blkcg_unpin_online() incgwb_release_workfn(). With that delay and a KASAN-enabled kernel, thereproducer triggers the splat reliably in less than a second.)Fix this by moving blkcg_unpin_online() before css_put(), so thecgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()accesses it.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31588 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86: Use scratch field in MMIO fragment to hold small write valuesWhen exiting to userspace to service an emulated MMIO write, copy theto-be-written value to a scratch field in the MMIO fragment if the sizeof the data payload is 8 bytes or less, i.e. can fit in a single chunk,instead of pointing the fragment directly at the source value.This fixes a class of use-after-free bugs that occur when the emulatorinitiates a write using an on-stack, local variable as the source, thewrite splits a page boundary, *and* both pages are MMIO pages. BecauseKVM's ABI only allows for physically contiguous MMIO requests, accessesthat split MMIO pages are separated into two fragments, and are sent touserspace one at a time. When KVM attempts to complete userspace MMIO inresponse to KVM_RUN after the first fragment, KVM will detect the secondfragment and generate a second userspace exit, and reference the on-stackvariable.The issue is most visible if the second KVM_RUN is performed by a separatetask, in which case the stack of the initiating task can show up as trulyfreed data. ================================================================== BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420 Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984 CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0xbe/0xfd print_address_description.constprop.0+0x19/0x170 __kasan_report.cold+0x6c/0x84 kasan_report+0x3a/0x50 check_memory_region+0xfd/0x1f0 memcpy+0x20/0x60 complete_emulated_mmio+0x305/0x420 kvm_arch_vcpu_ioctl_run+0x63f/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscall_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 RIP: 0033:0x42477d Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005 RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720 The buggy address belongs to the page: page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================The bug can also be reproduced with a targeted KVM-Unit-Test by hackingKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. byoverwrite the data value with garbage.Limit the use of the scratch fields to 8-byte or smaller accesses, and tojust writes, as larger accesses and reads are not affected thanks toimplementation details in the emulator, but add a sanity check to ensurethose details don't change in the future. Specifically, KVM never useson-stack variables for accesses larger that 8 bytes, e.g. uses an operandin the emulator context, and *al---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31669 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: fix slab-use-after-free in __inet_lookup_establishedThe ehash table lookups are lockless and rely onSLAB_TYPESAFE_BY_RCU to guarantee socket memory stabilityduring RCU read-side critical sections. Both tcp_prot andtcpv6_prot have their slab caches created with this flagvia proto_register().However, MPTCP's mptcp_subflow_init() copies tcpv6_prot intotcpv6_prot_override during inet_init() (fs_initcall, level 5),before inet6_init() (module_init/device_initcall, level 6) hascalled proto_register(&tcpv6_prot). At that point,tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slabremains NULL permanently.This causes MPTCP v6 subflow child sockets to be allocated viakmalloc (falling into kmalloc-4k) instead of the TCPv6 slabcache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, sowhen these sockets are freed without SOCK_RCU_FREE (which iscleared for child sockets by design), the memory can beimmediately reused. Concurrent ehash lookups underrcu_read_lock can then access freed memory, triggering aslab-use-after-free in __inet_lookup_established.Fix this by splitting the IPv6-specific initialization out ofmptcp_subflow_init() into a new mptcp_subflow_v6_init(), calledfrom mptcp_proto_v6_init() before protocol registration. Thisensures tcpv6_prot_override.slab correctly inherits theSLAB_TYPESAFE_BY_RCU slab cache.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31700 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr pointsdirectly into the mmap'd TX ring buffer shared with userspace. Thekernel validates the header via __packet_snd_vnet_parse() but thenre-reads all fields later in virtio_net_hdr_to_skb(). A concurrentuserspace thread can modify the vnet_hdr fields between validationand use, bypassing all safety checks.The non-TPACKET path (packet_snd()) already correctly copies vnet_hdrto a stack-local variable. All other vnet_hdr consumers in the kernel(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TXpath is the only caller of virtio_net_hdr_to_skb() that reads directlyfrom user-controlled shared memory.Fix this by copying vnet_hdr from the mmap'd ring buffer to astack-local variable before validation and use, consistent with theapproach used in packet_snd() and all other callers.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31738 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:vxlan: validate ND option lengths in vxlan_na_createvxlan_na_create() walks ND options according to option-providedlengths. A malformed option can make the parser advance beyond thecomputed option span or use a too-short source LLADDR option payload.Validate option lengths against the remaining NS option area beforeadvancing, and only read source LLADDR when the option is large enoughfor an Ethernet address.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-41257 Severity: Important CVSS3 score: 7.0

Description: jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ~1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-43025 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: ignore explicit helper on new expectationsUse the existing master conntrack helper, anything else is not reallysupported and it just makes validation more complicated, so just ignorewhat helper userspace suggests for this expectation.This was uncovered when validating CTA_EXPECT_CLASS via different helperprovided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350Allowing to read kernel memory bytes off the expectation boundary.CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspacevia netlink dump.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43027 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_helper: pass helper to expect cleanupnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()to remove expectations belonging to the helper being unregistered.However, it passes NULL instead of the helper pointer as the dataargument, so expect_iter_me() never matches any expectation and allof them survive the cleanup.After unregister returns, nfnl_cthelper_del() frees the helperobject immediately. Subsequent expectation dumps or packet-driveninit_conntrack() calls then dereference the freed exp->helper,causing a use-after-free.Pass the actual helper pointer so expectations referencing it areproperly destroyed before the helper object is freed. BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seq_printf+0x17a/0x240 exp_seq_show+0x2e5/0x560 seq_read_iter+0x419/0x1280 proc_reg_read+0x1ac/0x270 vfs_read+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43050 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:atm: lec: fix use-after-free in sock_def_readable()A race condition exists between lec_atm_close() setting priv->lecdto NULL and concurrent access to priv->lecd in send_to_lecd(),lec_handle_bridge(), and lec_atm_send(). When the socket is freedvia RCU while another thread is still using it, a use-after-freeoccurs in sock_def_readable() when accessing the socket's wait queue.The root cause is that lec_atm_close() clears priv->lecd withoutany synchronization, while callers dereference priv->lecd withoutany protection against concurrent teardown.Fix this by converting priv->lecd to an RCU-protected pointer:- Mark priv->lecd as __rcu in lec.h- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment- Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach()- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd- Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock.- Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43126 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: mixer: oss: Add card disconnect checkpointsALSA OSS mixer layer calls the kcontrol ops rather individually, andpending calls might be not always caught at disconnecting the device.For avoiding the potential UAF scenarios, add sanity checks of thecard disconnection at each entry point of OSS mixer accesses. Therwsem is taken just before that check, hence the rest context shouldbe covered by that properly.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43153 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: remove xfs_attr_leaf_hasnameThe calling convention of xfs_attr_leaf_hasname() is problematic, becauseit returns a NULL buffer when xfs_attr3_leaf_read fails, a valid bufferwhen xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and anon-NULL buffer pointer for an already released buffer whenxfs_attr3_leaf_lookup_int fails with other error values.Fix this by simply open coding xfs_attr_leaf_hasname in the callers, sothat the buffer release code is done by each caller ofxfs_attr3_leaf_read.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43198 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: fix potential race in tcp_v6_syn_recv_sock()Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()is done too late.After tcp_v4_syn_recv_sock(), the child socket is already visiblefrom TCP ehash table and other cpus might use it.Since newinet->pinet6 is still pointing to the listener ipv6_pinfobad things can happen as syzbot found.Move the problematic code in tcp_v6_mapped_child_init()and call this new helper from tcp_v4_syn_recv_sock() beforethe ehash insertion.This allows the removal of one tcp_sync_mss(), sincetcp_v4_syn_recv_sock() will call it with the correctcontext.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43214 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()Add SRCU read-side protection when reading PDPTR registers in__get_sregs2().Reading PDPTRs may trigger access to guest memory:kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() ->kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot()kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(),which uses srcu_dereference_check() and requires either kvm->srcu orkvm->slots_lock to be held. Currently only vcpu->mutex is held,triggering lockdep warning:=============================WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot6.12.59+ #3 Not taintedinclude/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage!other info that might help us debug this:rcu_scheduler_active = 2, debug_locks = 11 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7fFound by Linux Verification Center (linuxtesting.org) with Syzkaller.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43366 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/kbuf: check if target buffer list is still legacy on recycleThere's a gap between when the buffer was grabbed and when itpotentially gets recycled, where if the list is empty, someone could'veupgraded it to a ring provided type. This can happen if the requestis forced via io-wq. The legacy recycling is missing checking if thebuffer_list still exists, and if it's of the correct type. Add thosechecks.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43421 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_ncm: Fix net_device lifecycle with device_moveThe network device outlived its parent gadget device duringdisconnection, resulting in dangling sysfs links and null pointerdereference problems.A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]was reverted due to power management ordering concerns and a NO-CARRIERregression.A subsequent attempt to defer net_device allocation to bind [2] broke1:1 mapping between function instance and network device, making itimpossible for configfs to report the resolved interface name. Thisresults in a regression where the DHCP server fails on pmOS.Use device_move to reparent the net_device between the gadget device and/sys/devices/virtual/ across bind/unbind cycles. This preserves thenetwork interface across USB reconnection, allowing the DHCP server toretain their binding.Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use__free(detach_gadget) macro to undo attachment on bind failure. Thebind_count ensures device_move executes only on the first bind.[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-4519 Severity: Moderate CVSS3 score: 6.9

Description: The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libpython3_6m1_0 < 3.6.15-150300.10.118.1 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-5958 Severity: Moderate CVSS3 score: 6.9

Description: When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written,2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.This issue was fixed in version 4.10.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
sed < 4.9-150600.3.3.1 (version in image is 4.9-150600.1.4).

CVE-2026-31612 Severity: Moderate CVSS3 score: 6.8

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: validate EaNameLength in smb2_get_ea()smb2_get_ea() reads ea_req->EaNameLength from the client request andpasses it directly to strncmp() as the comparison length withoutverifying that the length of the name really is the size of the inputbuffer received.Fix this up by properly checking the size of the name based on the valuereceived and the overall size of the request, to prevent a laterstrncmp() call to use the length as a "trusted" size of the buffer.Without this check, uninitialized heap values might be slowly leaked tothe client.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-32316 Severity: Moderate CVSS3 score: 6.8

Description: jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2025-40216 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/rsrc: don't rely on user vaddr alignmentThere is no guaranteed alignment for user pointers, however thecalculation of an offset of the first page into a folio after coalescinguses some weird bit mask logic, get rid of it.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-22980 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:nfsd: provide locking for v4_end_graceWriting to v4_end_grace can race with server shutdown and result inmemory being accessed after it was freed - reclaim_str_hashtbl inparticularly.We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that isheld while client_tracking_op->init() is called and that can wait foran upcall to nfsdcltrack which can write to v4_end_grace, resulting in adeadlock.nfsd4_end_grace() is also called by the landromat work queue and thisdoesn't require locking as server shutdown will stop the work and waitfor it before freeing anything that nfsd4_end_grace() might access.However, we must be sure that writing to v4_end_grace doesn't restartthe work item after shutdown has already waited for it. For this weadd a new flag protected with nn->client_lock. It is set only while itis safe to make client tracking calls, and v4_end_grace only scheduleswork while the flag is set with the spinlock held.So this patch adds a nfsd_net field "client_tracking_active" which isset as described. Another field "grace_end_forced", is set whenv4_end_grace is written. After this is set, and providingclient_tracking_active is set, the laundromat is scheduled.This "grace_end_forced" field bypasses other checks for whether thegrace period has finished.This resolves a race which can result in use-after-free.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31597 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRYfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."When this happens, a concurrent munmap() can call remove_vma() and freethe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() thenbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() calldereferences it -- a use-after-free.Fix this by saving ip_blkno as a plain integer before callingfilemap_fault(), and removing vma from the trace event. Sinceip_blkno is copied by value before the lock can be dropped, itremains valid regardless of what happens to the vma or inodeafterward.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31627 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:i2c: s3c24xx: check the size of the SMBUS message before using itThe first byte of an i2c SMBUS message is the size, and it should beverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAXbefore processing it.This is the same logic that was added in commit a6e04f05ce0b ("i2c:tegra: check msg length in SMBUS block read") to the i2c tegra driver.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31679 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:openvswitch: validate MPLS set/set_masked payload lengthvalidate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload forSET/SET_MASKED actions. In action handling, OVS expects fixed-sizeMPLS key data (struct ovs_key_mpls).Use the already normalized key_len (masked case included) and rejectnon-matching MPLS action key sizes.Reject invalid MPLS action payload lengths early.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31686 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:mm/kasan: fix double free for kasan pXdskasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case ofpowerpc with 64K pagesize, PUD table (of size 4096) comes from slab cachenamed pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's justdirectly pass the start of the pxd table which is passed as the 1stargument.This fixes the below double free kasan issue seen with PMEM:radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages==================================================================BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20Free of addr c0000003c38e0000 by task ndctl/2164CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARYHardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeriesCall Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec---- interrupt: 3000 at 0x7fff93b3d3f4NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)MSR: 800000000280f033 CR: 48888208 XER: 00000000<...>NIP [00007fff93b3d3f4] 0x7fff93b3d3f4LR [00007fff93b3d3f4] 0x7fff93b3d3f4---- interrupt: 3000 The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected[ 138.953636] [ T2164] Memory state around the buggy address:[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[ 138.953669] [ T2164] ^[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[ 138.953692] [ T2164] ==================================================================[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43076 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: validate inline data i_size during inode readWhen reading an inode from disk, ocfs2_validate_inode_block() performsvarious sanity checks but does not validate the size of inline data. Ifthe filesystem is corrupted, an inode's i_size can exceed the actualinline data capacity (id_count).This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline databuffer, triggering a use-after-free when accessing directory entries fromfreed memory.In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry()Fix by adding a validation check in ocfs2_validate_inode_block() to ensureinodes with inline data have i_size <= id_count. This catches thecorruption early during inode read and prevents all downstream code fromoperating on invalid data.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31786 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:Buffer overflow in drivers/xen/sys-hypervisor.cThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) isneither NUL terminated nor a string.The first causes a buffer overflow as sprintf in buildid_show willread and copy till it finds a NUL.00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|00000017So use a memcpy instead of sprintf to have the correct value:00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|00000010 b9 a8 01 42 |...B|00000014(the above have a hack to embed a zero inside and check it'sreturned correctly).This is XSA-485 / CVE-2026-31786

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-40612 Severity: Moderate CVSS3 score: 6.6

Description: jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-41411 Severity: Moderate CVSS3 score: 6.6

Description: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2026-43359 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix transaction abort on set received ioctl due to item overflowIf the set received ioctl fails due to an item overflow when attempting toadd the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transactionsince we did some metadata updates before.This means that if a user calls this ioctl with the same received UUIDfield for a lot of subvolumes, we will hit the overflow, trigger thetransaction abort and turn the filesystem into RO mode. A malicious usercould exploit this, and this ioctl does not even requires that a userhas admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.Fix this by doing an early check for item overflow before starting atransaction. This is also race safe because we are holding the subvol_semsemaphore in exclusive (write) mode.A test case for fstests will follow soon.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-45130 Severity: Moderate CVSS3 score: 6.6

Description: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2026-23223 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: fix UAF in xchk_btree_check_block_ownerWe cannot dereference bs->cur when trying to determine if bs->curaliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.Fix this by sampling before type before any freeing could happen.The correct temporal ordering was broken when we removed xfs_btnum_t.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23276 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: add xmit recursion limit to tunnel xmit functionsTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their ownrecursion limit. When a bond device in broadcast mode has GRE tapinterfaces as slaves, and those GRE tunnels route back through thebond, multicast/broadcast traffic triggers infinite recursion betweenbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causingkernel stack overflow.The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is notsufficient because tunnel recursion involves route lookups and full IPoutput, consuming much more stack per level. Use a lower limit of 4(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.Add recursion detection using dev_xmit_recursion helpers directly iniptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnelpaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).Move dev_xmit_recursion helpers from net/core/dev.h to public headerinclude/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23395 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQCurrently the code attempts to accept requests regardless of thecommand identifier which may cause multiple requests to be markedas pending (FLAG_DEFER_SETUP) which can cause more thanL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defercausing an overflow.The spec is quite clear that the same identifier shall not be used onsubsequent requests:'Within each signaling channel a different Identifier shall be usedfor each successive request or indication.'https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355dSo this attempts to check if there are any channels pending with thesame identifier and rejects if any are found.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23396 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: fix NULL deref in mesh_matches_local()mesh_matches_local() unconditionally dereferences ie->mesh_config tocompare mesh configuration parameters. When called frommesh_rx_csa_frame(), the parsed action-frame elements may not contain aMesh Configuration IE, leaving ie->mesh_config NULL and triggering akernel NULL pointer dereference.The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, toomesh_rx_csa_frame() is the only caller that passes raw parsed elementsto mesh_matches_local() without guarding mesh_config. An adjacentattacker can exploit this by sending a crafted CSA action frame thatincludes a valid Mesh ID IE but omits the Mesh Configuration IE,crashing the kernel.The captured crash log:Oops: general protection fault, probably for non-canonical address ...KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]Workqueue: events_unbound cfg80211_wiphy_work[...]Call Trace: ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) This patch adds a NULL check for ie->mesh_config at the top ofmesh_matches_local() to return false early when the Mesh ConfigurationIE is absent.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23401 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTEWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping theexisting SPTE (if it's shadow-present). While commit a54aa15c6bda3 wasright about it being impossible to convert a shadow-present SPTE to anMMIO SPTE due to a _guest_ write, it failed to account for writes to guestmemory that are outside the scope of KVM.E.g. if host userspace modifies a shadowed gPTE to switch from a memslotto emulted MMIO and then the guest hits a relevant page fault, KVM willinstall the MMIO SPTE without first zapping the shadow-present SPTE. ------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f ---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23442 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: add NULL checks for idev in SRv6 paths__in6_dev_get() can return NULL when the device has no IPv6 configuration(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).Add NULL checks for idev returned by __in6_dev_get() in bothseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULLpointer dereferences.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23557 Severity: Moderate CVSS3 score: 6.5

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
xen-libs < 4.20.3_02-150700.3.33.1 (version in image is 4.20.2_08-150700.3.28.1).

CVE-2026-31470 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:virt: tdx-guest: Fix handling of host controlled 'quote' buffer lengthValidate host controlled value `quote_buf->out_len` that determines howmany bytes of the quote are copied out to guest userspace. In TDXenvironments with remote attestation, quotes are not considered private,and can be forwarded to an attestation server.Catch scenarios where the host specifies a response length larger thanthe guest's allocation, or otherwise races modifying the response whilethe guest consumes it.This prevents contents beyond the pages allocated for `quote_buf`(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,and possibly forwarded in attestation requests.Recall that some deployments want per-container configs-tsm-reportinterfaces, so the leak may cross container protection boundaries, notjust local root.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31591 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finishLock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, asallowing userspace to manipulate and/or run a vCPU while its state is beingsynchronized would at best corrupt vCPU state, and at worst crash the hostkernel.Opportunistically assert that vcpu->mutex is held when synchronizing itsVMSA (the SEV-ES path already locks vCPUs).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31684 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: act_csum: validate nested VLAN headerstcf_csum_act() walks nested VLAN headers directly from skb->data when anskb still carries in-payload VLAN tags. The current code readsvlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes withoutfirst ensuring that the full VLAN header is present in the linear area.If only part of an inner VLAN header is linearized, accessingh_vlan_encapsulated_proto reads past the linear area, and the followingskb_pull(VLAN_HLEN) may violate skb invariants.Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing andpulling each nested VLAN header. If the header still is not fullyavailable, drop the packet through the existing error path.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-3497 Severity: Moderate CVSS3 score: 6.5

Description: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Packages affected:

sle-module-desktop-applications-release == 15.7 (version in image is 15.7-150700.28.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-34978 Severity: Moderate CVSS3 score: 6.5

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-35469 Severity: Moderate CVSS3 score: 6.5

Description: spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes - all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
containerd > 0-0 (version in image is 1.7.29-150000.132.1).

CVE-2026-3644 Severity: Moderate CVSS3 score: 6.5

Description: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libpython3_6m1_0 < 3.6.15-150300.10.118.1 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-3833 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-42013 Severity: Moderate CVSS3 score: 6.5

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-44283 Severity: Moderate CVSS3 score: 6.5

Description: etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2026-5545 Severity: Moderate CVSS3 score: 6.5

Description: libcurl might in some circumstances reuse the wrong connection when asked todo an authenticated HTTP(S) request after a Negotiate-authenticated one, whenboth use the same host.libcurl features a pool of recent connections so that subsequent requests canreuse an existing connection to avoid overhead.When reusing a connection a range of criteria must be met. Due to a logicalerror in the code, a request that was issued by an application couldwrongfully reuse an existing connection to the same server that wasauthenticated using different credentials.An application that first uses Negotiate authentication to a server with`user1:password1` and then does another operation to the same server askingfor any authentication method but for `user2:password2` (while the previousconnection is still alive) - the second request gets confused and wronglyreuses the same connection and sends the new request over that connectionthinking it uses a mix of user1's and user2's credentials when it is in factstill using the connection authenticated for user1...

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-6732 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libxml2-2 > 0-0 (version in image is 2.12.10-150700.4.11.1).

CVE-2025-39896 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:accel/ivpu: Prevent recovery work from being queued during device removalUse disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()to ensure that no new recovery work items can be queued after deviceremoval has started. Previously, recovery work could be scheduled evenafter canceling existing work, potentially leading to use-after-freebugs if recovery accessed freed resources.Rename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to betterreflect its new behavior.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68748 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:drm/panthor: Fix UAF race between device unplug and FW event processingThe function panthor_fw_unplug() will free the FW memory sections.The problem is that there could still be pending FW events which are yetnot handled at this point. process_fw_events_work() can in this case tryto access said freed memory.Simply call disable_work_sync() to both drain and prevent futureinvocation of process_fw_events_work().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23245 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_gate: snapshot parameters with RCU on replaceThe gate action can be replaced while the hrtimer callback or dump path iswalking the schedule list.Convert the parameters to an RCU-protected snapshot and swap updates undertcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omitsthe entry list, preserve the existing schedule so the effective state isunchanged.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23284 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()Reset eBPF program pointer to old_prog and do not decrease its ref-countif mtk_open routine in mtk_xdp_setup() fails.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23340 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscsWhen shrinking the number of real tx queues,netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flushqdiscs for queues which will no longer be used.qdisc_reset_all_tx_gt() currently serializes qdisc_reset() withqdisc_lock(). However, for lockless qdiscs, the dequeue path isserialized by qdisc_run_begin/end() using qdisc->seqlock instead, soqdisc_reset() can run concurrently with __qdisc_run() and free skbswhile they are still being dequeued, leading to UAF.This can easily be reproduced on e.g. virtio-net by imposing heavytraffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 doneWith KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ...Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path bytaking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching theserialization model already used by dev_reset_queue().Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc statereflects an empty queue, avoiding needless re-scheduling.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31395 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handlerThe ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler inbnxt_async_event_process() uses a firmware-supplied 'type' fielddirectly as an index into bp->bs_trace[] without bounds validation.The 'type' field is a 16-bit value extracted from DMA-mapped completionring memory that the NIC writes directly to host RAM. A malicious orcompromised NIC can supply any value from 0 to 65535, causing anout-of-bounds access into kernel heap memory.The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byteand writes to bs_trace->last_offset and bs_trace->wrapped, leading tokernel memory corruption or a crash.Fix by adding a bounds check and defining BNXT_TRACE_MAX asDBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currentlydefined firmware trace types (0x0 through 0xc).

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31493 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/efa: Fix use of completion ctx after freeOn admin queue completion handling, if the admin command completed witherror we print data from the completion context. The issue is that wealready freed the completion context in polling/interrupts handler whichmeans we print data from context in an unknown state (it might bealready used again).Change the admin submission flow so alloc/dealloc of the context will besymmetric and dealloc will be called after any potential use of thecontext.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31502 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:team: fix header_ops type confusion with non-Ethernet portsSimilar to commit 950803f72547 ("bonding: fix type confusion inbond_setup_by_slave()") team has the same class of header_ops typeconfusion.For non-Ethernet ports, team_setup_by_port() copies port_dev->header_opsdirectly. When the team device later calls dev_hard_header() ordev_parse_header(), these callbacks can run with the team net_deviceinstead of the real lower device, so netdev_priv(dev) is interpreted asthe wrong private type and can crash.The syzbot report shows a crash in bond_header_create(), but the rootcause is in team: the topology is gre -> bond -> team, and team callsthe inherited header_ops with its own net_device instead of the lowerdevice, so bond_header_create() receives a team device and interpretsnetdev_priv() as bonding private data, causing a type confusion crash.Fix this by introducing team header_ops wrappers for create/parse,selecting a team port under RCU, and calling the lower device callbackswith port->dev, so each callback always sees the correct net_devicecontext.Also pass the selected lower device to the lower parse callback, sorecursion is bounded in stacked non-Ethernet topologies and parsecallbacks always run with the correct device context.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31516 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: prevent policy_hthresh.work from racing with netns teardownA XFRM_MSG_NEWSPDINFO request can queue the per-net work itempolicy_hthresh.work onto the system workqueue.The queued callback, xfrm_hash_rebuild(), retrieves the enclosingstruct net via container_of(). If the net namespace is torn downbefore that work runs, the associated struct net may already havebeen freed, and xfrm_hash_rebuild() may then dereference stale memory.xfrm_policy_fini() already flushes policy_hash_work during teardown,but it does not synchronize policy_hthresh.work.Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so thequeued work cannot outlive the net namespace teardown and access afreed struct net.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31525 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MINThe BPF interpreter's signed 32-bit division and modulo handlers usethe kernel abs() macro on s32 operands. The abs() macro documentation(include/linux/math.h) explicitly states the result is undefined whenthe input is the type minimum. When DST contains S32_MIN (0x80000000),abs((s32)DST) triggers undefined behavior and returns S32_MIN unchangedon arm64/x86. This value is then sign-extended to u64 as0xFFFFFFFF80000000, causing do_div() to compute the wrong result.The verifier's abstract interpretation (scalar32_min_max_sdiv) computesthe mathematically correct result for range tracking, creating averifier/interpreter mismatch that can be exploited for out-of-boundsmap value access.Introduce abs_s32() which handles S32_MIN correctly by casting to u32before negating, avoiding signed overflow entirely. Replace all 8abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.s32 is the only affected case -- the s64 division/modulo handlers donot use abs().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31527 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:driver core: platform: use generic driver_override infrastructureWhen a driver is probed through __driver_attach(), the bus' match()callback is called without the device lock held, thus accessing thedriver_override field without a lock, which can cause a UAF.Fix this by using the driver-core driver_override infrastructure takingcare of proper locking internally.Note that calling match() from __driver_attach() without the device lockheld is intentional. [1]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31530 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:cxl/port: Fix use after free of parent_port in cxl_detach_ep()cxl_detach_ep() is called during bottom-up removal when all CXL memorydevices beneath a switch port have been removed. For each port in thehierarchy it locks both the port and its parent, removes the endpoint,and if the port is now empty, marks it dead and unregisters the portby calling delete_switch_port(). There are two places during this workwhere the parent_port may be used after freeing:First, a concurrent detach may have already processed a port by thetime a second worker finds it via bus_find_device(). Without pinningparent_port, it may already be freed when we discover port->dead andattempt to unlock the parent_port. In a production kernel that's asilent memory corruption, with lock debug, it looks like this:[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310[]Call Trace:[]mutex_unlock+0xd/0x20[]cxl_detach_ep+0x180/0x400 [cxl_core][]devm_action_release+0x10/0x20[]devres_release_all+0xa8/0xe0[]device_unbind_cleanup+0xd/0xa0[]really_probe+0x1a6/0x3e0Second, delete_switch_port() releases three devm actions registeredagainst parent_port. The last of those is unregister_port() and itcalls device_unregister() on the child port, which can cascade. Ifparent_port is now also empty the device core may unregister and freeit too. So by the time delete_switch_port() returns, parent_port maybe free, and the subsequent device_unlock(&parent_port->dev) operateson freed memory. The kernel log looks same as above, with a differentoffset in cxl_detach_ep().Both of these issues stem from the absence of a lifetime guaranteebetween a child port and its parent port.Establish a lifetime rule for ports: child ports hold a reference totheir parent device until release. Take the reference when the portis allocated and drop it when released. This ensures the parent isvalid for the full lifetime of the child and eliminates the use afterfree window in cxl_detach_ep().This is easily reproduced with a reload of cxl_acpi in QEMU with CXLdevices present.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31581 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: 6fire: fix use-after-free on disconnectIn usb6fire_chip_abort(), the chip struct is allocated as the card'sprivate data (via snd_card_new with sizeof(struct sfire_chip)). Whensnd_card_free_when_closed() is called and no file handles are open, thecard and embedded chip are freed synchronously. The subsequentchip->card = NULL write then hits freed slab memory.Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953Fix by moving the card lifecycle out of usb6fire_chip_abort() and intousb6fire_chip_disconnect(). The card pointer is saved in a localbefore any teardown, snd_card_disconnect() is called first to preventnew opens, URBs are aborted while chip is still valid, andsnd_card_free_when_closed() is called last so chip is never accessedafter the card may be freed.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31663 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: hold dev ref until after transport_finish NF_HOOKAfter async crypto completes, xfrm_input_resume() calls dev_put()immediately on re-entry before the skb reaches transport_finish.The skb->dev pointer is then used inside NF_HOOK and its okfn,which can race with device teardown.Remove the dev_put from the async resumption entry and insteaddrop the reference after the NF_HOOK call in transport_finish,using a saved device pointer since NF_HOOK may consume the skb.This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skipthe okfn.For non-transport exits (decaps, gro, drop) and secondaryasync return points, release the reference inline whenasync is set.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31665 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_ct: fix use-after-free in timeout object destroynft_ct_timeout_obj_destroy() frees the timeout object with kfree()immediately after nf_ct_untimeout(), without waiting for an RCU graceperiod. Concurrent packet processing on other CPUs may still holdRCU-protected references to the timeout object obtained viarcu_dereference() in nf_ct_timeout_data().Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to deferfreeing until after an RCU grace period, matching the approach alreadyused in nfnetlink_cttimeout.c.KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31678 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:openvswitch: defer tunnel netdev_put to RCU releaseovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER alreadydetached the device. Dropping the netdev reference in destroy can racewith concurrent readers that still observe vport->dev.Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, letvport_netdev_free() drop the reference from the RCU callback, matchingthe non-tunnel destroy path and avoiding additional synchronizationunder RTNL.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31688 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:driver core: enforce device_lock for driver_match_device()Currently, driver_match_device() is called from three sites. One site(__device_attach_driver) holds device_lock(dev), but the other two(bind_store and __driver_attach) do not. This inconsistency means thatbus match() callbacks are not guaranteed to be called with the lockheld.Fix this by introducing driver_match_device_locked(), which guaranteesholding the device lock using a scoped guard. Replace the unlocked callsin bind_store() and __driver_attach() with this new helper. Also add alock assertion to driver_match_device() to enforce this guarantee.This consistency also fixes a known race condition. The driver_overrideimplementation relies on the device_lock, so the missing lock led to theuse-after-free (UAF) reported in Bugzilla for buses using this field.Stress testing the two newly locked paths for 24 hours withCONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrenceand no lockdep warnings.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31729 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:usb: typec: ucsi: validate connector number in ucsi_notify_common()The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a7-bit field (0-127) that is used to index into the connector array inucsi_connector_change(). However, the array is only allocated for thenumber of connectors reported by the device (typically 2-4 entries).A malicious or malfunctioning device could report an out-of-rangeconnector number in the CCI, causing an out-of-bounds array access inucsi_connector_change().Add a bounds check in ucsi_notify_common(), the central point where CCIis parsed after arriving from hardware, so that bogus connector numbersare rejected before they propagate further.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-34980 Severity: Moderate CVSS3 score: 6.4

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-40226 Severity: Moderate CVSS3 score: 6.4

Description: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libsystemd0 > 0-0 (version in image is 254.27-150600.4.62.1).

CVE-2024-42084 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ftruncate: pass a signed offsetThe old ftruncate() syscall, using the 32-bit off_t misses a signextension when called in compat mode on 64-bit architectures. As aresult, passing a negative length accidentally succeeds in truncatingto file size between 2GiB and 4GiB.Changing the type of the compat syscall to the signed compat_off_tchanges the behavior so it instead returns -EINVAL.The native entry point, the truncate() syscall and the correspondingloff_t based variants are all correct already and do not sufferfrom this mistake.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71152 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: dsa: properly keep track of conduit referenceProblem description-------------------DSA has a mumbo-jumbo of reference handling of the conduit net deviceand its kobject which, sadly, is just wrong and doesn't make sense.There are two distinct problems.1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch:(unbind the conduit driver for net device eno2)echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbindwe see these lines in the output diff which appear only with the patchapplied:kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()).Actually we actually use that netdev tracker mechanism implicitly onuser ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces withthe DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link().But time still passes at DSA switch probe time between the initialof_find_net_device_by_node() code and the user port creation time, timeduring which the conduit could unregister itself and DSA wouldn't knowabout it.So we have to run of_find_net_device_by_node() under rtnl_lock() toprevent that from happening, and release the lock only with the netdevtracker having acquired the reference.Do we need to keep the reference until dsa_unregister_switch() /dsa_switch_shutdown()?1: Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference.2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed.As for the conduit's kobject for the /sys/class/net/ entry, we don'tcare about it, we can release it as soon as we hold the net deviceobject itself.History and blame attribution-----------------------------The code has been refactored so many times, it is very difficult tofollow and properly attribute a blame, but I'll try to make a shorthistory which I hope to be correct.We have two distinct probing paths:- one for OF, introduced in 2016 i---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23262 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:gve: Fix stats report corruption on queue count changeThe driver and the NIC share a region in memory for stats reporting.The NIC calculates its offset into this region based on the total sizeof the stats region and the size of the NIC's stats.When the number of queues is changed, the driver's stats region isresized. If the queue count is increased, the NIC can write pastthe end of the allocated stats region, causing memory corruption.If the queue count is decreased, there is a gap between the driverand NIC stats, leading to incorrect stats reporting.This change fixes the issue by allocating stats region with maximumsize, and the offset calculation for NIC stats is changed to matchwith the calculation of the NIC.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23356 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()Even though we check that we "should" be able to do lc_get_cumulative()while holding the device->al_lock spinlock, it may still fail,if some other code path decided to do lc_try_lock() with bad timing.If that happened, we logged "LOGIC BUG for enr=...",but still did not return an error.The rest of the code now assumed that this request has referencesfor the relevant activity log extents.The implcations are that during an active resync, mutual exclusivity ofresync versus application IO is not guaranteed. And a potential crashat this point may not realizs that these extents could have been targetof in-flight IO and would need to be resynced just in case.Also, once the request completes, it will give up activity log references itdoes not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put().Fix:Do not crash the kernel for a condition that is harmless during normaloperation: also catch "e->refcnt == 0", not only "e == NULL"when being noisy about "al_complete_io() called on inactive extent %u\n".And do not try to be smart and "guess" whether something will work, thenbe surprised when it does not.Deal with the fact that it may or may not work. If it does not, remember apossible "partially in activity log" state (only possible for requests thatcross extent boundaries), and return an error code fromdrbd_al_begin_io_nonblock().A latter call for the same request will then resume from where we left off.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23378 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_ife: Fix metalist update behaviorWhenever an ife action replace changes the metalist, instead ofreplacing the old data on the metalist, the current ife code is appendingthe new metadata. Aside from being innapropriate behavior, this may leadto an unbounded addition of metadata to the metalist which might cause anout of bounds error when running the encode op:[ 138.423369][ C1] ==================================================================[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011[ 138.425800][ C1] Call Trace:[ 138.425804][ C1] [ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)To solve this issue, fix the replace behavior by adding the metalist tothe ife rcu data structure.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23388 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:Squashfs: check metadata block offset is within rangeSyzkaller reports a "general protection fault in squashfs_copy_data"This is ultimately caused by a corrupted index look-up table, whichproduces a negative metadata block offset.This is subsequently passed to squashfs_copy_data (viasquashfs_read_metadata) where the negative offset causes an out of boundsaccess.The fix is to check that the offset is within range insquashfs_read_metadata. This will trap this and other cases.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23455 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()In DecodeQ931(), the UserUserIE code path reads a 16-bit length fromthe packet, then decrements it by 1 to skip the protocol discriminatorbyte before passing it to DecodeH323_UserInformation(). If the encodedlength is 0, the decrement wraps to -1, which is then passed as alarge value to the decoder, leading to an out-of-bounds read.Add a check to ensure len is positive after the decrement.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31725 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_ecm: Fix net_device lifecycle with device_moveThe net_device is allocated during function instance creation andregistered during the bind phase with the gadget device as its sysfsparent. When the function unbinds, the parent device is destroyed, butthe net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directoryUse device_move() to reparent the net_device between the gadget devicetree and /sys/devices/virtual across bind and unbind cycles. During thefinal unbind, calling device_move(NULL) moves the net_device to thevirtual device tree before the gadget device is destroyed. On rebinding,device_move() reparents the device back under the new gadget, ensuringproper sysfs topology and power management ordering.To maintain compatibility with legacy composite drivers (e.g., multi.c),the bound flag is used to indicate whether the network device is sharedand pre-registered during the legacy driver's bind phase.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-41989 Severity: Moderate CVSS3 score: 6.3

Description: Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
grub2 > 0-0 (version in image is 2.12-150700.19.29.1).

CVE-2026-43068 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()There's issue as follows:...EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117EXT4-fs (mmcblk0p1): This should not happen!! Data will be lostEXT4-fs (mmcblk0p1): error count since last fsck: 1EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760...According to the log analysis, blocks are always requested from thecorrupted block group. This may happen as follows:ext4_mb_find_by_goal ext4_mb_load_buddy ext4_mb_load_buddy_gfp ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_wait_block_bitmap ext4_validate_block_bitmap if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) return -EFSCORRUPTED; // There's no logs. if (err) return err; // Will return errorext4_lock_group(ac->ac_sb, group); if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable goto out;After commit 9008a58e5dce ("ext4: make the bitmap read routines returnreal error codes") merged, Commit 163a203ddb36 ("ext4: mark block groupas corrupt on block bitmap error") is no real solution for allocatingblocks from corrupted block groups. This is because if'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then'ext4_mb_load_buddy()' may return an error. This means that the blockallocation will fail.Therefore, check block group if corrupted when ext4_mb_load_buddy()returns error.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43073 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:x86-64: rename misleadingly named '__copy_user_nocache()' functionThis function was a masterclass in bad naming, for various historicalreasons.It claimed to be a non-cached user copy. It is literally _neither_ ofthose things. It's a specialty memory copy routine that usesnon-temporal stores for the destination (but not the source), and thatdoes exception handling for both source and destination accesses.Also note that while it works for unaligned targets, any unaligned parts(whether at beginning or end) will not use non-temporal stores, sinceonly words and quadwords can be non-temporal on x86.The exception handling means that it _can_ be used for user spaceaccesses, but not on its own - it needs all the normal "start user spaceaccess" logic around it.But typically the user space access would be the source, not thenon-temporal destination. That was the original intention of this,where the destination was some fragile persistent memory target thatneeded non-temporal stores in order to catch machine check exceptionssynchronously and deal with them gracefully.Thus that non-descriptive name: one use case was to copy from user spaceinto a non-cached kernel buffer. However, the existing users are a mixof that intended use-case, and a couple of random drivers that just didthis as a performance tweak.Some of those random drivers then actively misused the user copyingversion (with STAC/CLAC and all) to do kernel copies without ever evencaring about the exception handling, _just_ for the non-temporaldestination.Rename it as a first small step to actually make it halfway sane, andchange the prototype to be more normal: it doesn't take a user pointerunless the caller has done the proper conversion, and the argument sizeis the full size_t (it still won't actually copy more than 4GB in onego, but there's also no reason to silently truncate the size argument inthe caller).Finally, use this now sanely named function in the NTB code, whichmis-used a user copy version (with STAC/CLAC and all) of this interfacedespite it not actually being a user copy at all.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43158 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: fix freemap adjustments when adding xattrs to leaf blocksxfs/592 and xfs/794 both trip this assertion in the leaf block freemapadjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf));Upon enabling quite a lot more debugging code, I narrowed this down tofsstress trying to set a local extended attribute with namelen=3 andvaluelen=71. This results in an entry size of 80 bytes.At the start of xfs_attr3_leaf_add_work, the freemap looks like this:i 0 base 448 size 0 rhs 448 count 46i 1 base 388 size 132 rhs 448 count 46i 2 base 2120 size 4 rhs 448 count 46firstused = 520where "rhs" is the first byte past the end of the leaf entry array.This is inconsistent -- the entries array ends at byte 448, butfreemap[1] says there's free space starting at byte 388!By the end of the function, the freemap is in worse shape:i 0 base 456 size 0 rhs 456 count 47i 1 base 388 size 52 rhs 456 count 47i 2 base 2120 size 4 rhs 456 count 47firstused = 440Important note: 388 is not aligned with the entries array element sizeof 8 bytes.Based on the incorrect freemap, the name area starts at byte 440, whichis below the end of the entries array! That's why the assertiontriggers and the filesystem shuts down.How did we end up here? First, recall from the previous patch that thefreemap array in an xattr leaf block is not intended to be acomprehensive map of all free space in the leaf block. In other words,it's perfectly legal to have a leaf block with: * 376 bytes in use by the entries array * freemap[0] has [base = 376, size = 8] * freemap[1] has [base = 388, size = 1500] * the space between 376 and 388 is free, but the freemap stopped tracking that some time agoIf we add one xattr, the entries array grows to 384 bytes, andfreemap[0] becomes [base = 384, size = 0]. So far, so good. But if weadd a second xattr, the entries array grows to 392 bytes, and freemap[0]gets pushed up to [base = 392, size = 0]. This is bad, becausefreemap[1] hasn't been updated, and now the entries array and the freespace claim the same space.The fix here is to adjust all freemap entries so that none of themcollide with the entries array. Note that this fix relies on commit2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") andthe previous patch that resets zero length freemap entries to havebase = 0.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43187 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: delete attr leaf freemap entries when emptyBack in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.sizeunderflow"), Brian Foster observed that it's possible for a smallfreemap at the end of the end of the xattr entries array to experiencea size underflow when subtracting the space consumed by an expansion ofthe entries array. There are only three freemap entries, which meansthat it is not a complete index of all free space in the leaf block.This code can leave behind a zero-length freemap entry with a nonzerobase. Subsequent setxattr operations can increase the base up to thepoint that it overlaps with another freemap entry. This isn't in and ofitself a problem because the code in _leaf_add that finds free spaceignores any freemap entry with zero size.However, there's another bug in the freemap update code in _leaf_add,which is that it fails to update a freemap entry that begins midwaythrough the xattr entry that was just appended to the array. That canresult in the freemap containing two entries with the same base butdifferent sizes (0 for the "pushed-up" entry, nonzero for the entrythat's actually tracking free space). A subsequent _leaf_add can thenallocate xattr namevalue entries on top of the entries array, leading todata loss. But fixing that is for later.For now, eliminate the possibility of confusion by zeroing out the baseof any freemap entry that has zero size. Because the freemap is notintended to be a complete index of free space, a subsequent failure tofind any free space for a new xattr will trigger block compaction, whichregenerates the freemap.It looks like this bug has been in the codebase for quite a long time.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43249 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:9p/xen: protect xen_9pfs_front_free against concurrent callsThe xenwatch thread can race with other back-end change notificationsand call xen_9pfs_front_free() twice, hitting the observed generalprotection fault due to a double-free. Guard the teardown path so onlyone caller can release the front-end state at a time, preventing thecrash.This is a fix for the following double-free:[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660[ 27.052418] Call Trace:[ 27.052420] [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720[ 27.052426] ? xenbus_otherend_changed+0x72/0x140[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10[ 27.052434] xenwatch_thread+0x94/0x1c0[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10[ 27.052442] kthread+0xf8/0x240[ 27.052445] ? __pfx_kthread+0x10/0x10[ 27.052449] ? __pfx_kthread+0x10/0x10[ 27.052452] ret_from_fork+0x16b/0x1a0[ 27.052456] ? __pfx_kthread+0x10/0x10[ 27.052459] ret_from_fork_asm+0x1a/0x30[ 27.052463] [ 27.052465] Modules linked in:[ 27.052471] ---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43250 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()The ChipIdea UDC driver can encounter "not page aligned sg buffer"errors when a USB device is reconnected after being disconnectedduring an active transfer. This occurs because _ep_nuke() returnsrequests to the gadget layer without properly unmapping DMA buffersor cleaning up scatter-gather bounce buffers.Root cause:When a disconnect happens during a multi-segment DMA transfer, therequest's num_mapped_sgs field and sgt.sgl pointer remain set withstale values. The request is returned to the gadget driver with status-ESHUTDOWN but still has active DMA state. If the gadget driver reusesthis request on reconnect without reinitializing it, the stale DMAstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zeronum_mapped_sgs) and attempt to use freed/invalid DMA addresses,leading to alignment errors and potential memory corruption.The normal completion path via _hardware_dequeue() properly callsusb_gadget_unmap_request_by_dev() and sglist_do_debounce() beforereturning the request. The _ep_nuke() path must do the same cleanupto ensure requests are returned in a clean, reusable state.Fix:Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirrorthe cleanup sequence in _hardware_dequeue():- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set- Call sglist_do_debounce() with copy=false if bounce buffer existsThis ensures that when requests are returned due to endpoint shutdown,they don't retain stale DMA mappings. The 'false' parameter tosglist_do_debounce() prevents copying data back (appropriate forshutdown path where transfer was aborted).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-39716 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:parisc: Revise __get_user() to probe user read accessBecause of the way read access support is implemented, read accessinterruptions are only triggered at privilege levels 2 and 3. Thekernel executes at privilege level 0, so __get_user() never triggersa read access interruption (code 26). Thus, it is currently possiblefor user code to access a read protected address via a system call.Fix this by probing read access rights at privilege level 3 (PRIV_USER)and setting __gu_err to -EFAULT (-14) if access isn't allowed.Note the cmpiclr instruction does a 32-bit compare because COND macrodoesn't work inside asm.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23269 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:apparmor: validate DFA start states are in bounds in unpack_pdbStart states are read from untrusted data and used as indexes into theDFA state tables. The aa_dfa_next() function call in unpack_pdb() willaccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceedsthe number of states in the DFA, this results in an out-of-bound read.================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ...Reject policies with out-of-bounds start states during unpackingto prevent the issue.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31396 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: fix use-after-free access to PTP clockPTP clock is registered on every opening of the interface and destroyed onevery closing. However it may be accessed via get_ts_info ethtool callwhich is possible while the interface is just present in the kernel.BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426Read of size 4 at addr ffff8880194345cc by task syz.0.6/948CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x17f/0x496 mm/kasan/report.c:420 kasan_report+0xd9/0x180 mm/kasan/report.c:524 ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349 macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371 __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558 ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline] __dev_ethtool net/ethtool/ioctl.c:3017 [inline] dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095 dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 sock_ioctl+0x577/0x6d0 net/socket.c:1320 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 457: kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235 gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375 macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920 __dev_open+0x2ce/0x500 net/core/dev.c:1501 __dev_change_flags+0x56a/0x740 net/core/dev.c:8651 dev_change_flags+0x92/0x170 net/core/dev.c:8722 do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833 __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608 rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655 rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150 netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x14b/0x180 net/socket.c:730 __sys_sendto+0x320/0x3b0 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 938: kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook mm/slub.c:1755 [inline] slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xbc/0x320 mm/slub.c:3700 device_release+0xa0/0x240 drivers/base/core.c:2507 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1cd/0x350 lib/kobject.c:729 put_device+0x1b/0x30 drivers/base/core.c:3805 ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391 gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404 macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966 __dev_close_many+0x1b9/0x310 net/core/dev.c:1585 __dev_close net/core/dev.c:1597 [inline] __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649 dev_change_fl---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31503 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:udp: Fix wildcard bind conflict check when using hash2When binding a udp_sock to a local address and port, UDP usestwo hashes (udptable->hash and udptable->hash2) for collisiondetection. The current code switches to "hash2" whenhslot->count > 10."hash2" is keyed by local address and local port."hash" is keyed by local port only.The issue can be shown in the following bind sequence (pseudo code):bind(fd1, "[fd00::1]:8888")bind(fd2, "[fd00::2]:8888")bind(fd3, "[fd00::3]:8888")bind(fd4, "[fd00::4]:8888")bind(fd5, "[fd00::5]:8888")bind(fd6, "[fd00::6]:8888")bind(fd7, "[fd00::7]:8888")bind(fd8, "[fd00::8]:8888")bind(fd9, "[fd00::9]:8888")bind(fd10, "[fd00::10]:8888")/* Correctly return -EADDRINUSE because "hash" is used * instead of "hash2". udp_lib_lport_inuse() detects the * conflict. */bind(fail_fd, "[::]:8888")/* After one more socket is bound to "[fd00::11]:8888", * hslot->count exceeds 10 and "hash2" is used instead. */bind(fd11, "[fd00::11]:8888")bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */The same issue applies to the IPv4 wildcard address "0.0.0.0"and the IPv4-mapped wildcard address "::ffff:0.0.0.0". Forexample, if there are existing sockets bound to"192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or"[::ffff:0.0.0.0]:8888" can also miss the conflict whenhslot->count > 10.TCP inet_csk_get_port() already has the correct check ininet_use_bhash2_on_bind(). Rename it toinet_use_hash2_on_bind() and move it to inet_hashtables.hso udp.c can reuse it in this fix.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31593 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPUReject synchronizing vCPU state to its associated VMSA if the vCPU hasalready been launched, i.e. if the VMSA has already been encrypted. On ahost with SNP enabled, accessing guest-private memory generates an RMP #PFand panics the host. BUG: unable to handle page fault for address: ff1276cbfdf36000 #PF: supervisor write access in kernel mode #PF: error_code(0x80000003) - RMP violation PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163 SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f] Oops: Oops: 0003 [#1] SMP NOPTI CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023 RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd] Call Trace: snp_launch_update_vmsa+0x19d/0x290 [kvm_amd] snp_launch_finish+0xb6/0x380 [kvm_amd] sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd] kvm_arch_vm_ioctl+0x837/0xcf0 [kvm] kvm_vm_ioctl+0x3fd/0xcc0 [kvm] __x64_sys_ioctl+0xa3/0x100 x64_sys_call+0xfe0/0x2350 do_syscall_64+0x81/0x10f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7ffff673287d Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM:Provide support to launch and run an SEV-ES guest"), but has only beenactively dangerous for the host since SNP support was added. With SEV-ES,KVM would "just" clobber guest state, which is totally fine from a hostkernel perspective since userspace can clobber guest state any time beforesev_launch_update_vmsa().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31606 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_hid: don't call cdev_init while cdev in useWhen calling unbind, then bind again, cdev_init reinitialized the cdev,even though there may still be references to it. That's the case whenthe /dev/hidg* device is still opened. This obviously unsafe behaviorlike oopes.This fixes this by using cdev_alloc to put the cdev on the heap. Thatway, we can simply allocate a new one in hidg_bind.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31616 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()A broken/bored/mean USB host can overflow the skb_shared_info->frags[]array on a Linux gadget exposing a Phonet function by sending anunbounded sequence of full-page OUT transfers.pn_rx_complete() finalizes the skb only when req->actual < req->length,where req->length is set to PAGE_SIZE by the gadget. If the host alwayssends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never bereset and each completion will add another fragment viaskb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),subsequent frag stores overwrite memory adjacent to the shinfo on theheap.Drop the skb and account a length error when the frag limit is reached,matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:t7xx: fix potential skb->frags overflow in RX path").

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31722 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_rndis: Fix net_device lifecycle with device_moveThe net_device is allocated during function instance creation andregistered during the bind phase with the gadget device as its sysfsparent. When the function unbinds, the parent device is destroyed, butthe net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directoryUse device_move() to reparent the net_device between the gadget devicetree and /sys/devices/virtual across bind and unbind cycles. During thefinal unbind, calling device_move(NULL) moves the net_device to thevirtual device tree before the gadget device is destroyed. On rebinding,device_move() reparents the device back under the new gadget, ensuringproper sysfs topology and power management ordering.To maintain compatibility with legacy composite drivers (e.g., multi.c),the borrowed_net flag is used to indicate whether the network device isshared and pre-registered during the legacy driver's bind phase.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31723 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_subset: Fix net_device lifecycle with device_moveThe net_device is allocated during function instance creation andregistered during the bind phase with the gadget device as its sysfsparent. When the function unbinds, the parent device is destroyed, butthe net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directoryUse device_move() to reparent the net_device between the gadget devicetree and /sys/devices/virtual across bind and unbind cycles. During thefinal unbind, calling device_move(NULL) moves the net_device to thevirtual device tree before the gadget device is destroyed. On rebinding,device_move() reparents the device back under the new gadget, ensuringproper sysfs topology and power management ordering.To maintain compatibility with legacy composite drivers (e.g., multi.c),the bound flag is used to indicate whether the network device is sharedand pre-registered during the legacy driver's bind phase.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31724 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_eem: Fix net_device lifecycle with device_moveThe net_device is allocated during function instance creation andregistered during the bind phase with the gadget device as its sysfsparent. When the function unbinds, the parent device is destroyed, butthe net_device survives, resulting in dangling sysfs symlinks:console:/ # ls -l /sys/class/net/usb0lrwxrwxrwx ... /sys/class/net/usb0 ->/sys/devices/platform/.../gadget.0/net/usb0console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0ls: .../gadget.0/net/usb0: No such file or directoryUse device_move() to reparent the net_device between the gadget devicetree and /sys/devices/virtual across bind and unbind cycles. During thefinal unbind, calling device_move(NULL) moves the net_device to thevirtual device tree before the gadget device is destroyed. On rebinding,device_move() reparents the device back under the new gadget, ensuringproper sysfs topology and power management ordering.To maintain compatibility with legacy composite drivers (e.g., multi.c),the bound flag is used to indicate whether the network device is sharedand pre-registered during the legacy driver's bind phase.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31741 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:counter: rz-mtu3-cnt: prevent counter from being toggled multiple timesRuntime PM counter is incremented / decremented each time the sysfsenable file is written to.If user writes 0 to the sysfs enable file multiple times, runtime PMusage count underflows, generating the following message.rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!At the same time, hardware registers end up being accessed with clocksoff in rz_mtu3_terminate_counter() to disable an already disabledchannel.If user writes 1 to the sysfs enable file multiple times, runtime PMusage count will be incremented each time, requiring the same number of0 writes to get it back to 0.If user writes 0 to the sysfs enable file while PWM is in progress, PWMis stopped without counter being the owner of the underlying MTU3channel.Check against the cached count_is_enabled value and exit if the useris trying to set the same enable value.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-3441 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-3442 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-39979 Severity: Moderate CVSS3 score: 6.1

Description: jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-42015 Severity: Moderate CVSS3 score: 6.1

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-43071 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:dcache: Limit the minimal number of bucket to twoThere is an OOB read problem on dentry_hashtable when user sets'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260There will be only one bucket in dentry_hashtable when dhash_entries isset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,following process will access more than one buckets(which memory regionis not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB!Fix it by limiting the minimal number of dentry_hashtable bucket to two,so that 'd_hash_shift' won't exceeds the bit width of type u32.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-4647 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-68741 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Fix improper freeing of purex itemIn qla2xxx_process_purls_iocb(), an item is allocated viaqla27xx_copy_multiple_pkt(), which internally callsqla24xx_alloc_purex_item().The qla24xx_alloc_purex_item() function may return a pre-allocated itemfrom a per-adapter pool for small allocations, instead of dynamicallyallocating memory with kzalloc().An error handling path in qla2xxx_process_purls_iocb() incorrectly useskfree() to release the item. If the item was from the pre-allocatedpool, calling kfree() on it is a bug that can lead to memory corruption.Fix this by using the correct deallocation function,qla24xx_free_purex_item(), which properly handles both dynamicallyallocated and pre-allocated items.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23306 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: pm8001: Fix use-after-free in pm8001_queue_command()Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactorspm8001_queue_command(), however it introduces a potential cause of a doublefree scenario when it changes the function to return -ENODEV in case of phydown/device gone state.In this path, pm8001_queue_command() updates task status and callstask_done to indicate to upper layer that the task has been handled.However, this also frees the underlying SAS task. A -ENODEV is thenreturned to the caller. When libsas sas_ata_qc_issue() receives this errorvalue, it assumes the task wasn't handled/queued by LLDD and proceeds toclean up and free the task again, resulting in a double free.Since pm8001_queue_command() handles the SAS task in this case, it shouldreturn 0 to the caller indicating that the task has been handled.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-39881 Severity: Moderate CVSS3 score: 6.0

Description: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2025-68972 Severity: Moderate CVSS3 score: 5.9

Description: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
gpg2 > 0-0 (version in image is 2.4.4-150600.3.15.1).

CVE-2026-31638 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Only put the call ref if one was acquiredrxrpc_input_packet_on_conn() can process a to-client packet after thecurrent client call on the channel has already been torn down. In thatcase chan->call is NULL, rxrpc_try_get_call() returns NULL and there isno reference to drop.The client-side implicit-end error path does not account for that andunconditionally calls rxrpc_put_call(). This turns a protocol errorpath into a kernel crash instead of rejecting the packet.Only drop the call reference if one was actually acquired. Keep theexisting protocol error handling unchanged.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-40355 Severity: Moderate CVSS3 score: 5.9

Description: In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
krb5 > 0-0 (version in image is 1.20.1-150600.11.14.1).

CVE-2026-40356 Severity: Moderate CVSS3 score: 5.9

Description: In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
krb5 > 0-0 (version in image is 1.20.1-150600.11.14.1).

CVE-2026-41066 Severity: Moderate CVSS3 score: 5.9

Description: lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
python3-lxml > 0-0 (version in image is 4.9.1-150500.3.4.3).

CVE-2026-43411 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:tipc: fix divide-by-zero in tipc_sk_filter_connect()A user can set conn_timeout to any value viasetsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When aSYN is rejected with TIPC_ERR_OVERLOAD and the retry path intipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4);If conn_timeout is in the range [0, 3], the integer division yields 0,and the modulo operation triggers a divide-by-zero exception, causing akernel oops/panic.Fix this by clamping conn_timeout to a minimum of 4 at the point of usein tipc_sk_filter_connect().Oops: divide error: 0000 [#1] SMP KASAN NOPTICPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)Call Trace: tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406) __release_sock (include/net/sock.h:1185 net/core/sock.c:3213) release_sock (net/core/sock.c:3797) tipc_connect (net/tipc/socket.c:2570) __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43441 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabledWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is neverinitialized because inet6_init() exits before ndisc_init() is calledwhich initializes it. If bonding ARP/NS validation is enabled, an IPv6NS/NA packet received on a slave can reach bond_validate_na(), whichcalls bond_has_this_ip6(). That path calls ipv6_chk_addr() and cancrash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets tobond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()and avoid the path to ipv6_chk_addr().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-5260 Severity: Moderate CVSS3 score: 5.9

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-5450 Severity: Moderate CVSS3 score: 5.9

Description: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
glibc > 0-0 (version in image is 2.38-150600.14.46.1).

CVE-2026-6253 Severity: Moderate CVSS3 score: 5.9

Description: curl might erroneously pass on credentials for a first proxy to a secondproxy.This can happen when the following conditions are true:1. curl is setup to use specific different proxies for different URL schemes2. the first proxy needs credentials3. the second proxy uses no credentials4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-6429 Severity: Moderate CVSS3 score: 5.9

Description: When asked to both use a `.netrc` file for credentials and to follow HTTPredirects, libcurl could leak the password used for the first host to thefollowed-to host under certain circumstances.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-7168 Severity: Moderate CVSS3 score: 5.9

Description: Successfully using libcurl to do a transfer over a specific HTTP proxy(`proxyA`) with **Digest** authentication and then changing the proxy host toa second one (`proxyB`) for a second transfer, reusing the same handle, makeslibcurl wrongly pass on the `Proxy-Authorization:` header field meant for`proxyA`, to `proxyB`.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2025-68265 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:nvme: fix admin request_queue lifetimeThe namespaces can access the controller's admin request_queue, andstale references on the namespaces may exist after tearing down thecontroller. Ensure the admin request_queue is active by moving thecontroller's 'put' to after all controller references have been releasedto ensure no one is can access the request_queue. This fixes a reporteduse-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68310 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdumpDo not block PCI config accesses through pci_cfg_access_lock() whenexecuting the s390 variant of PCI error recovery: Acquire justdevice_lock() instead of pci_dev_lock() as powerpc's EEH andgenerig PCI AER processing do.During error recovery testing a pair of tasks was reported to be hung:mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not workingINFO: task kmcheck:72 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 [<0000000652513212>] devlink_health_report+0x19a/0x230 [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]No kernel log of the exact same error with an upstream kernel isavailable - but the very same deadlock situation can be constructed there,too:- task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock()- task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock.A similar deadlock situation can be reproduced by requesting acrdump with > devlink health dump show pci/ reporter fw_fatalwhile PCI error recovery is executed on the same physical functionby mlx5_core's pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw Tests with this patch failed to reproduce that second deadlock situation,the devlink command is rejected with "kernel answers: Permission denied" -and we get a kernel log message of:mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5because the config read of VSC_SEMAPHORE is rejected by the underlyinghardware.Two prior attempts to address this issue have been discussed andultimately rejected [see link], with the primary argument that s390'simplementation of PCI error recovery is imposing restrictions thatneither powerpc's EEH nor PCI AER handling need. Tests show that PCIerror recovery on s390 is running to completion even without blockingaccess to PCI config space.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43119 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_sync: annotate data-races around hdev->req_status__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: hdev->req_status = HCI_REQ_PEND;However, several other functions read or write hdev->req_status withoutholding any lock: - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) - hci_cmd_sync_complete() reads/writes from HCI event completion - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write - hci_abort_conn() reads in connection abort pathSince __hci_cmd_sync_sk() runs on hdev->req_workqueue whilehci_send_cmd_sync() runs on hdev->workqueue, these are differentworkqueues that can execute concurrently on different CPUs. The plainC accesses constitute a data race.Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accessesto hdev->req_status to prevent potential compiler optimizations thatcould affect correctness (e.g., load fusing in the wait_eventcondition or store reordering).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43361 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix transaction abort when snapshotting received subvolumesCurrently a user can trigger a transaction abort by snapshotting apreviously received snapshot a bunch of times until we reach aBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size wecan store in a leaf). This is very likely not common in practice, butif it happens, it turns the filesystem into RO mode. The snapshot, sendand set_received_subvol and subvol_setflags (used by receive) don'trequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious usercould use this to turn a filesystem into RO mode and disrupt a system.Reproducer script: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true # Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv | btrfs receive $MNT/snaps # Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo umount $MNTWhen running the test: $ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file systemAnd in dmesg/syslog: $ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-6357 Severity: Moderate CVSS3 score: 5.8

Description: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-5928 Severity: Moderate CVSS3 score: 5.7

Description: Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
glibc > 0-0 (version in image is 2.38-150600.14.46.1).

CVE-2026-23359 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix stack-out-of-bounds write in devmapget_upper_ifindexes() iterates over all upper devices and writes theirindices into an array without checking bounds.Also the callers assume that the max number of upper devices isMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,but that assumption is not correct and the number of upper devices couldbe larger than MAX_NEST_DEV (e.g., many macvlans), causing astack-out-of-bounds write.Add a max parameter to get_upper_ifindexes() to avoid the issue.When there are too many upper devices, return -EOVERFLOW and abort theredirect.To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device withan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.Then send a packet to the device to trigger the XDP redirect path.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31675 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_netem: fix out-of-bounds access in packet corruptionIn netem_enqueue(), the packet corruption logic usesget_random_u32_below(skb_headlen(skb)) to select an index formodifying skb->data. When an AF_PACKET TX_RING sends fully non-linearpackets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.Passing 0 to get_random_u32_below() takes the variable-ceil slow pathwhich returns an unconstrained 32-bit random integer. Using thisunconstrained value as an offset into skb->data results in anout-of-bounds memory access.Fix this by verifying skb_headlen(skb) is non-zero before attemptingto corrupt the linear data area. Fully non-linear packets will silentlybypass the corruption logic.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31676 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: only handle RESPONSE during service challengeOnly process RESPONSE packets while the service connection is still inRXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock beforerunning response verification and security initialization, then use a localsecured flag to decide whether to queue the secured-connection work afterthe state transition. This keeps duplicate or late RESPONSE packets fromre-running the setup path and removes the unlocked post-transition statetest.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43333 Severity: Moderate CVSS3 score: 5.6

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: reject direct access to nullable PTR_TO_BUF pointerscheck_mem_access() matches PTR_TO_BUF via base_type() which stripsPTR_MAYBE_NULL, allowing direct dereference without a null check.Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.On stop callbacks these are NULL, causing a kernel NULL dereference.Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching theexisting PTR_TO_BTF_ID pattern.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2016-5410 Severity: Moderate CVSS3 score: 5.5

Description: firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
firewalld < 2.0.1-150600.3.5.1 (version in image is 1.3.4-150600.13.3.1).

CVE-2024-14027 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs/xattr: missing fdput() in fremovexattr error pathIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire afile reference but returns early without calling fdput() whenstrncpy_from_user() fails on the name argument. In multi-threaded processeswhere fdget() takes the slow path, this permanently leaks onefile reference per call, pinning the struct file and associated kernelobjects in memory. An unprivileged local user can exploit this to causekernel memory exhaustion. The issue was inadvertently fixed by commita71874379ec8 ("xattr: switch to CLASS(fd)").

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2024-53219 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:virtiofs: use pages instead of pointer for kernel direct IOWhen trying to insert a 10MB kernel module kept in a virtio-fs with cachedisabled, the following warning was reported: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ...... Modules linked in: CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:__alloc_pages+0x2bf/0x380 ...... Call Trace: ? __warn+0x8e/0x150 ? __alloc_pages+0x2bf/0x380 __kmalloc_large_node+0x86/0x160 __kmalloc+0x33c/0x480 virtio_fs_enqueue_req+0x240/0x6d0 virtio_fs_wake_pending_and_unlock+0x7f/0x190 queue_request_and_unlock+0x55/0x60 fuse_simple_request+0x152/0x2b0 fuse_direct_io+0x5d2/0x8c0 fuse_file_read_iter+0x121/0x160 __kernel_read+0x151/0x2d0 kernel_read+0x45/0x50 kernel_read_file+0x1a9/0x2a0 init_module_from_file+0x6a/0xe0 idempotent_init_module+0x175/0x230 __x64_sys_finit_module+0x5d/0xb0 x64_sys_call+0x1c3/0x9e0 do_syscall_64+0x3d/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ...... ---[ end trace 0000000000000000 ]---The warning is triggered as follows:1) syscall finit_module() handles the module insertion and it invokeskernel_read_file() to read the content of the module first.2) kernel_read_file() allocates a 10MB buffer by using vmalloc() andpasses it to kernel_read(). kernel_read() constructs a kvec iter byusing iov_iter_kvec() and passes it to fuse_file_read_iter().3) virtio-fs disables the cache, so fuse_file_read_iter() invokesfuse_direct_io(). As for now, the maximal read size for kvec iter isonly limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, sofuse_direct_io() doesn't split the 10MB buffer. It saves the address andthe size of the 10MB-sized buffer in out_args[0] of a fuse request andpasses the fuse request to virtio_fs_wake_pending_and_unlock().4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() toqueue the request. Because virtiofs need DMA-able address, sovirtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer forall fuse args, copies these args into the bounce buffer and passed thephysical address of the bounce buffer to virtiofsd. The total length ofthese fuse args for the passed fuse request is about 10MB, socopy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter andit triggers the warning in __alloc_pages(): if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) return NULL;5) virtio_fs_enqueue_req() will retry the memory allocation in akworker, but it won't help, because kmalloc() will always return NULLdue to the abnormal size and finit_module() will hang forever.A feasible solution is to limit the value of max_read for virtio-fs, sothe length passed to kmalloc() will be limited. However it will affectthe maximal read size for normal read. And for virtio-fs write initiatedfrom kernel, it has the similar problem but now there is no way to limitfc->max_write in kernel.So instead of limiting both the values of max_read and max_write inkernel, introducing use_pages_for_kvec_io in fuse_conn and setting it astrue in virtiofs. When use_pages_for_kvec_io is enabled, fuse will usepages instead of pointer to pass the KVEC_IO data.After switching to pages for KVEC_IO data, these pages will be used forDMA through virtio-fs. If these pages are backed by vmalloc(),{flush|invalidate}_kernel_vmap_range() are necessary to flush orinvalidate the cache before the DMA operation. So add two new fields infuse_args_pages to record the base address of vmalloc area and thecondition indicating whether invalidation is needed. Perform the flushin fuse_get_user_pages() for write operations and the invalidation infuse_release_user_pages() for read operations.It may seem necessary to introduce another fie---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2024-58241 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_core: Disable works on hci_unregister_devThis make use of disable_work_* on hci_unregister_dev since the hci_dev isabout to be freed new submissions are not disarable.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-21712 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetimeAfter commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into structmd_bitmap_stats"), following panic is reported:Oops: general protection fault, probably for non-canonical addressRIP: 0010:bitmap_get_stats+0x2b/0xa0Call Trace: md_seq_show+0x2d2/0x5b0 seq_read_iter+0x2b9/0x470 seq_read+0x12f/0x180 proc_reg_read+0x57/0xb0 vfs_read+0xf6/0x380 ksys_read+0x6c/0xf0 do_syscall_64+0x82/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7eRoot cause is that bitmap_get_stats() can be called at anytime if mddevis still there, even if bitmap is destroyed, or not fully initialized.Deferenceing bitmap in this case can crash the kernel. Meanwhile, theabove commit start to deferencing bitmap->storage, make the problemeasier to trigger.Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38036 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/xe/vf: Perform early GT MMIO initialization to read GMDIDVFs need to communicate with the GuC to obtain the GMDID valueand existing GuC functions used for that assume that the GT hasit's MMIO members already setup. However, due to recent refactoringthe gt->mmio is initialized later, and any attempt by the VF to usexe_mmio_read|write() from GuC functions will lead to NPD crash dueto unset MMIO register address:[] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode[] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507[] BUG: unable to handle page fault for address: 0000000000190240Since we are already tweaking the id and type of the primary GT tomimic it's a Media GT before initializing the GuC communication,we can also call xe_gt_mmio_init() to perform early setup of thegt->mmio which will make those GuC functions work again.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38509 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: reject VHT opmode for unsupported channel widthsVHT operating mode notifications are not defined for channel widthsbelow 20 MHz. In particular, 5 MHz and 10 MHz are not valid under theVHT specification and must be rejected.Without this check, malformed notifications using these widths mayreach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due toinvalid input. This issue was reported by syzbot.Reject these unsupported widths early in sta_link_apply_parameters()when opmode_notif is used. The accepted set includes 20, 40, 80, 160,and 80+80 MHz, which are valid for VHT. While 320 MHz is not definedfor VHT, it is allowed to avoid rejecting HE or EHT clients that maystill send a VHT opmode notification.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38675 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: state: initialize state_ptrs earlier in xfrm_state_findIn case of preemption, xfrm_state_look_at will find a differentpcpu_id and look up states for that other CPU. If we matched a statefor CPU2 in the state_cache while the lookup started on CPU1, we willjump to "found", but the "best" state that we got will be ignored andwe will enter the "acquire" block. This block uses state_ptrs, whichisn't initialized at this point.Let's initialize state_ptrs just after taking rcu_read_lock. This willalso prevent a possible misuse in the future, if someone adjusts thisfunction.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38688 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommufd: Prevent ALIGN() overflowWhen allocating IOVA the candidate range gets aligned to the targetalignment. If the range is close to ULONG_MAX then the ALIGN() canwrap resulting in a corrupted iova.Open code the ALIGN() using get_add_overflow() to prevent this.This simplifies the checks as we don't need to check for length earliereither.Consolidate the two copies of this code under a single helper.This bug would allow userspace to create a mapping that overlaps with someother mapping or a reserved range.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38717 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: kcm: Fix race condition in kcm_unattach()syzbot found a race condition when kcm_unattach(psock)and kcm_release(kcm) are executed at the same time.kcm_unattach() is missing a check of the flagkcm->tx_stopped before calling queue_work().If the kcm has a reserved psock, kcm_unattach() might get executedbetween cancel_work_sync() and unreserve_psock() in kcm_release(),requeuing kcm->tx_work right before kcm gets freed in kcm_done().Remove kcm->tx_stopped and replace it by the lesserror-prone disable_work_sync().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38723 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:LoongArch: BPF: Fix jump offset calculation in tailcallThe extra pass of bpf_int_jit_compile() skips JIT context initializationwhich essentially skips offset calculation leaving out_offset = -1, sothe jmp_offset in emit_bpf_tail_call is calculated by"#define jmp_offset (out_offset - (cur_offset))"is a negative number, which is wrong. The final generated assembly areas follow.54: bgeu $a2, $t1, -8 # 0x0000004c58: addi.d $a6, $s5, -15c: bltz $a6, -16 # 0x0000004c60: alsl.d $t2, $a2, $a1, 0x364: ld.d $t2, $t2, 26468: beq $t2, $zero, -28 # 0x0000004cBefore apply this patch, the follow test case will reveal soft lock issues.cd tools/testing/selftests/bpf/./test_progs --allow=tailcalls/tailcall_bpf2bpf_1dmesg:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-39687 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iio: light: as73211: Ensure buffer holes are zeroedGiven that the buffer is copied to a kfifo that ultimately user spacecan read, ensure we zero it.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-39775 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/mremap: fix WARN with uffd that has remap events disabledRegistering userfaultd on a VMA that spans at least one PMD and thenmremap()'ing that VMA can trigger a WARN when recovering from a failedpage table move due to a page table allocation error.The code ends up doing the right thing (recurse, avoiding moving actualpage tables), but triggering that WARN is unpleasant:WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852Modules linked in:CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852Code: ...RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0Call Trace: copy_vma_and_data+0x468/0x790 mm/mremap.c:1215 move_vma+0x548/0x1780 mm/mremap.c:1282 mremap_to+0x1b7/0x450 mm/mremap.c:1406 do_mremap+0xfad/0x1f80 mm/mremap.c:1921 __do_sys_mremap+0x119/0x170 mm/mremap.c:1977 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f00d0b8ebe9Code: ...RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005 The underlying issue is that we recurse during the original page tablemove, but not during the recovery move.Fix it by checking for both VMAs and performing the check before thepmd_none() sanity check.Add a new helper where we perform+document that check for the PMD and PUDlevel.Thanks to Harry for bisecting.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-39776 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/debug_vm_pgtable: clear page table entries at destroy_args()The mm/debug_vm_pagetable test allocates manually page table entries forthe tests it runs, using also its manually allocated mm_struct. That initself is ok, but when it exits, at destroy_args() it fails to clear thoseentries with the *_clear functions.The problem is that leaves stale entries. If another process allocates anmm_struct with a pgd at the same address, it may end up running into thestale entry. This is happening in practice on a debug kernel withCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extradebugging I added (it prints a warning trace if pgtables_bytes goesnegative, in addition to the warning at check_mm() function):[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000[ 2.539366] kmem_cache info[ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508[ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e(...)[ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0[ 2.552816] Modules linked in:[ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY[ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries[ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90[ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)[ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a[ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0[ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001[ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff[ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000[ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb[ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0[ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000[ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001[ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760[ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0[ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0[ 2.553199] Call Trace:[ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)[ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0[ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570[ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650[ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290[ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0[ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870[ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150[ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50[ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0[ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec(...)[ 2.558892] ---[ end trace 0000000000000000 ]---[ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1[ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144Here the modprobe process ended up with an allocated mm_struct from themm_struct slab that was used before by the debug_vm_pgtable test. That isnot a problem, since the mm_stru---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-39789 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: x86/aegis - Add missing error checksThe skcipher_walk functions can allocate memory and can fail, sochecking for errors is necessary.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40155 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: debugfs: Fix legacy mode page table dump logicIn legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTRmaybe uninitialized or zero in that case and may cause oops like: Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 RIP: 0010:pgtable_walk_level+0x98/0x150 RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206 RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d3f0010000 RBP: ffffc90000f27a00 R08: ffffc90000f27a98 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000000 R12: f00087d3f000f000 R13: 0000000000000000 R14: 0000000040000000 R15: ffffc90000f27a98 FS: 0000764566dcb740(0000) GS:ffff8881f812c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000764566d44000 CR3: 0000000109d81003 CR4: 0000000000772ef0 PKRU: 55555554 Call Trace: pgtable_walk_level+0x88/0x150 domain_translation_struct_show.isra.0+0x2d9/0x300 dev_domain_translation_struct_show+0x20/0x40 seq_read_iter+0x12d/0x490...Avoid walking the page table if TT is not 00b or 01b.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40192 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Revert "ipmi: fix msg stack when IPMI is disconnected"This reverts commit c608966f3f9c2dca596967501d00753282b395fc.This patch has a subtle bug that can cause the IPMI driver to go into aninfinite loop if the BMC misbehaves in a certain way. Apparentlycertain BMCs do misbehave this way because several reports have come inrecently about this.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40341 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:futex: Don't leak robust_list pointer on exec racesys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()to check if the calling task is allowed to access another task'srobust_list pointer. This check is racy against a concurrent exec() in thetarget process.During exec(), a task may transition from a non-privileged binary to aprivileged one (e.g., setuid binary) and its credentials/memory mappingsmay change. If get_robust_list() performs ptrace_may_access() beforethis transition, it may erroneously allow access to sensitive informationafter the target becomes privileged.A racy access allows an attacker to exploit a window during whichptrace_may_access() passes before a target process transitions to aprivileged state via exec().For example, consider a non-privileged task T that is about to execute asetuid-root binary. An attacker task A calls get_robust_list(T) while Tis still unprivileged. Since ptrace_may_access() checks permissionsbased on current credentials, it succeeds. However, if T begins execimmediately afterwards, it becomes privileged and may change its memorymappings. Because get_robust_list() proceeds to access T->robust_listwithout synchronizing with exec() it may read user-space pointers from anow-privileged process.This violates the intended post-exec access restrictions and couldexpose sensitive memory addresses or be used as a primitive in a largerexploit chain. Consequently, the race can lead to unauthorizeddisclosure of information across privilege boundaries and poses apotential security risk.Take a read lock on signal->exec_update_lock prior to invokingptrace_may_access() and accessing the robust_list/compat_robust_list.This ensures that the target task's exec state remains stable during thecheck, allowing for consistent and synchronized validation ofcredentials.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-54409 Severity: Moderate CVSS3 score: 5.5

Description: AIDE is an advanced intrusion detection environment. From versions 0.13 to 0.19.1, there is a null pointer dereference vulnerability in AIDE. An attacker can crash the program during report printing or database listing after setting extended file attributes with an empty attribute value or with a key containing a comma. A local user might exploit this to cause a local denial of service. This issue has been patched in version 0.19.2. A workaround involves removing xattrs group from rules matching files on affected file systems.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
aide > 0-0 (version in image is 0.16-24.1).

CVE-2025-54505 Severity: Moderate CVSS3 score: 5.5

Description: A transient execution vulnerability within AMD CPUs may allow a local user-privileged attacker to leak data via the floating point divisor unit, potentially resulting in loss of confidentiality.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68173 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ftrace: Fix softlockup in ftrace_module_enableA soft lockup was observed when loading amdgpu module.If a module has a lot of tracable functions, multiple callsto kallsyms_lookup can spend too much time in RCU criticalsection and with disabled preemption, causing kernel panic.This is the same issue that was fixed incommit d0b24b4e91fc ("ftrace: Prevent RCU stall on PREEMPT_VOLUNTARYkernels") and commit 42ea22e754ba ("ftrace: Add cond_resched() toftrace_graph_set_hash()").Fix it the same way by adding cond_resched() in ftrace_module_enable.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68175 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: nxp: imx8-isi: Fix streaming cleanup on releaseThe current implementation unconditionally callsmxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This canlead to situations where any release call (like from a simple"v4l2-ctl -l") may release a currently streaming queue when called onsuch a device.This is reproducible on an i.MX8MP board by streaming from an ISIcapture device using gstreamer: gst-launch-1.0 -v v4l2src device=/dev/videoX ! \ video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \ fakesinkWhile this stream is running, querying the caps of the same deviceprovokes the error state: v4l2-ctl -l -d /dev/videoXThis results in the following trace:[ 155.452152] ------------[ cut here ]------------[ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi][ 157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6[ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT[ 157.064369] Hardware name: imx8mp_board_01 (DT)[ 157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi][ 157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi][ 157.087126] sp : ffff800080003ee0[ 157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000[ 157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50[ 157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000[ 157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000[ 157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000[ 157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000[ 157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38[ 157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000[ 157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000[ 157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200[ 157.161850] Call trace:[ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P)[ 157.170319] __handle_irq_event_percpu+0x58/0x218[ 157.175029] handle_irq_event+0x54/0xb8[ 157.178867] handle_fasteoi_irq+0xac/0x248[ 157.182968] handle_irq_desc+0x48/0x68[ 157.186723] generic_handle_domain_irq+0x24/0x38[ 157.191346] gic_handle_irq+0x54/0x120[ 157.195098] call_on_irq_stack+0x24/0x30[ 157.199027] do_interrupt_handler+0x88/0x98[ 157.203212] el0_interrupt+0x44/0xc0[ 157.206792] __el0_irq_handler_common+0x18/0x28[ 157.211328] el0t_64_irq_handler+0x10/0x20[ 157.215429] el0t_64_irq+0x198/0x1a0[ 157.219009] ---[ end trace 0000000000000000 ]---Address this issue by moving the streaming preparation and cleanup tothe vb2 .prepare_streaming() and .unprepare_streaming() operations. Thisalso simplifies the driver by allowing direct usage of thevb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal ofthe manual cleanup from mxc_isi_video_release().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68179 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAPAs reported by Luiz Capitulino enabling HVO on s390 leads to reproduciblecrashes. The problem is that kernel page tables are modified withoutflushing corresponding TLB entries.Even if it looks like the empty flush_tlb_all() implementation on s390 isthe problem, it is actually a different problem: on s390 it is not allowedto replace an active/valid page table entry with another valid page tableentry without the detour over an invalid entry. A direct replacement maylead to random crashes and/or data corruption.In order to invalidate an entry special instructions have to be used(e.g. ipte or idte). Alternatively there are also special instructionsavailable which allow to replace a valid entry with a different validentry (e.g. crdte or cspg).Given that the HVO code currently does not provide the hooks to allow foran implementation which is compliant with the s390 architecturerequirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which isbasically a revert of the original patch which enabled it.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68193 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/xe/guc: Add devm release action to safely tear down CTWhen a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATEflag, the driver initiates TLB invalidation requests via the CTB mechanismwhile releasing the BO. However a premature release of the CTB BO can leadto system crashes, as observed in:Oops: Oops: 0000 [#1] SMP NOPTIRIP: 0010:h2g_write+0x2f3/0x7c0 [xe]Call Trace: guc_ct_send_locked+0x8b/0x670 [xe] xe_guc_ct_send_locked+0x19/0x60 [xe] send_tlb_invalidation+0xb4/0x460 [xe] xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe] ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe] ggtt_node_remove+0x110/0x140 [xe] xe_ggtt_node_remove+0x40/0xa0 [xe] xe_ggtt_remove_bo+0x87/0x250 [xe]Introduce a devm-managed release action during xe_guc_ct_init() andxe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement beforeresource deallocation, preventing the use-after-free scenario.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68211 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksm: use range-walk function to jump over holes in scan_get_next_rmap_itemCurrently, scan_get_next_rmap_item() walks every page address in a VMA tolocate mergeable pages. This becomes highly inefficient when scanninglarge virtual memory areas that contain mostly unmapped regions, causingksmd to use large amount of cpu without deduplicating much pages.This patch replaces the per-address lookup with a range walk usingwalk_page_range(). The range walker allows KSM to skip over entireunmapped holes in a VMA, avoiding unnecessary lookups. This problem waspreviously discussed in [1].Consider the following test program which creates a 32 TiB mapping in thevirtual address space but only populates a single page:#include #include #include /* 32 TiB */const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;int main() { char *area = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0); if (area == MAP_FAILED) { perror("mmap() failed\n"); return -1; } /* Populate a single page such that we get an anon_vma. */ *area = 0; /* Enable KSM. */ madvise(area, size, MADV_MERGEABLE); pause(); return 0;}$ ./ksm-sparse &$ echo 1 > /sys/kernel/mm/ksm/run Without this patch ksmd uses 100% of the cpu for a long time (more then 1hour in my test machine) scanning all the 32 TiB virtual address spacethat contain only one mapped page. This makes ksmd essentially deadlockednot able to deduplicate anything of value. With this patch ksmd walksonly the one mapped page and skips the rest of the 32 TiB virtual addressspace, making the scan fast using little cpu.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68214 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:timers: Fix NULL function pointer race in timer_shutdown_sync()There is a race condition between timer_shutdown_sync() and timerexpiration that can lead to hitting a WARN_ON in expire_timers().The issue occurs when timer_shutdown_sync() clears the timer functionto NULL while the timer is still running on another CPU. The racescenario looks like this:CPU0 CPU1 lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ...timer_shutdown_sync()lock_timer_base()// For now, will not detach the timer but only clear its function to NULLif (base->running_timer != timer) ret = detach_if_pending(timer, base, true);if (shutdown) timer->function = NULL;unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger expire_timers() WARN_ON_ONCE(!fn) // hit ...lock_timer_base()// Now timer will detachif (base->running_timer != timer) ret = detach_if_pending(timer, base, true);if (shutdown) timer->function = NULL;unlock_timer_base()The problem is that timer_shutdown_sync() clears the timer functionregardless of whether the timer is currently running. This can leave apending timer with a NULL function pointer, which triggers theWARN_ON_ONCE(!fn) check in expire_timers().Fix this by only clearing the timer function when actually detaching thetimer. If the timer is running, leave the function pointer intact, which issafe because the timer will be properly detached when it finishes running.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68219 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: fix memory leak in smb3_fs_context_parse_param error pathAdd proper cleanup of ctx->source and fc->source to thecifs_parse_mount_err error handler. This ensures that memory allocatedfor the source strings is correctly freed on all error paths, matchingthe cleanup already performed in the success path bysmb3_cleanup_fs_context_contents().Pointers are also set to NULL after freeing to prevent potentialdouble-free issues.This change fixes a memory leak originally detected by syzbot. Theleak occurred when processing Opt_source mount options if an errorhappened after ctx->source and fc->source were successfullyallocated but before the function completed.The specific leak sequence was:1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory3. A subsequent error jumps to cifs_parse_mount_err4. The old error handler freed passwords but not the source strings,causing the memory to leak.This issue was not addressed by commit e8c73eb7db0a ("cifs: client:fix memory leak in smb3_fs_context_parse_param"), which only fixedleaks from repeated fsconfig() calls but not this error path.Patch updated with minor change suggested by kernel test robot

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68229 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and weattempt to dereference it in tcm_loop_tpg_address_show() we will get asegfault, see below for an example. So, check tl_hba->sh beforedereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]... Call Trace: configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0...

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68251 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:erofs: avoid infinite loops due to corrupted subpage compact indexesRobert reported an infinite loop observed by two crafted images.The root cause is that `clusterofs` can be larger than `lclustersize`for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515Move the corresponding check for full compress indexes to`z_erofs_load_lcluster_from_disk()` to also cover subpage compactcompress indexes.It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX`check, since it should be placed right after`z_erofs_load_{compact,full}_lcluster()`.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68282 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: udc: fix use-after-free in usb_gadget_state_workA race condition during gadget teardown can lead to a use-after-freein usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_workThe fundamental race occurs because a concurrent event (e.g., aninterrupt) can call usb_gadget_set_state() and schedule gadget->workat any time during the cleanup process in usb_del_gadget().Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue afterdevice removal") attempted to fix this by moving flush_work() to afterdevice_del(). However, this does not fully solve the race, as a newwork item can still be scheduled *after* flush_work() completes butbefore the gadget's memory is freed, leading to the same use-after-free.This patch fixes the race condition robustly by introducing a 'teardown'flag and a 'state_lock' spinlock to the usb_gadget struct. The flag isset during cleanup in usb_del_gadget() *before* calling flush_work() toprevent any new work from being scheduled once cleanup has commenced.The scheduling site, usb_gadget_set_state(), now checks this flag underthe lock before queueing the work, thus safely closing the race window.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68304 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_core: lookup hci_conn on RX path on protocol sideThe hdev lock/lookup/unlock/use pattern in the packet RX path doesn'tensure hci_conn* is not concurrently modified/deleted. This lockingappears to be leftover from before conn_hash started using RCUcommit bf4c63252490b ("Bluetooth: convert conn hash to RCU")and not clear if it had purpose since then.Currently, there are code paths that delete hci_conn* from elsewherethan the ordered hdev->workqueue where the RX work runs in. E.g.commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")introduced some of these, and there probably were a few others beforeit. It's better to do the locking so that even if these runconcurrently no UAF is possible.Move the lookup of hci_conn and associated socket-specific conn toprotocol recv handlers, and do them within a single critical sectionto cover hci_conn* usage and lookup.syzkaller has reported a crash that appears to be this issue: [Task hdev->workqueue] [Task 2] hci_disconnect_all_sync l2cap_recv_acldata(hcon) hci_conn_get(hcon) hci_abort_conn_sync(hcon) hci_dev_lock hci_dev_lock hci_conn_del(hcon) v-------------------------------- hci_dev_unlock hci_conn_put(hcon) conn = hcon->l2cap_data (UAF)

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68336 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:locking/spinlock/debug: Fix data-race in do_raw_write_lockKCSAN reports:BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lockwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_forkread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_forkvalue changed: 0xffffffff -> 0x00000001Reported by Kernel Concurrency Sanitizer on:CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") hasadressed most of these races, but seems to be not consistent/not complete.>From do_raw_write_lock() only debug_write_lock_after() part has beenconverted to WRITE_ONCE(), but not debug_write_lock_before() part.Do it now.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68358 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix racy bitfield write in btrfs_clear_space_info_full()From the memory-barriers.txt document regarding memory barrier orderingguarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field.btrfs_space_info has a bitfield sharing an underlying word consisting ofthe fields full, chunk_alloc, and flush:struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ ...Therefore, to be safe from parallel read-modify-writes losing a write toone of the bitfield members protected by a lock, all writes to all thebitfields must use the lock. They almost universally do, except forbtrfs_clear_space_info_full() which iterates over the space_infos andwrites out found->full = 0 without a lock.Imagine that we have one thread completing a transaction in which wefinished deleting a block_group and are thus callingbtrfs_clear_space_info_full() while simultaneously the data reclaimticket infrastructure is running do_async_reclaim_data_space(): T1 T2btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1and now data_sinfo->flush is 1 but the reclaim worker has exited. Thisbreaks the invariant that flush is 0 iff there is no work queued orrunning. Once this invariant is violated, future allocations that gointo __reserve_bytes() will add tickets to space_info->tickets but willsee space_info->flush is set to 1 and not queue the work. After this,they will block forever on the resulting ticket, as it is now impossibleto kick the worker again.I also confirmed by looking at the assembly of the affected kernel thatit is doing RMW operations. For example, to set the flush (3rd) bit to 0,the assembly is: andb $0xfb,0x60(%rbx)and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax)So I think this is really a bug on practical systems. I have observeda number of systems in this exact state, but am currently unable toreproduce it.Rather than leaving this footgun lying around for the future, takeadvantage of the fact that there is room in the struct anyway, and thatit is already quite large and simply change the three bitfield members tobools. This avoids writes to space_info->full having any effect on---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68364 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' justto avoid crashing the whole kernel due to a filesystem corruption.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68371 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: smartpqi: Fix device resources accessed after device removalCorrect possible race conditions during device removal.Previously, a scheduled work item to reset a LUN could still executeafter the device was removed, leading to use-after-free and otherresource access issues.This race condition occurs because the abort handler may schedule a LUNreset concurrently with device removal via sdev_destroy(), leading touse-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68730 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()Don't add BO to the vdev->bo_list in ivpu_gem_create_object().When failure happens inside drm_gem_shmem_create(), the BO is notfully created and ivpu_gem_bo_free() callback will not be calledcausing a deleted BO to be left on the list.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68780 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sched/deadline: only set free_cpus for online runqueuesCommit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpusto reflect rd->online") introduced the cpudl_set/clear_freecpufunctions to allow the cpu_dl::free_cpus mask to be manipulatedby the deadline scheduler class rq_on/offline callbacks so themask would also reflect this state.Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_maskfrom cpudl_find()") removed the check of the cpu_active_mask tosave some processing on the premise that the cpudl::free_cpusmask already reflected the runqueue online state.Unfortunately, there are cases where it is possible for thecpudl_clear function to set the free_cpus bit for a CPU when thedeadline runqueue is offline. When this occurs while a CPU isconnected to the default root domain the flag may retain the badstate after the CPU has been unplugged. Later, a different CPUthat is transitioning through the default root domain may push adeadline task to the powered down CPU when cpudl_find sees itsfree_cpus bit is set. If this happens the task will not have theopportunity to run.One example is outlined here:https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.comAnother occurs when the last deadline task is migrated from aCPU that has an offlined runqueue. The dequeue_task member ofthe deadline scheduler class will eventually call cpudl_clearand set the free_cpus bit for the CPU.This commit modifies the cpudl_clear function to be aware of theonline state of the deadline runqueue so that the free_cpus maskcan be updated appropriately.It is no longer necessary to manage the mask outside of thecpudl_set/clear functions so the cpudl_set/clear_freecpufunctions are removed. In addition, since the free_cpus mask isnow only updated under the cpudl lock the code was changed touse the non-atomic __cpumask functions.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68782 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: Reset t_task_cdb pointer in error caseIf allocation of cmd->t_task_cdb fails, it remains NULL but is laterdereferenced in the 'err' path.In case of error, reset NULL t_task_cdb value to point at the defaultfixed-size buffer.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68818 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.The commit being reverted added code to __qla2x00_abort_all_cmds() tocall sp->done() without holding a spinlock. But unlike the older codebelow it, this new code failed to check sp->cmd_type and just assumedTYPE_SRB, which results in a jump to an invalid pointer in target-modewith TYPE_TGT_CMD:qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79bqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no bufferqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurredqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda.BUG: kernel NULL pointer dereference, address: 0000000000000000PF: supervisor instruction fetch in kernel modePF: error_code(0x0010) - not-present pagePGD 0 P4D 0Oops: 0010 [#1] SMPCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023RIP: 0010:0x0Code: Unable to access opcode bytes at 0xffffffffffffffd6.RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early withinlock") added the spinlock back, because not having the lock caused arace and a crash. But qla2x00_abort_srb() in the switch below alreadychecks for qla2x00_chip_is_down() and handles it the same way, so thecode above the switch is now redundant and still buggy in target-mode.Remove it.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68822 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Input: alps - fix use-after-free bugs caused by dev3_register_workThe dev3_register_work delayed work item is initialized withinalps_reconnect() and scheduled upon receipt of the first barePS/2 packet from an external PS/2 device connected to the ALPStouchpad. During device detachment, the original implementationcalls flush_workqueue() in psmouse_disconnect() to ensurecompletion of dev3_register_work. However, the flush_workqueue()in psmouse_disconnect() only blocks and waits for work items thatwere already queued to the workqueue prior to its invocation. Anywork items submitted after flush_workqueue() is called are notincluded in the set of tasks that the flush operation awaits.This means that after flush_workqueue() has finished executing,the dev3_register_work could still be scheduled. Although thepsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),the scheduling of dev3_register_work remains unaffected.The race condition can occur as follows:CPU 0 (cleanup path) | CPU 1 (delayed work)psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USEAdd disable_delayed_work_sync() in alps_disconnect() to ensurethat dev3_register_work is properly canceled and prevented fromexecuting after the alps_data structure has been deallocated.This bug is identified by static analysis.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-69644 Severity: Moderate CVSS3 score: 5.5

Description: An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69646 Severity: Moderate CVSS3 score: 5.5

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69647 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69648 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-71068 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:svcrdma: bound check rq_pages index in inline pathsvc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] withoutverifying rc_curpage stays within the allocated page array. Add guardsbefore the first use and after advancing to a new page.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71074 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:functionfs: fix the open/removal racesffs_epfile_open() can race with removal, ending up with file->private_datapointing to freed object.There is a total count of opened files on functionfs (both ep0 anddynamic ones) and when it hits zero, dynamic files get removed.Unfortunately, that removal can happen while another thread isin ffs_epfile_open(), but has not incremented the count yet.In that case open will succeed, leaving us with UAF on any subsequentread() or write().The root cause is that ffs->opened is misused; atomic_dec_and_test() vs.atomic_add_return() is not a good idea, when object remains visible allalong.To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we hadzero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from thecallback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed,along with checking that state is FFS_ACTIVE.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71075 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: aic94xx: fix use-after-free in device removal pathThe asd_pci_remove() function fails to synchronize with pending taskletsbefore freeing the asd_ha structure, leading to a potentialuse-after-free vulnerability.When a device removal is triggered (via hot-unplug or module unload),race condition can occur.The fix adds tasklet_kill() before freeing the asd_ha structure,ensuring all scheduled tasklets complete before cleanup proceeds.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71127 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: Discard Beacon frames to non-broadcast addressBeacon frames are required to be sent to the broadcast address, see IEEEStd 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frameshall be set to the broadcast address"). A unicast Beacon frame might beused as a targeted attack to get one of the associated STAs to dosomething (e.g., using CSA to move it to another channel). As such, itis better have strict filtering for this on the received side anddiscard all Beacon frames that are sent to an unexpected address.This is even more important for cases where beacon protection is used.The current implementation in mac80211 is correctly discarding unicastBeacon frames if the Protected Frame bit in the Frame Control field isset to 0. However, if that bit is set to 1, the logic used for checkingfor configured BIGTK(s) does not actually work. If the driver does nothave logic for dropping unicast Beacon frames with Protected Frame bit1, these frames would be accepted in mac80211 processing as valid Beaconframes even though they are not protected. This would allow beaconprotection to be bypassed. While the logic for checking beaconprotection could be extended to cover this corner case, a more genericcheck for discard all Beacon frames based on A1=unicast address coversthis without needing additional changes.Address all these issues by dropping received Beacon frames if they aresent to a non-broadcast address.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71180 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:counter: interrupt-cnt: Drop IRQF_NO_THREAD flagAn IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, asCONFIG_PROVE_RAW_LOCK_NESTING warns:=============================[ BUG: Invalid wait context ]6.18.0-rc1+git... #1-----------------------------some-user-space-process/1251 is trying to lock:(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]other info that might help us debug this:context-{2:2}no locks held by some-user-space-process/....stack backtrace:CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPTCall trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq... and Sebastian correctly points out. Remove IRQF_NO_THREAD as analternative to switching to raw_spinlock_t, because the latter would limitall potential nested locks to raw_spinlock_t only.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71183 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: always detect conflicting inodes when logging inode refsAfter rename exchanging (either with the rename exchange operation orregular renames in multiple non-atomic steps) two inodes and at leastone of them is a directory, we can end up with a log tree that containsonly of the inodes and after a power failure that can result in an attemptto delete the other inode when it should not because it was not deletedbefore the power failure. In some case that delete attempt fails whenthe target inode is a directory that contains a subvolume inside it, sincethe log replay code is not prepared to deal with directory entries thatpoint to root items (only inode items).1) We have directories "dir1" (inode A) and "dir2" (inode B) under the same parent directory;2) We have a file (inode C) under directory "dir1" (inode A);3) We have a subvolume inside directory "dir2" (inode B);4) All these inodes were persisted in a past transaction and we are currently at transaction N;5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C's last_unlink_trans to N;6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), so after the exchange "dir1" is inode B and "dir2" is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don't update their last_unlink_trans to N;7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()).8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction);9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B... this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (...) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87.---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71273 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()Simplify the code by using device managed memory allocations.This also fixes a memory leak in rtw_register_hw(). The supported bandswere not freed in the error path.Copied from commit 145df52a8671 ("wifi: rtw89: Convertrtw89_core_set_supported_band to use devm_*").

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71285 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: qrtr: Drop the MHI auto_queue feature for IPCR DL channelsMHI stack offers the 'auto_queue' feature, which allows the MHI stack toauto queue the buffers for the RX path (DL channel). Though this featuresimplifies the client driver design, it introduces race between the clientdrivers and the MHI stack. For instance, with auto_queue, the 'dl_callback'for the DL channel may get called before the client driver is fully probed.This means, by the time the dl_callback gets called, the client driver'sstructures might not be initialized, leading to NULL ptr dereference.Currently, the drivers have to workaround this issue by initializing theinternal structures before calling mhi_prepare_for_transfer_autoqueue().But even so, there is a chance that the client driver's internal code pathmay call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() iscalled, leading to similar NULL ptr dereference. This issue has beenreported on the Qcom X1E80100 CRD machines affecting boot.So to properly fix all these races, drop the MHI 'auto_queue' featurealtogether and let the client driver (QRTR) manage the RX buffers manually.In the QRTR driver, queue the RX buffers based on the ring length duringprobe and recycle the buffers in 'dl_callback' once they are consumed. Thisalso warrants removing the setting of 'auto_queue' flag from controllerdrivers.Currently, this 'auto_queue' feature is only enabled for IPCR DL channel.So only the QRTR client driver requires the modification.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71287 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:memory: mtk-smi: fix device leak on larb probeMake sure to drop the reference taken when looking up the SMI deviceduring larb probe on late probe failure (e.g. probe deferral) and ondriver unbind.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71288 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:memory: mtk-smi: fix device leaks on common probeMake sure to drop the reference taken when looking up the SMI deviceduring common probe on late probe failure (e.g. probe deferral) and ondriver unbind.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23075 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leakFix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:gs_usb_receive_bulk_callback(): fix URB memory leak").In esd_usb_open(), the URBs for USB-in transfers are allocated, added tothe dev->rx_submitted anchor and submitted. In the complete callbackesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. Inesd_usb_close() the URBs are freed by callingusb_kill_anchored_urbs(&dev->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in esd_usb_close().Fix the memory leak by anchoring the URB in theesd_usb_read_bulk_callback() to the dev->rx_submitted anchor.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23087 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()Memory allocated for struct vscsiblk_info in scsiback_probe() is notfreed in scsiback_remove() leading to potential memory leaks on remove,as well as in the scsiback_probe() error paths. Fix that by freeing itin scsiback_remove().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23097 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:migrate: correct lock ordering for hugetlb file foliosSyzbot has found a deadlock (analyzed by Lance Yang):1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquirefolio_lock.migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock!The migration path is the one taking locks in the wrong order according tothe documentation at the top of mm/rmap.c. So expand the scope of theexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.This is (mostly) how it used to be after commit c0d0381ade79. That wasremoved by 336bf30eb765 for both file & anon hugetlb pages when it shouldonly have been removed for anon hugetlb pages.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23118 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix data-race warning and potential load/store tearingFix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packetwhich is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds();and: keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;The lockless accesses to these to values aren't actually a problem as theread only needs an approximate time of last transmission for the purposesof deciding whether or not the transmission of a keepalive packet iswarranted yet.Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bitarch.Fix both of these by switching to an unsigned int for ->last_tx_at and onlystoring the LSW of the time64_t. It can then be reconstructed at needprovided no more than 68 years has elapsed since the last transmission.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23124 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: annotate data-race in ndisc_router_discovery()syzbot found that ndisc_router_discovery() could read and writein6_dev->ra_mtu without holding a lock [1]This looks fine, IFLA_INET6_RA_MTU is best effort.Add READ_ONCE()/WRITE_ONCE() to document the race.Note that we might also reject illegal MTU values(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.[1]BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discoveryread to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79...write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79...value changed: 0x00000000 -> 0xe5400659

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23126 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netdevsim: fix a race issue related to the operation on bpf_bound_progs listThe netdevsim driver lacks a protection mechanism for operations on thebpf_bound_progs list. When the nsim_bpf_create_prog() performslist_add_tail, it is possible that nsim_bpf_destroy_prog() issimultaneously performs list_del. Concurrent operations on the list maylead to list corruption and trigger a kernel crash as follows:[ 417.290971] kernel BUG at lib/list_debug.c:62![ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 417.291007] Workqueue: events bpf_prog_free_deferred[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0[ 417.291088] PKRU: 55555554[ 417.291091] Call Trace:[ 417.291096] [ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim][ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0[ 417.291178] process_one_work+0x18a/0x3a0[ 417.291188] worker_thread+0x27b/0x3a0[ 417.291197] ? __pfx_worker_thread+0x10/0x10[ 417.291207] kthread+0xe5/0x120[ 417.291214] ? __pfx_kthread+0x10/0x10[ 417.291221] ret_from_fork+0x31/0x50[ 417.291230] ? __pfx_kthread+0x10/0x10[ 417.291236] ret_from_fork_asm+0x1a/0x30[ 417.291246] Add a mutex lock, to prevent simultaneous addition and deletion operationson the list.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23138 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Add recursion protection in kernel stack trace recordingA bug was reported about an infinite recursion caused by tracing the rcuevents with the kernel stack trace trigger enabled. The stack trace codecalled back into RCU which then called the stack trace again.Expand the ftrace recursion protection to add a set of bits to protectevents from recursion. Each bit represents the context that the event isin (normal, softirq, interrupt and NMI).Have the stack trace code use the interrupt context to protect againstrecursion.Note, the bug showed an issue in both the RCU code as well as the tracingstacktrace code. This only handles the tracing stack trace side of thebug. The RCU fix will be handled separately.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23160 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeon_ep: Fix memory leak in octep_device_setup()In octep_device_setup(), if octep_ctrl_net_init() fails, the functionreturns directly without unmapping the mapped resources and freeing theallocated configuration memory.Fix this by jumping to the unsupported_dev label, which performs thenecessary cleanup. This aligns with the error handling logic of otherpaths in this function.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23164 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rocker: fix memory leak in rocker_world_port_post_fini()In rocker_world_port_pre_init(), rocker_port->wpriv is allocated withkzalloc(wops->port_priv_size, GFP_KERNEL). However, inrocker_world_port_post_fini(), the memory is only freed whenwops->port_post_fini callback is set: if (!wops->port_post_fini) return; wops->port_post_fini(rocker_port); kfree(rocker_port->wpriv);Since rocker_ofdpa_ops does not implement port_post_fini callback(it is NULL), the wpriv memory allocated for each port is never freedwhen ports are removed. This leads to a memory leak ofsizeof(struct ofdpa_port) bytes per port on every device removal.Fix this by always calling kfree(rocker_port->wpriv) regardless ofwhether the port_post_fini callback exists.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23168 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:flex_proportions: make fprop_new_period() hardirq safeBernd has reported a lockdep splat from flexible proportions code that isessentially complaining about the following race:run_timer_softirq - we are in softirq context call_timer_fn writeout_period fprop_new_period write_seqcount_begin(&p->sequence); ... blk_mq_end_request() blk_update_request() ext4_end_bio() folio_end_writeback() __wb_writeout_add() __fprop_add_percpu_max() if (unlikely(max_frac < FPROP_FRAC_BASE)) { fprop_fraction_percpu() seq = read_seqcount_begin(&p->sequence); - sees odd sequence so loops indefinitelyNote that a deadlock like this is only possible if the bdi has configuredmaximum fraction of writeout throughput which is very rare in general butfrequent for example for FUSE bdis. To fix this problem we have to makesure write section of the sequence counter is irqsafe.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23212 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: annotate data-races around slave->last_rxslave->last_rx and slave->target_last_arp_rx[...] can be read and writtenlocklessly. Add READ_ONCE() and WRITE_ONCE() annotations.syzbot reported:BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validatewrite to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 __netif_receive_skb_one_core net/core/dev.c:6150 [inline] __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 netif_receive_skb_internal net/core/dev.c:6351 [inline] netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410...write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533 __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039 __netif_receive_skb_one_core net/core/dev.c:6150 [inline] __netif_receive_skb+0x59/0x270 net/core/dev.c:6265 netif_receive_skb_internal net/core/dev.c:6351 [inline] netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410 br_netif_receive_skb net/bridge/br_input.c:30 [inline] NF_HOOK include/linux/netfilter.h:318 [inline]...value changed: 0x0000000100005365 -> 0x0000000100005366

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23244 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme: fix memory allocation in nvme_pr_read_keys()nvme_pr_read_keys() takes num_keys from userspace and uses it tocalculate the allocation size for rse via struct_size(). The upperlimit is PR_KEYS_MAX (64K).A malicious or buggy userspace can pass a large num_keys value thatresults in a 4MB allocation attempt at most, causing a warning inthe page allocator when the order exceeds MAX_PAGE_ORDER.To fix this, use kvzalloc() instead of kzalloc().This bug has the same reasoning and fix with the patch below:https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/Warning log:WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272Modules linked in:CPU: 1 UID: 0 PID: 272 Comm: syz-executor117 Not tainted 6.19.0 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014RIP: 0010:__alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216Code: ff 83 bd a8 fe ff ff 0a 0f 86 69 fb ff ff 0f b6 1d f9 f9 c4 04 80 fb 01 0f 87 3b 76 30 ff 83 e3 01 75 09 c6 05 e4 f9 c4 04 01 <0f> 0b 48 c7 85 70 fe ff ff 00 00 00 00 e9 8f fd ff ff 31 c0 e9 0dRSP: 0018:ffffc90000fcf450 EFLAGS: 00010246RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff920001f9ea0RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000040dc0RBP: ffffc90000fcf648 R08: ffff88800b6c3380 R09: 0000000000000001R10: ffffc90000fcf840 R11: ffff88807ffad280 R12: 0000000000000000R13: 0000000000040dc0 R14: 0000000000000001 R15: ffffc90000fcf620FS: 0000555565db33c0(0000) GS:ffff8880be26c000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000000002000000c CR3: 0000000003b72000 CR4: 00000000000006f0Call Trace: alloc_pages_mpol+0x236/0x4d0 mm/mempolicy.c:2486 alloc_frozen_pages_noprof+0x149/0x180 mm/mempolicy.c:2557 ___kmalloc_large_node+0x10c/0x140 mm/slub.c:5598 __kmalloc_large_node_noprof+0x25/0xc0 mm/slub.c:5629 __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x483/0x6f0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] nvme_pr_read_keys+0x8f/0x4c0 drivers/nvme/host/pr.c:245 blkdev_pr_read_keys block/ioctl.c:456 [inline] blkdev_common_ioctl+0x1b71/0x29b0 block/ioctl.c:730 blkdev_ioctl+0x299/0x700 block/ioctl.c:786 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x1bf/0x220 fs/ioctl.c:583 x64_sys_call+0x1280/0x21b0 mnt/fuzznvme_1/fuzznvme/linux-build/v6.19/./arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x71/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7eRIP: 0033:0x7fb893d3108dCode: 28 c3 e8 46 1e 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007ffff61f2f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010RAX: ffffffffffffffda RBX: 00007ffff61f3138 RCX: 00007fb893d3108dRDX: 0000000020000040 RSI: 00000000c01070ce RDI: 0000000000000003RBP: 0000000000000001 R08: 0000000000000000 R09: 00007ffff61f3138R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001R13: 00007ffff61f3128 R14: 00007fb893dae530 R15: 0000000000000001

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23256 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanupIn setup_nic_devices(), the initialization loop jumps to the labelsetup_nic_dev_free on failure. The current cleanup loop while(i--)skip the failing index i, causing a memory leak.Fix this by changing the loop to iterate from the current index idown to 0.Compile tested only. Issue found using code review.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23257 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanupIn setup_nic_devices(), the initialization loop jumps to the labelsetup_nic_dev_free on failure. The current cleanup loop while(i--)skip the failing index i, causing a memory leak.Fix this by changing the loop to iterate from the current index idown to 0.Also, decrement i in the devlink_alloc failure path to point to thelast successfully allocated index.Compile tested only. Issue found using code review.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23289 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()Fix a user triggerable leak on the system call failure path.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23302 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: annotate data-races around sk->sk_{data_ready,write_space}skmsg (and probably other layers) are changing these pointerswhile other cpus might read them concurrently.Add corresponding READ_ONCE()/WRITE_ONCE() annotationsfor UDP, TCP and AF_UNIX.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23303 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: Don't log plaintext credentials in cifs_set_cifscredsWhen debug logging is enabled, cifs_set_cifscreds() logs the keypayload and exposes the plaintext username and password. Remove thedebug log to avoid exposing credentials.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23313 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: Fix preempt count leak in napi poll tracepointUsing get_cpu() in the tracepoint assignment causes an obvious preemptcount leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101?This clearly has seen a lot of testing in the last 3+ years...Use smp_processor_id() instead.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23327 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()cxl_payload_from_user_allowed() casts and dereferences the inputpayload without first verifying its size. When a raw mailbox commandis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,triggering a KASAN splat:BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x650 mm/kasan/report.c:482 kasan_report+0xce/0x100 mm/kasan/report.c:595 memcmp+0x176/0x1d0 lib/string.c:683 uuid_equal include/linux/uuid.h:73 [inline] cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline] cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline] cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline] cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643 __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline] cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fdaf331ba79Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768 Add 'in_size' parameter to cxl_payload_from_user_allowed() and validatethe payload is large enough.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23343 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xdp: produce a warning when calculated tailroom is negativeMany ethernet drivers report xdp Rx queue frag size as being the same asDMA write size. However, the only user of this field, namelybpf_xdp_frags_increase_tail(), clearly expects a truesize.Such difference leads to unspecific memory corruption issues under certaincircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so whenrunning xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully usesall DMA-writable space in 2 buffers. This would be fine, if onlyrxq->frag_size was properly set to 4K, but value of 3K results in anegative tailroom, because there is a non-zero page offset.We are supposed to return -EINVAL and be done with it in such case, but dueto tailroom being stored as an unsigned int, it is reported to be somewherenear UINT_MAX, resulting in a tail being grown, even if the requestedoffset is too much (it is around 2K in the abovementioned test). This laterleads to all kinds of unspecific calltraces.[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000][ 7340.339230] in xskxceiver[42b5,400000+69000][ 7340.340300] likely on CPU 6 (core 0, socket 6)[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe[ 7340.340888] likely on CPU 3 (core 0, socket 3)[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500[ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0[ 7340.421237] PKRU: 55555554[ 7340.421623] Call Trace:[ 7340.421987] [ 7340.422309] ? softleaf_from_pte+0x77/0xa0[ 7340.422855] swap_pte_batch+0xa7/0x290[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270[ 7340.424102] zap_pte_range+0x281/0x580[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240[ 7340.425177] unmap_page_range+0x24d/0x420[ 7340.425714] unmap_vmas+0xa1/0x180[ 7340.426185] exit_mmap+0xe1/0x3b0[ 7340.426644] __mmput+0x41/0x150[ 7340.427098] exit_mm+0xb1/0x110[ 7340.427539] do_exit+0x1b2/0x460[ 7340.427992] do_group_exit+0x2d/0xc0[ 7340.428477] get_signal+0x79d/0x7e0[ 7340.428957] arch_do_signal_or_restart+0x34/0x100[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0[ 7340.430159] do_syscall_64+0x188/---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23346 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: io: Extract user memory type in ioremap_prot()The only caller of ioremap_prot() outside of the generic ioremap()implementation is generic_access_phys(), which passes a 'pgprot_t' valuedetermined from the user mapping of the target 'pfn' being accessed bythe kernel. On arm64, the 'pgprot_t' contains all of the non-addressbits from the pte, including the permission controls, and so we end upreturning a new user mapping from ioremap_prot() which faults whenaccessed from the kernel on systems with PAN: | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 | ... | Call trace: | __memcpy_fromio+0x80/0xf8 | generic_access_phys+0x20c/0x2b8 | __access_remote_vm+0x46c/0x5b8 | access_remote_vm+0x18/0x30 | environ_read+0x238/0x3e8 | vfs_read+0xe4/0x2b0 | ksys_read+0xcc/0x178 | __arm64_sys_read+0x4c/0x68Extract only the memory type from the user 'pgprot_t' in ioremap_prot()and assert that we're being passed a user mapping, to protect us againstany changes in future that may require additional handling. To avoidfalsely flagging users of ioremap(), provide our own ioremap() macrowhich simply wraps __ioremap_prot().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23348 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cxl: Fix race of nvdimm_bus object when creating nvdimm objectsFound issue during running of cxl-translate.sh unit test. Adding a 3ssleep right before the test seems to make the issue reproduce fairlyconsistently. The cxl_translate module has dependency on cxl_acpi andcauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.The nvdimm_bus object is registered by the cxl_nvb object whencxl_acpi_probe() is called. With the nvdimm_bus object missing,__nd_device_register() will trigger NULL pointer dereference whenaccessing the dev->parent that points to &nvdimm_bus->dev.[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core][ 192.899459] RIP: 0010:kobject_get+0xc/0x90[ 192.924871] Call Trace:[ 192.925959] [ 192.926976] ? pm_runtime_init+0xb9/0xe0[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm][ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm][ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem][ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core][ 192.943349] really_probe+0xde/0x380This patch also relies on the previous change wheredevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c insteadof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the driver is probed synchronously when add_device() is called.2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the cxl_nvb driver is attached during cxl_acpi_probe().3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe() will exit with -EBUSY.The removal of cxl_nvdimm devices should prevent any orphaned devicesfrom probing once the nvdimm_bus is gone.[ dj: Fixed 0-day reported kdoc issue. ][ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23351 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_set_pipapo: split gc into unlink and reclaim phaseYiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service).We must split GC in an unlink and a reclaim phase.We cannot queue elements for freeing until pointers have been swapped.Expired elements are still exposed to both the packet path and userspacedumpers via the live copy of the data structure.call_rcu() does not protect us: dump operations or element lookups startingafter call_rcu has fired can still observe the free'd element, unless thecommit phase has made enough progress to swap the clone and live pointersbefore any new reader has picked up the old version.This a similar approach as done recently for the rbtree backend in commit35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23352 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/efi: defer freeing of boot services memoryefi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODEand EFI_BOOT_SERVICES_DATA using memblock_free_late().There are two issue with that: memblock_free_late() should be used formemory allocated with memblock_alloc() while the memory reserved withmemblock_reserve() should be freed with free_reserved_area().More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=yefi_free_boot_services() is called before deferred initialization of thememory map is complete.Benjamin Herrenschmidt reports that this causes a leak of ~140MB ofRAM on EC2 t3a.nano instances which only have 512MB or RAM.If the freed memory resides in the areas that memory map for them isstill uninitialized, they won't be actually freed becausememblock_free_late() calls memblock_free_pages() and the latter skipsuninitialized pages.Using free_reserved_area() at this point is also problematic because__free_page() accesses the buddy of the freed page and that again mightend up in uninitialized part of the memory map.Delaying the entire efi_free_boot_services() could be problematicbecause in addition to freeing boot services memory it updatesefi.memmap without any synchronization and that's undesirable late inboot when there is concurrency.More robust approach is to only defer freeing of the EFI boot servicesmemory.Split efi_free_boot_services() in two. First efi_unmap_boot_services()collects ranges that should be freed into an array thenefi_free_boot_services() later frees them after deferred init is complete.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23354 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/fred: Correct speculative safety in fred_extint()array_index_nospec() is no use if the result gets spilled to the stack, asit makes the believed safe-under-speculation value subject to memorypredictions.For all practical purposes, this means array_index_nospec() must be used inthe expression that accesses the array.As the code currently stands, it's the wrong side of irqentry_enter(), and'index' is put into %ebp across the function call.Remove the index variable and reposition array_index_nospec(), so it'scalculated immediately before the array access.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23368 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: phy: register phy led_triggers during probe to avoid AB-BA deadlockThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV andLED_TRIGGER_PHY are enabled:[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c[ 1362.104022] [<80014504>] syscall_common+0x34/0x58Here LED_TRIGGER_PHY is registering LED triggers during phy_attachwhile holding RTNL and then taking triggers_list_lock.[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c[ 1362.232164] [<80014504>] syscall_common+0x34/0x58Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takestriggers_list_lock and then RTNL. A classical AB-BA deadlock.phy_led_triggers_registers() does not require the RTNL, it does notmake any calls into the network stack which require protection. Thereis also no requirement the PHY has been attached to a MAC, thetriggers only make use of phydev state. This allows the call tophy_led_triggers_registers() to be placed elsewhere. PHY probe() andrelease() don't hold RTNL, so solving the AB-BA deadlock.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23374 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:blktrace: fix __this_cpu_read/write in preemptible contexttracing_record_cmdline() internally uses __this_cpu_read() and__this_cpu_write() on the per-CPU variable trace_cmdline_save, andtrace_save_cmdline() explicitly asserts preemption is disabled vialockdep_assert_preemption_disabled(). These operations are only safewhen preemption is off, as they were designed to be called from thescheduler context (probe_wakeup_sched_switch() / probe_wakeup()).__blk_add_trace() was calling tracing_record_cmdline(current) early inthe blk_tracer path, before ring buffer reservation, from processcontext where preemption is fully enabled. This triggers the followingusing blktests/blktrace/002:blktrace/002 (blktrace ftrace corruption with sysfs trace) [failed] runtime 0.367s ... 0.437s something found in dmesg: [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] [ 81.362886] dump_stack_lvl+0x8d/0xb0 ... (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33[ 81.239580] null_blk: disk nullb1 created[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516[ 81.362842] caller is tracing_record_cmdline+0x10/0x40[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)[ 81.362877] Tainted: [N]=TEST[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014[ 81.362881] Call Trace:[ 81.362884] [ 81.362886] dump_stack_lvl+0x8d/0xb0[ 81.362895] check_preemption_disabled+0xce/0xe0[ 81.362902] tracing_record_cmdline+0x10/0x40[ 81.362923] __blk_add_trace+0x307/0x5d0[ 81.362934] ? lock_acquire+0xe0/0x300[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30[ 81.362959] blk_add_trace_bio+0x106/0x1e0[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0[ 81.362979] ? lockdep_init_map_type+0x58/0x260[ 81.362988] submit_bio_wait+0x56/0x90[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0[ 81.363051] blkdev_read_iter+0xc1/0x140[ 81.363059] vfs_read+0x20b/0x330[ 81.363083] ksys_read+0x67/0xe0[ 81.363090] do_syscall_64+0xbf/0xf00[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e[ 81.363106] RIP: 0033:0x7f281906029d[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a[ 81.363142] The same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),and blk_add_trace_rq() paths as well.The purpose of tracin---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23376 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet-fcloop: Check remoteport port_state before calling done callbackIn nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set whenremoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, thenvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected tofail and the nvme-fc transport layer itself will directly callnvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to freethe lsrsp resources.Update the fcloop_t2h_xmt_ls_rsp routine to check remoteport->port_state.If online, then lsrsp->done callback will free the lsrsp. Else, return-ENODEV to signal the nvme-fc transport to handle freeing lsrsp.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23377 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: change XDP RxQ frag_size from DMA write length to xdp.frame_szThe only user of frag_size field in XDP RxQ info isbpf_xdp_frags_increase_tail(). It clearly expects whole buff size insteadof DMA write size. Different assumptions in ice driver configuration leadto negative tailroom.This allows to trigger kernel panic, when usingXDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to6912 and the requested offset to a huge value, e.g.XSK_UMEM__MAX_FRAME_SIZE * 100.Due to other quirks of the ZC configuration in ice, panic is not observedin ZC mode, but tailroom growing still fails when it should not.Use fill queue buffer truesize instead of DMA write size in XDP RxQ info.Fix ZC mode too by using the new helper.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23382 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing themIn commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference atraw event handle"), we handle the fact that raw event callbackscan happen even for a HID device that has not been "claimed" causing acrash if a broken device were attempted to be connected to the system.Fix up the remaining in-tree HID drivers that forgot to add this samecheck to resolve the same issue.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23383 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearingstruct bpf_plt contains a u64 target field. Currently, the BPF JITallocator requests an alignment of 4 bytes (sizeof(u32)) for the JITbuffer.Because the base address of the JIT buffer can be 4-byte aligned (e.g.,ending in 0x4 or 0xc), the relative padding logic in build_plt() failsto ensure that target lands on an 8-byte boundary.This leads to two issues:1. UBSAN reports misaligned-access warnings when dereferencing the structure.2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address.Fix this by increasing the allocation alignment requirement to 8 bytes(sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base ofthe JIT buffer to an 8-byte boundary, allowing the relative padding mathin build_plt() to correctly align the target field.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23389 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: Fix memory leak in ice_set_ringparam()In ice_set_ringparam, tx_rings and xdp_rings are allocated beforerx_rings. If the allocation of rx_rings fails, the code jumps tothe done label leaking both tx_rings and xdp_rings. Furthermore, ifthe setup of an individual Rx ring fails during the loop, the code jumpsto the free_tx label which releases tx_rings but leaks xdp_rings.Fix this by introducing a free_xdp label and updating the error paths toensure both xdp_rings and tx_rings are properly freed if rx_ringsallocation or setup fails.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23391 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: xt_CT: drop pending enqueued packets on template removalTemplates refer to objects that can go away while packets are sitting innfqueue refer to:- helper, this can be an issue on module removal.- timeout policy, nfnetlink_cttimeout might remove it.The use of templates with zone and event cache filter are safe, sincethis just copies values.Flush these enqueued packets in case the template rule gets removed.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23419 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/rds: Fix circular locking dependency in rds_tcp_tunesyzbot reported a circular locking dependency in rds_tcp_tune() wheresk_net_refcnt_upgrade() is called while holding the socket lock:======================================================WARNING: possible circular locking dependency detected======================================================kworker/u10:8/15040 is trying to acquire lock:ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0},at: __kmalloc_cache_noprof+0x4b/0x6f0but task is already holding lock:ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0},at: rds_tcp_tune+0xd7/0x930The issue occurs because sk_net_refcnt_upgrade() performs memoryallocation (via get_net_track() -> ref_tracker_alloc()) while thesocket lock is held, creating a circular dependency with fs_reclaim.Fix this by moving sk_net_refcnt_upgrade() outside the socket lockcritical section. This is safe because the fields modified by thesk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are notaccessed by any concurrent code path at this point.v2: - Corrected fixes tag - check patch line wrap nits - ai commentary nits

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23438 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: mvpp2: guard flow control update with global_tx_fc in buffer switchingmvpp2_bm_switch_buffers() unconditionally callsmvpp2_bm_pool_update_priv_fc() when switching between per-cpu andshared buffer pool modes. This function programs CM3 flow controlregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereferencepriv->cm3_base without any NULL check.When the CM3 SRAM resource is not present in the device tree (thethird reg entry added by commit 60523583b07c ("dts: marvell: add CM3SRAM memory to cp11x ethernet device tree")), priv->cm3_base remainsNULL and priv->global_tx_fc is false. Any operation that triggersmvpp2_bm_switch_buffers(), for example an MTU change that crossesthe jumbo frame threshold, will crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits pc : readl+0x0/0x18 lr : mvpp2_cm3_read.isra.0+0x14/0x20 Call trace: readl+0x0/0x18 mvpp2_bm_pool_update_fc+0x40/0x12c mvpp2_bm_pool_update_priv_fc+0x94/0xd8 mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 mvpp2_change_mtu+0x140/0x380 __dev_set_mtu+0x1c/0x38 dev_set_mtu_ext+0x78/0x118 dev_set_mtu+0x48/0xa8 dev_ifsioc+0x21c/0x43c dev_ioctl+0x2d8/0x42c sock_ioctl+0x314/0x378Every other flow control call site in the driver already guardshardware access with either priv->global_tx_fc or port->tx_fc.mvpp2_bm_switch_buffers() is the only place that omits this check.Add the missing priv->global_tx_fc guard to both the disable andre-enable calls in mvpp2_bm_switch_buffers(), consistent with therest of the driver.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23439 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0(success) without actually creating a socket. Callers such asfou_create() then proceed to dereference the uninitialized socketpointer, resulting in a NULL pointer dereference.The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, socallers correctly take their error paths. There is only one caller ofthe vulnerable function and only privileged users can trigger it.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23445 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:igc: fix page fault in XDP TX timestamps handlingIf an XDP application that requested TX timestamping is shutting downwhile the link of the interface in use is still up the following kernelsplat is reported:[ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008...[ 883.803650] [ T1554] Call Trace:[ 883.803652] [ T1554] [ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc][ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc]...During shutdown of the TX ring the xsk_meta pointers are left behind, sothat the IRQ handler is trying to touch them.This issue is now being fixed by cleaning up the stale xsk meta data onTX shutdown. TX timestamps on other queues remain unaffected.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23468 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Limit BO list entry count to prevent resource exhaustionUserspace can pass an arbitrary number of BO list entries via thebo_number field. Although the previous multiplication overflow checkprevents out-of-bounds allocation, a large number of entries could stillcause excessive memory allocation (up to potentially gigabytes) andunnecessarily long list processing times.Introduce a hard limit of 128k entries per BO list, which is more thansufficient for any realistic use case (e.g., a single list containing allbuffers in a large scene). This prevents memory exhaustion attacks andensures predictable performance.Return -EINVAL if the requested entry count exceeds the limit(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31411 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: atm: fix crash due to unvalidated vcc pointer in sigd_send()Reproducer available at [1].The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vccpointer from msg->vcc and uses it directly without any validation. Thispointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeefIn normal operation, the kernel sends the vcc pointer to the signalingdaemon via sigd_enq() when processing operations like connect(), bind(),or listen(). The daemon is expected to return the same pointer whenresponding. However, a malicious daemon can send arbitrary pointer values.Fix this by introducing find_get_vcc() which validates the pointer bysearching through vcc_hash (similar to how sigd_close() iterates overall VCCs), and acquires a reference via sock_hold() if found.Since struct atm_vcc embeds struct sock as its first member, they sharethe same lifetime. Therefore using sock_hold/sock_put is sufficient tokeep the vcc alive while it is being used.Note that there may be a race with sigd_close() which could mark the vccwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.However, sock_hold() guarantees the memory remains valid, so this raceonly affects the logical state, not memory safety.[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31414 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_expect: use expect->helperUse expect->helper in ctnetlink and /proc to dump the helper name.Using nfct_help() without holding a reference to the master conntrackis unsafe.Use exp->master->helper in ctnetlink path if userspace does not providean explicit helper when creating an expectation to retain the existingbehaviour. The ctnetlink expectation path holds the reference on themaster conntrack and nf_conntrack_expect lock and the nfnetlink gluepath refers to the master ct that is attached to the skb.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31418 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ipset: drop logically empty buckets in mtype_delmtype_del() counts empty slots below n->pos in k, but it only drops thebucket when both n->pos and k are zero. This misses buckets whose liveentries have all been removed while n->pos still points past deleted slots.Treat a bucket as empty when all positions below n->pos are unused andrelease it directly instead of shrinking it further.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31420 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: mrp: reject zero test interval to avoid OOM panicbr_mrp_start_test() and br_mrp_start_in_test() accept the user-suppliedinterval value from netlink without validation. When interval is 0,usecs_to_jiffies(0) yields 0, causing the delayed work(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to rescheduleitself with zero delay. This creates a tight loop on system_percpu_wqthat allocates and transmits MRP test frames at maximum rate, exhaustingall system memory and causing a kernel panic via OOM deadlock.The same zero-interval issue applies to br_mrp_start_in_test_parse()for interconnect test frames.Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for bothIFLA_BRIDGE_MRP_START_TEST_INTERVAL andIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at thenetlink attribute parsing layer before the value ever reaches theworkqueue scheduling code. This is consistent with how other bridgesubsystems (br_fdb, br_mst) enforce range constraints on netlinkattributes.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31421 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: cls_fw: fix NULL pointer dereference on shared blocksThe old-method path in fw_classify() calls tcf_block_q() anddereferences q->handle. Shared blocks leave block->q NULL, causing aNULL deref when an empty cls_fw filter is attached to a shared blockand a packet with a nonzero major skb mark is classified.Reject the configuration in fw_change() when the old method (noTCA_OPTIONS) is used on a shared block, since fw_classify()'sold-method path needs block->q which is NULL for shared blocks.The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31422 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: cls_flow: fix NULL pointer dereference on shared blocksflow_change() calls tcf_block_q() and dereferences q->handle to derivea default baseclass. Shared blocks leave block->q NULL, causing a NULLderef when a flow filter without a fully qualified baseclass is createdon a shared block.Check tcf_block_shared() before accessing block->q and return -EINVALfor shared blocks. This avoids the null-deref shown below:=======================================================================KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]RIP: 0010:flow_change (net/sched/cls_flow.c:508)Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...]=======================================================================

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31423 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()m2sm() converts a u32 slope to a u64 scaled value. For large inputs(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() storesthe difference of two such u64 values in a u32 variable `dsm` anduses it as a divisor. When the difference is exactly 2^32 thetruncation yields zero, causing a divide-by-zero oops in theconcave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...]Widen `dsm` to u64 and replace do_div() with div64_u64() so the fulldifference is preserved.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31424 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARPWeiming Shi says:xt_match and xt_target structs registered with NFPROTO_UNSPEC can beloaded by any protocol family through nft_compat. When such amatch/target sets .hooks to restrict which hooks it may run on, thebitmask uses NF_INET_* constants. This is only correct for familieswhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridgeall share the same five hooks (PRE_ROUTING ... POST_ROUTING).ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with differentsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooksvalidation silently passes for the wrong reasons, allowing matches torun on ARP chains where the hook assumptions (e.g. state->in beingset on input hooks) do not hold. This leads to NULL pointerdereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) Kernel panic - not syncing: Fatal exception in interruptFix it by restricting arptables to NFPROTO_ARP extensions only.Note that arptables-legacy only supports:- arpt_CLASSIFY- arpt_mangle- arpt_MARKthat provide explicit NFPROTO_ARP match/target declarations.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31425 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rds: ib: reject FRMR registration before IB connection is establishedrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_dataand passes it to rds_ib_reg_frmr() for FRWR memory registration. On afresh outgoing connection, ic is allocated in rds_ib_conn_alloc() withi_cm_id = NULL because the connection worker has not yet calledrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() withRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parsesthe control message before any connection establishment, allowingrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash thekernel.The existing guard in rds_ib_reg_frmr() only checks for !ic (added incommit 9e630bcb7701), which does not catch this case since ic is allocatedearly and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are allnon-NULL before proceeding with FRMR registration, mirroring the guardalready present in rds_ib_post_inv(). Return -ENODEV when the connectionis not ready, which the existing error handling in rds_cmsg_send() convertsto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() tostart the connection worker.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31428 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD__build_packet_message() manually constructs the NFULA_PAYLOAD netlinkattribute using skb_put() and skb_copy_bits(), bypassing the standardnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytesare allocated (including NLA alignment padding), only data_len bytesof actual packet data are copied. The trailing nla_padlen(data_len)bytes (1-3 when data_len is not 4-byte aligned) are never initialized,leaking stale heap contents to userspace via the NFLOG netlink socket.Replace the manual attribute construction with nla_reserve(), whichhandles the tailroom check, header setup, and padding zeroing via__nla_reserve(). The subsequent skb_copy_bits() fills in the payloaddata on top of the properly initialized attribute.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31429 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: skb: fix cross-cache free of KFENCE-allocated skb headSKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2value (e.g. 704 on x86_64) to avoid collisions with generic kmallocbucket sizes. This ensures that skb_kfree_head() can reliably useskb_end_offset to distinguish skb heads allocated fromskb_small_head_cache vs. generic kmalloc caches.However, when KFENCE is enabled, kfence_ksize() returns the exactrequested allocation size instead of the slab bucket size. If a caller(e.g. bpf_test_init) allocates skb head data via kzalloc() and therequested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, thenslab_build_skb() -> ksize() returns that exact value. After subtractingskb_shared_info overhead, skb_end_offset ends up matchingSKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly freethe object to skb_small_head_cache instead of back to the originalkmalloc cache, resulting in a slab cross-cache free: kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1kFix this by always calling kfree(head) in skb_kfree_head(). This keepsthe free path generic and avoids allocator-specific misclassificationfor KFENCE objects.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31444 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()smb_grant_oplock() has two issues in the oplock publication sequence:1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via __free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.Fix by restructuring the publication sequence to eliminate post-publishfailure:- Set opinfo->o_fp before any list publication (fixes NULL deref).- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.- Use opinfo_put() instead of __free_opinfo() on err_out so that the RCU-deferred free path is used.This also requires splitting add_lease_global_list() to take apreallocated lease_table and changing its return type from int to void,since it can no longer fail.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31447 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: reject mount if bigalloc with s_first_data_block != 0bigalloc with s_first_data_block != 0 is not supported, reject mountingit.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31449 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: validate p_idx bounds in ext4_ext_correct_indexesext4_ext_correct_indexes() walks up the extent tree correctingindex entries when the first extent in a leaf is modified. Beforeaccessing path[k].p_idx->ei_block, there is no validation thatp_idx falls within the valid range of index entries for thatlevel.If the on-disk extent header contains a corrupted or craftedeh_entries value, p_idx can point past the end of the allocatedbuffer, causing a slab-out-of-bounds read.Fix this by validating path[k].p_idx against EXT_LAST_INDEX() atboth access sites: before the while loop and inside it. Return-EFSCORRUPTED if the index pointer is out of range, consistentwith how other bounds violations are handled in the ext4 extenttree code.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31450 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: publish jinode after initializationext4_inode_attach_jinode() publishes ei->jinode to concurrent users.It used to set ei->jinode before jbd2_journal_init_jbd_inode(),allowing a reader to observe a non-NULL jinode with i_vfs_inodestill unset.The fast commit flush path can then pass this jinode tojbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping andmay crash.Below is the crash I observe:```BUG: unable to handle page fault for address: 000000010beb47f4PGD 110e51067 P4D 110e51067 PUD 0Oops: Oops: 0000 [#1] SMP NOPTICPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014RIP: 0010:xas_find_marked+0x3d/0x2e0Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ecR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0PKRU: 55555554Call Trace:filemap_get_folios_tag+0x87/0x2a0__filemap_fdatawait_range+0x5f/0xd0? srso_alias_return_thunk+0x5/0xfbef5? __schedule+0x3e7/0x10c0? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5? cap_safe_nice+0x37/0x70? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5filemap_fdatawait_range_keep_errors+0x12/0x40ext4_fc_commit+0x697/0x8b0? ext4_file_write_iter+0x64b/0x950? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80? srso_alias_return_thunk+0x5/0xfbef5? vfs_write+0x356/0x480? srso_alias_return_thunk+0x5/0xfbef5? preempt_count_sub+0x5f/0x80ext4_sync_file+0xf7/0x370do_fsync+0x3b/0x80? syscall_trace_enter+0x108/0x1d0__x64_sys_fdatasync+0x16/0x20do_syscall_64+0x62/0x2c0entry_SYSCALL_64_after_hwframe+0x76/0x7e...```Fix this by initializing the jbd2_inode first.Use smp_wmb() and WRITE_ONCE() to publish ei->jinode afterinitialization. Readers use READ_ONCE() to fetch the pointer.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31451 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: replace BUG_ON with proper error handling in ext4_read_inline_folioReplace BUG_ON() with proper error handling when inline data sizeexceeds PAGE_SIZE. This prevents kernel panic and allows the system tocontinue running while properly reporting the filesystem corruption.The error is logged via ext4_error_inode(), the buffer head is releasedto prevent memory leak, and -EFSCORRUPTED is returned to indicatefilesystem corruption.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31452 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: convert inline data to extents when truncate exceeds inline sizeAdd a check in ext4_setattr() to convert files from inline data storageto extent-based storage when truncate() grows the file size beyond theinline capacity. This prevents the filesystem from entering aninconsistent state where the inline data flag is set but the file sizeexceeds what can be stored inline.Without this fix, the following sequence causes a kernel BUG_ON():1. Mount filesystem with inode that has inline flag set and small size2. truncate(file, 50MB) - grows size but inline flag remains set3. sendfile() attempts to write data4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)The crash occurs because ext4_write_inline_data() expects inline storageto accommodate the write, but the actual inline capacity (~60 bytes fori_block + ~96 bytes for xattrs) is far smaller than the file size andwrite request.The fix checks if the new size from setattr exceeds the inode's actualinline capacity (EXT4_I(inode)->i_inline_size) and converts the file toextent-based storage before proceeding with the size change.This addresses the root cause by ensuring the inline data flag and filesize remain consistent during truncate operations.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31453 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: avoid dereferencing log items after push callbacksAfter xfsaild_push_item() calls iop_push(), the log item may have beenfreed if the AIL lock was dropped during the push. Background inodereclaim or the dquot shrinker can free the log item while the AIL lockis not held, and the tracepoints in the switch statement dereferencethe log item after iop_push() returns.Fix this by capturing the log item type, flags, and LSN before callingxfsaild_push_item(), and introducing a new xfs_ail_push_class traceevent class that takes these pre-captured values and the ailp pointerinstead of the log item pointer.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31454 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: save ailp before dropping the AIL lock in push callbacksIn xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lockis dropped to perform buffer IO. Once the cluster buffer no longerprotects the log item from reclaim, the log item may be freed bybackground reclaim or the dquot shrinker. The subsequent spin_lock()call dereferences lip->li_ailp, which is a use-after-free.Fix this by saving the ailp pointer in a local variable while the AILlock is held and the log item is guaranteed to be valid.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31455 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: stop reclaim before pushing AIL during unmountThe unmount sequence in xfs_unmount_flush_inodes() pushed the AIL whilebackground reclaim and inodegc are still running. This is brokenindependently of any use-after-free issues - background reclaim andinodegc should not be running while the AIL is being pushed duringunmount, as inodegc can dirty and insert inodes into the AIL during theflush, and background reclaim can race to abort and free dirty inodes.Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel backgroundreclaim before pushing the AIL. Stop inodegc before cancellingm_reclaim_work because the inodegc worker can re-queue m_reclaim_workvia xfs_inodegc_set_reclaimable.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31458 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]Multiple sysfs command paths dereference contexts_arr[0] without firstverifying that kdamond->contexts->nr == 1. A user can set nr_contexts to0 via sysfs while DAMON is running, causing NULL pointer dereferences.In more detail, the issue can be triggered by privileged users likebelow.First, start DAMON and make contexts directory empty(kdamond->contexts->nr == 0). # damo start # cd /sys/kernel/mm/damon/admin/kdamonds/0 # echo 0 > contexts/nr_contextsThen, each of below commands will cause the NULL pointer dereference. # echo update_schemes_stats > state # echo update_schemes_tried_regions > state # echo update_schemes_tried_bytes > state # echo update_schemes_effective_quotas > state # echo update_tuned_intervals > stateGuard all commands (except OFF) at the entry point ofdamon_sysfs_handle_cmd().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31476 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: do not expire session on binding failureWhen a multichannel session binding request fails (e.g. wrong password),the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.However, during binding, sess points to the target session looked up viaksmbd_session_lookup_slowpath() -- which belongs to another connection'suser. This allows a remote attacker to invalidate any active session bysimply sending a binding request with a wrong password (DoS).Fix this by skipping session expiration when the failed request wasa binding attempt, since the session does not belong to the currentconnection. The reference taken by ksmbd_session_lookup_slowpath() isstill correctly released via ksmbd_user_session_put().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31477 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix memory leaks and NULL deref in smb2_lock()smb2_lock() has three error handling issues after list_del() detachessmb_lock from lock_list at no_check_cl:1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock.2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out leaks smb_lock and flock for the same reason. The error code returned to the dispatcher is also stale.3) In the rollback path, smb_flock_init() can return NULL on allocation failure. The result is dereferenced unconditionally, causing a kernel NULL pointer dereference. Add a NULL check to prevent the crash and clean up the bookkeeping; the VFS lock itself cannot be rolled back without the allocation and will be released at file or connection teardown.Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to beforethe if(!rc) check in the UNLOCK branch so all exit paths share onefree site, and by freeing smb_lock and flock before goto out in thenon-UNLOCK branch. Propagate the correct error code in both cases.Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and addinga NULL check for locks_free_lock(rlock) in the shared cleanup.Found via call-graph analysis using sqry.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31479 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/xe: always keep track of remap prev/nextDuring 3D workload, user is reporting hitting:[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe][ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0[ 413.362088] PKRU: 55555554[ 413.362089] Call Trace:[ 413.362092] [ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe]Which seems to hint that the vma we are re-inserting for the ops unwindis either invalid or overlapping with something already inserted in thevm. It shouldn't be invalid since this is a re-insertion, so must haveworked before. Leaving the likely culprit as something already placedwhere we want to insert the vma.Following from that, for the case where we do something like a rebind inthe middle of a vma, and one or both mapped ends are already compatible,we skip doing the rebind of those vma and set next/prev to NULL. As wellas then adjust the original unmap va range, to avoid unmapping the ends.However, if we trigger the unwind path, we end up with three va, withthe two ends never being removed and the original va range in the middlestill being the shrunken size.If this occurs, one failure mode is when another unwind op needs tointeract with that range, which can happen with a vector of binds. Forexample, if we need to re-insert something in place of the original va.In this case the va is still the shrunken version, so when removing itand then doing a re-insert it can overlap with the ends, which werenever removed, triggering a warning like above, plus leaving the vm in abad state.With that, we need two things here: 1) Stop nuking the prev/next tracking for the skip cases. Instead relying on checking for skip prev/next, where needed. That way on the unwind path, we now correctly remove both ends. 2) Undo the unmap va shrinkage, on the unwind path. With the two ends now removed the unmap va should expand back to the original size again, before re-insertion.v2: - Update the explanation in the commit message, based on an actual IGT of triggering this issue, rather than conjecture. - Also undo the unmap shrinkage, for the skip case. With the two ends now removed, the original unmap va range should expand back to the original range.v3: - Track the old start/range separately. vma_size/start() uses the va info directly.(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31486 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:hwmon: (pmbus/core) Protect regulator operations with mutexThe regulator operations pmbus_regulator_get_voltage(),pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()access PMBus registers and shared data but were not protected bythe update_lock mutex. This could lead to race conditions.However, adding mutex protection directly to these functions causesa deadlock because pmbus_regulator_notify() (which callsregulator_notifier_call_chain()) is often called with the mutexalready held (e.g., from pmbus_fault_handler()). If a regulatorcallback then calls one of the now-protected voltage functions,it will attempt to acquire the same mutex.Rework pmbus_regulator_notify() to utilize a worker function tosend notifications outside of the mutex protection. Events arestored as atomics in a per-page bitmask and processed by the worker.Initialize the worker and its associated data during regulatorregistration, and ensure it is cancelled on device removal usingdevm_add_action_or_reset().While at it, remove the unnecessary include of linux/of.h.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31492 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: Initialize free_qp completion before using itIn irdma_create_qp, if ib_copy_to_udata fails, it will callirdma_destroy_qp to clean up which will attempt to wait onthe free_qp completion, which is not initialized yet. Fix thisby initializing the completion before the ib_copy_to_udata call.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31495 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: use netlink policy range checksReplace manual range and mask validations with netlink policyannotations in ctnetlink code paths, so that the netlink core rejectsinvalid values early and can generate extack errors.- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check.- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE (14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count.- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with CTA_FILTER_F_ALL, removing the manual mask checks.- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding a new mask define grouping all valid expect flags.Extracted from a broader nf-next patch by Florian Westphal, scoped toctnetlink for the fixes tree.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31519 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol createWe have recently observed a number of subvolumes with broken dentries.ls-ing the parent dir looks like:drwxrwxrwt 1 root root 16 Jan 23 16:49 .drwxr-xr-x 1 root root 24 Jan 23 16:48 ..d????????? ? ? ? ? ? broken_subvoland similarly stat-ing the file fails.In this state, deleting the subvol fails with ENOENT, but attempting tocreate a new file or subvol over it errors out with EEXIST and evenaborts the fs. Which leaves us a bit stuck.dmesg contains a single notable error message reading:"could not do orphan cleanup -2"2 is ENOENT and the error comes from the failure handling path ofbtrfs_orphan_cleanup(), with the stack leading back up tobtrfs_lookup().btrfs_lookupbtrfs_lookup_dentrybtrfs_orphan_cleanup // prints that message and returns -ENOENTAfter some detailed inspection of the internal state, it became clearthat:- there are no orphan items for the subvol- the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc.- the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later.- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want.i.e.,btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode->vfs_inode)->vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolumebtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)on the root when it runs, so it cannot run more than once on a givenroot, so something else must run concurrently. However, the obviousroutes to deleting an orphan when nlinks goes to 0 should not be able torun without first doing a lookup into the subvolume, which should runbtrfs_orphan_cleanup() and set the bit.The final important observation is that create_subvol() callsd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so ifthe dentry cache gets dropped, the next lookup into the subvolume willmake a real call into btrfs_orphan_cleanup() for the first time. Thisopens up the possibility of concurrently deleting the inode/orphan itemsbut most typical evict() paths will be holding a reference on the parentdentry (child dentry holds parent->d_lockref.count via dget ind_alloc(), released in __dentry_kill()) and prevent the parent frombeing removed from the dentry cache.The one exception is delayed iputs. Ordered extent creation callsigrab() on the inode. If the file is unlinked and closed while thoserefs are held, iput() in __dentry_kill() decrements i_count but doesnot trigger eviction (i_count > 0). The child dentry is freed and thesubvol dentry's d_lockref.count drops to 0, making it evictable whilethe inode is still alive.Since there are two races (the race between writeback and unlink andthe race between lookup and delayed iputs), and there are too many movingparts, the following three diagrams show the complete picture.(Only the second and third are races)Phase 1:Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP setbtrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31531 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()When querying a nexthop object via RTM_GETNEXTHOP, the kernel currentlyallocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient forsingle nexthops and small Equal-Cost Multi-Path groups, this fixedallocation fails for large nexthop groups like 512 nexthops.This results in the following warning splat: WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608 [...] RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395) [...] Call Trace: rtnetlink_rcv_msg (net/core/rtnetlink.c:6989) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585) ___sys_sendmsg (net/socket.c:2641) __sys_sendmsg (net/socket.c:2671) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by allocating the size dynamically using nh_nlmsg_size() andusing nlmsg_new(), this is consistent with nexthop_notify() behavior. Inaddition, adjust nh_nlmsg_size_grp() so it calculates the size neededbased on flags passed. While at it, also add the size of NHA_FDB fornexthop group size calculation as it was missing too.This cannot be reproduced via iproute2 as the group size is currentlylimited and the command fails as follows:addattr_l ERROR: message exceeded bound of 1048

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31546 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: bonding: fix NULL deref in bond_debug_rlb_hash_showrlb_clear_slave intentionally keeps RLB hash-table entries onthe rx_hashtbl_used_head list with slave set to NULL when noreplacement slave is available. However, bond_debug_rlb_hash_showvisites client_info->slave without checking if it's NULL.Other used-list iterators in bond_alb.c already handle this NULL-slavestate safely:- rlb_update_client returns early on !client_info->slave- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalancecompare slave values before visiting- lb_req_update_subnet_clients continues if slave is NULLThe following NULL deref crash can be trigger inbond_debug_rlb_hash_show:[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0[ 1.295897] Call Trace:[ 1.296134] seq_read_iter (fs/seq_file.c:231)[ 1.296341] seq_read (fs/seq_file.c:164)[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))[ 1.296658] vfs_read (fs/read_write.c:572)[ 1.296981] ksys_read (fs/read_write.c:717)[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)Add a NULL check and print "(none)" for entries with no assigned slave.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31547 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/xe: Fix missing runtime PM reference in ccs_mode_storeccs_mode_store() calls xe_gt_reset() which internally invokesxe_pm_runtime_get_noresume(). That function requires the callerto already hold an outer runtime PM reference and warns if noneis held: [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at xe_pm_runtime_get_noresume+0x8b/0xc0Fix this by protecting xe_gt_reset() with the scope-basedguard(xe_pm_runtime)(xe), which is the preferred form whenthe reference lifetime matches a single scope.v2:- Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng)- Update commit message accordingly(cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31557 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet: move async event work off nvmet-wqFor target nvmet_ctrl_free() flushes ctrl->async_event_work.If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueuecompletion for the same worker:-A. Async event work queued on nvmet-wq (prior to disconnect): nvmet_execute_async_event() queue_work(nvmet_wq, &ctrl->async_event_work) nvmet_add_async_event() queue_work(nvmet_wq, &ctrl->async_event_work)B. Full pre-work chain (RDMA CM path): nvmet_rdma_cm_handler() nvmet_rdma_queue_disconnect() __nvmet_rdma_queue_disconnect() queue_work(nvmet_wq, &queue->release_work) process_one_work() lock((wq_completion)nvmet-wq) <--------- 1st nvmet_rdma_release_queue_work()C. Recursive path (same worker): nvmet_rdma_release_queue_work() nvmet_rdma_free_queue() nvmet_sq_destroy() nvmet_ctrl_put() nvmet_ctrl_free() flush_work(&ctrl->async_event_work) __flush_work() touch_wq_lockdep_map() lock((wq_completion)nvmet-wq) <--------- 2ndLockdep splat: ============================================ WARNING: possible recursive locking detected 6.19.0-rc3nvme+ #14 Tainted: G N -------------------------------------------- kworker/u192:42/44933 is trying to acquire lock: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 but task is already holding lock: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660 3 locks held by kworker/u192:42/44933: #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660 #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660 #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma] Call Trace: __flush_work+0x268/0x530 nvmet_ctrl_free+0x140/0x310 [nvmet] nvmet_cq_put+0x74/0x90 [nvmet] nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma] nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma] process_one_work+0x206/0x660 worker_thread+0x184/0x320 kthread+0x10c/0x240 ret_from_fork+0x319/0x390Move async event work to a dedicated nvmet-aen-wq to avoid reentrantflush on nvmet-wq.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31560 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:spi: spi-dw-dma: fix print error log when wait finish transactionIf an error occurs, the device may not have a current message. In thiscase, the system will crash.In this case, it's better to use dev from the struct ctlr (struct spi_controller*).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31562 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_registerThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,which uses dev_get_drvdata to retrieve the mtk_dsi struct, so thisstructure needs to be stored inside the driver data before invoking it.As drvdata is currently uninitialized it leads to a crash whenregistering the DSI DRM encoder right after acquiringthe mode_config.idr_mutex, blocking all subsequent DRM operations.Fixes the following crash during mediatek-drm probe (tested on XiaomiSmart Clock x04g):Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040[...]Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib drm_dma_helper drm_kms_helper panel_simple[...]Call trace: drm_mode_object_add+0x58/0x98 (P) __drm_encoder_init+0x48/0x140 drm_encoder_init+0x6c/0xa0 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper] mtk_dsi_bind+0x34/0x13c [mediatek_drm] component_bind_all+0x120/0x280 mtk_drm_bind+0x284/0x67c [mediatek_drm] try_to_bring_up_aggregate_device+0x23c/0x320 __component_add+0xa4/0x198 component_add+0x14/0x20 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm] mipi_dsi_attach+0x2c/0x50 panel_simple_dsi_probe+0x4c/0x9c [panel_simple] mipi_dsi_drv_probe+0x1c/0x28 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __device_attach_driver+0xbc/0x17c bus_for_each_drv+0x88/0xf0 __device_attach+0x9c/0x1cc device_initial_probe+0x54/0x60 bus_probe_device+0x34/0xa0 device_add+0x5b0/0x800 mipi_dsi_device_register_full+0xdc/0x16c mipi_dsi_host_register+0xc4/0x17c mtk_dsi_probe+0x10c/0x260 [mediatek_drm] platform_probe+0x5c/0xa4 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1f8 bus_for_each_dev+0x7c/0xe0 driver_attach+0x24/0x30 bus_add_driver+0x11c/0x240 driver_register+0x68/0x130 __platform_register_drivers+0x64/0x160 mtk_drm_init+0x24/0x1000 [mediatek_drm] do_one_initcall+0x60/0x1d0 do_init_module+0x54/0x240 load_module+0x1838/0x1dc0 init_module_from_file+0xd8/0xf0 __arm64_sys_finit_module+0x1b4/0x428 invoke_syscall.constprop.0+0x48/0xc8 do_el0_svc+0x3c/0xb8 el0_svc+0x34/0xe8 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19cCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31565 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: Fix deadlock during netdev reset with active connectionsResolve deadlock that occurs when user executes netdev reset while RDMAapplications (e.g., rping) are active. The netdev reset causes icedriver to remove irdma auxiliary driver, triggering device_delete andsubsequent client removal. During client removal, uverbs_client waitsfor QP reference count to reach zero while cma_client holds the finalreference, creating circular dependency and indefinite wait in iWARPmode. Skip QP reference count wait during device reset to preventdeadlock.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31568 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390/mm: Add missing secure storage access fixups for donated memoryThere are special cases where secure storage access exceptions happenin a kernel context for pages that don't have the PG_arch_1 bitset. That bit is set for non-exported guest secure storage (memory)but is absent on storage donated to the Ultravisor since the kernelisn't allowed to export donated pages.Prior to this patch we would try to export the page by callingarch_make_folio_accessible() which would instantly return since thearch bit is absent signifying that the page was already exported andno further action is necessary. This leads to secure storage accessexception loops which can never be resolved.With this patch we unconditionally try to export and if that fails wefixup.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31579 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exitwg_netns_pre_exit() manually acquires rtnl_lock() inside thepernet .pre_exit callback. This causes a hung task when anotherthread holds rtnl_mutex - the cleanup_net workqueue (or thesetup_net failure rollback path) blocks indefinitely inwg_netns_pre_exit() waiting to acquire the lock.Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net:Add ->exit_rtnl() hook to struct pernet_operations."), where theframework already holds RTNL and batches all callbacks under asingle rtnl_lock()/rtnl_unlock() pair, eliminating the contentionwindow.The rcu_assign_pointer(wg->creating_net, NULL) is safe to movefrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())because all RCU readers of creating_net either use maybe_get_net()- which returns NULL for a dying namespace with zero refcount - oraccess net->user_ns which remains valid throughout the entireops_undo_list sequence.[ Jason: added __net_exit and __read_mostly annotations that were missing. ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31590 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGIONDrop the WARN in sev_pin_memory() on npages overflowing an int, as theWARN is comically trivially to trigger from userspace, e.g. by doing: struct kvm_enc_region range = { .addr = 0, .size = -1ul, }; __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);Note, the checks in sev_mem_enc_register_region() that presumably exist toverify the incoming address+size are completely worthless, as both "addr"and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greaterthan ULONG_MAX. That wart will be cleaned up in the near future. if (range->addr > ULONG_MAX || range->size > ULONG_MAX) return -EINVAL;Opportunistically add a comment to explain why the code calculates thenumber of pages the "hard" way, e.g. instead of just shifting @ulen.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31592 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lockTake and hold kvm->lock for before checking sev_guest() insev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lockis held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can'trollack state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add toa not-yet-initialized sev->regions_list, e.g. triggering a #GP Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83 Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00 RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256 RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000 RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000 R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000 R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000 FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0 Call Trace: kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371 kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363 __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f34e9f7e9a9 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9 RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007 RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8 with a syzlang reproducer that looks like: syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async) syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async) ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async) r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) close(r0) (async) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async) ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async) ioctl$KVM_RUN(r5, 0xae80, 0x0)Opportunistically use guard() to avoid having to define a new error labeland goto usage.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31594 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardownepf_ntb_epc_destroy() duplicates the teardown that the caller issupposed to perform later. This leads to an oops when .allow_link failsor when .drop_link is performed. The following is an example oops of theformer case: Unable to handle kernel paging request at virtual address dead000000000108 [...] [dead000000000108] address between user and kernel address ranges Internal error: Oops: 0000000096000044 [#1] SMP [...] Call trace: pci_epc_remove_epf+0x78/0xe0 (P) pci_primary_epc_epf_link+0x88/0xa8 configfs_symlink+0x1f4/0x5a0 vfs_symlink+0x134/0x1d8 do_symlinkat+0x88/0x138 __arm64_sys_symlinkat+0x74/0xe0 [...]Remove the helper, and drop pci_epc_put(). EPC device refcounting istied to the configfs EPC group lifetime, and pci_epc_put() in the.drop_link path is sufficient.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31596 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: handle invalid dinode in ocfs2_group_extend[BUG]kernel BUG at fs/ocfs2/resize.c:308!Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTIRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1feCall Trace: ... ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e ...[CAUSE]ocfs2_group_extend() assumes that the global bitmap inode blockreturned from ocfs2_inode_lock() has already been validated andBUG_ONs when the signature is not a dinode. That assumption is toostrong for crafted filesystems because the JBD2-managed buffer pathcan bypass structural validation and return an invalid dinode to theresize ioctl.[FIX]Validate the dinode explicitly in ocfs2_group_extend(). If the globalbitmap buffer does not contain a valid dinode, report filesystemcorruption with ocfs2_error() and fail the resize operation instead ofcrashing the kernel.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31600 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: mm: Handle invalid large leaf mappings correctlyIt has been possible for a long time to mark ptes in the linear map asinvalid. This is done for secretmem, kfence, realm dma memory un/share,and others, by simply clearing the PTE_VALID bit. But until commita166563e7ec37 ("arm64: mm: support large block mapping whenrodata=full") large leaf mappings were never made invalid in this way.It turns out various parts of the code base are not equipped to handleinvalid large leaf mappings (in the way they are currently encoded) andI've observed a kernel panic while booting a realm guest on aBBML2_NOABORT system as a result:[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers[ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000[ 15.513762] Mem abort info:[ 15.527245] ESR = 0x0000000096000046[ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits[ 15.572146] SET = 0, FnV = 0[ 15.592141] EA = 0, S1PTW = 0[ 15.612694] FSC = 0x06: level 2 translation fault[ 15.640644] Data abort info:[ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000[ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0[ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0[ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000[ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704[ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP[ 15.886394] Modules linked in:[ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT[ 15.935258] Hardware name: linux,dummy-virt (DT)[ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)[ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c[ 16.006163] lr : swiotlb_bounce+0xf4/0x158[ 16.024145] sp : ffff80008000b8f0[ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000[ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000[ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0[ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc[ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974[ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000[ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018[ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000[ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000[ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000[ 16.349071] Call trace:[ 16.360143] __pi_memcpy_generic+0x128/0x22c (P)[ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4[ 16.400282] swiotlb_map+0x5c/0x228[ 16.415984] dma_map_phys+0x244/0x2b8[ 16.432199] dma_map_page_attrs+0x44/0x58[ 16.449782] virtqueue_map_page_attrs+0x38/0x44[ 16.469596] virtqueue_map_single_attrs+0xc0/0x130[ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc[ 16.510355] try_fill_recv+0x2a4/0x584[ 16.526989] virtnet_open+0xd4/0x238[ 16.542775] __dev_open+0x110/0x24c[ 16.558280] __dev_change_flags+0x194/0x20c[ 16.576879] netif_change_flags+0x24/0x6c[ 16.594489] dev_change_flags+0x48/0x7c[ 16.611462] ip_auto_config+0x258/0x1114[ 16.628727] do_one_initcall+0x80/0x1c8[ 16.645590] kernel_init_freeable+0x208/0x2f0[ 16.664917] kernel_init+0x24/0x1e0[ 16.680295] ret_from_fork+0x10/0x20[ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)[ 16.723106] ---[ end trace 0000000000000000 ]---[ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b[ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31601 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vfio/xe: Reorganize the init to decouple migration from resetAttempting to issue reset on VF devices that don't support migrationleads to the following: BUG: unable to handle page fault for address: 00000000000011f8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy) Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe] Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89 RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202 RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800 R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0 FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0 PKRU: 55555554 Call Trace: xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci] pci_dev_restore+0x3b/0x80 pci_reset_function+0x109/0x140 reset_store+0x5c/0xb0 dev_attr_store+0x17/0x40 sysfs_kf_write+0x72/0x90 kernfs_fop_write_iter+0x161/0x1f0 vfs_write+0x261/0x440 ksys_write+0x69/0xf0 __x64_sys_write+0x19/0x30 x64_sys_call+0x259/0x26e0 do_syscall_64+0xcb/0x1500 ? __fput+0x1a2/0x2d0 ? fput_close_sync+0x3d/0xa0 ? __x64_sys_close+0x3e/0x90 ? x64_sys_call+0x1b7c/0x26e0 ? do_syscall_64+0x109/0x1500 ? __task_pid_nr_ns+0x68/0x100 ? __do_sys_getpid+0x1d/0x30 ? x64_sys_call+0x10b5/0x26e0 ? do_syscall_64+0x109/0x1500 ? putname+0x41/0x90 ? do_faccessat+0x1e8/0x300 ? __x64_sys_access+0x1c/0x30 ? x64_sys_call+0x1822/0x26e0 ? do_syscall_64+0x109/0x1500 ? tick_program_event+0x43/0xa0 ? hrtimer_interrupt+0x126/0x260 ? irqentry_exit+0xb2/0x710 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7877d5f1c5a4 Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4 RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009 RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007 R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9 R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0 This is caused by the fact that some of the xe_vfio_pci_core_devicemembers needed for handling reset are only initialized as part ofmigration init.Fix the problem by reorganizing the code to decouple VF init frommigration init.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31618 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFOMuch like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divideby zero error"), we also need to prevent that same crash from happeningin the udlfb driver as it uses pixclock directly when dividing, whichwill crash.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31624 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: core: clamp report_size in s32ton() to avoid undefined shifts32ton() shifts by n-1 where n is the field's report_size, a value thatcomes directly from a HID device. The HID parser bounds report_sizeonly to <= 256, so a broken HID device can supply a report descriptorwith a wide field that triggers shift exponents up to 256 on a 32-bittype when an output report is built via hid_output_field() orhid_set_field().Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds inhid_report_raw_event") added the same n > 32 clamp to the functionsnto32(), but s32ton() was never given the same fix as I guess syzbothadn't figured out how to fuzz a device the same way.Fix this up by just clamping the max value of n, just like snto32()does.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31630 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: proc: size address buffers for %pISpc outputThe AF_RXRPC procfs helpers format local and remote socket addresses intofixed 50-byte stack buffers with "%pISpc".That is too small for the longest current-tree IPv6-with-port form theformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses adotted-quad tail not only for v4mapped addresses, but also for ISATAPaddresses via ipv6_addr_is_isatap().As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535is possible with the current formatter. That is 50 visible characters, so51 bytes including the trailing NUL, which does not fit in the existingchar[50] buffers used by net/rxrpc/proc.c.Size the buffers from the formatter's maximum textual form and switch thecall sites to scnprintf().Changes since v1:- correct the changelog to cite the actual maximum current-tree case explicitly- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31637 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: reject undecryptable rxkad response ticketsrxkad_decrypt_ticket() decrypts the RXKAD response ticket and thenparses the buffer as plaintext without checking whethercrypto_skcipher_decrypt() succeeded.A malformed RESPONSE can therefore use a non-block-aligned ticketlength, make the decrypt operation fail, and still drive the ticketparser with attacker-controlled bytes.Check the decrypt result and abort the connection with RXKADBADTICKETwhen ticket decryption fails.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31639 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix key reference count leak from call->keyWhen creating a client call in rxrpc_alloc_client_call(), the code obtainsa reference to the key. This is never cleaned up and gets leaked when thecall is destroyed.Fix this by freeing call->key in rxrpc_destroy_call().Before the patch, it shows the key reference counter elevated:$ cat /proc/keys | grep afs@543211bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka$After the patch, the invalidated key is removed when the code exits:$ cat /proc/keys | grep afs@54321$

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31642 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix call removal to use RCU safe deletionFix rxrpc call removal from the rxnet->calls list to use list_del_rcu()rather than list_del_init() to prevent stuffing up reading/proc/net/rxrpc/calls from potentially getting into an infinite loop.This, however, means that list_empty() no longer works on an entry that'sbeen deleted from the list, making it harder to detect prior deletion. Fixthis by:Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls thatare unexpectedly still on the list. Limiting the number of steps meansthere's no need to call cond_resched() or to remove calls from the listhere, thereby eliminating the need for rxrpc_put_call() to check for that.rxrpc_put_call() can then be fixed to unconditionally delete the call fromthe list as it is the only place that the deletion occurs.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31646 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()page_pool_create() can return an ERR_PTR on failure. The return valueis used unconditionally in the loop that follows, passing the errorpointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),which dereferences it, causing a kernel oops.Add an IS_ERR check after page_pool_create() to return early on failure.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31647 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handlingSwitch from using the completion's raw spinlock to a local lock in theidpf_vc_xn struct. The conversion is safe because complete/_all() arecalled outside the lock and there is no reason to share the completionlock in the current logic. This avoids invalid wait context reported bythe kernel due to the async handler taking BH spinlock:[ 805.726977] =============================[ 805.726991] [ BUG: Invalid wait context ][ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE[ 805.727026] -----------------------------[ 805.727038] kworker/u261:0/572 is trying to lock:[ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf][ 805.727099] other info that might help us debug this:[ 805.727111] context-{5:5}[ 805.727119] 3 locks held by kworker/u261:0/572:[ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730[ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730[ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf][ 805.727218] stack backtrace:...[ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf][ 805.727247] Call Trace:[ 805.727249] [ 805.727251] dump_stack_lvl+0x77/0xb0[ 805.727259] __lock_acquire+0xb3b/0x2290[ 805.727268] ? __irq_work_queue_local+0x59/0x130[ 805.727275] lock_acquire+0xc6/0x2f0[ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf][ 805.727284] ? _printk+0x5b/0x80[ 805.727290] _raw_spin_lock_bh+0x38/0x50[ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf][ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf][ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf][ 805.727317] process_one_work+0x226/0x730[ 805.727322] worker_thread+0x19e/0x340[ 805.727325] ? __pfx_worker_thread+0x10/0x10[ 805.727328] kthread+0xf4/0x130[ 805.727333] ? __pfx_kthread+0x10/0x10[ 805.727336] ret_from_fork+0x32c/0x410[ 805.727345] ? __pfx_kthread+0x10/0x10[ 805.727347] ret_from_fork_asm+0x1a/0x30[ 805.727354]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31655 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabledKeep the NOC_HDCP clock always enabled to fix the potential hangcaused by the NoC ADB400 port power down handshake.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31664 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: clear trailing padding in build_polexpire()build_expire() clears the trailing padding bytes of structxfrm_user_expire after setting the hard field via memset_after(),but the analogous function build_polexpire() does not do this forstruct xfrm_user_polexpire.The padding bytes after the __u8 hard field are leftuninitialized from the heap allocation, and are then sent touserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,leaking kernel heap memory contents.Add the missing memset_after() call, matching build_expire().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31670 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: rfkill: prevent unlimited numbers of rfkill events from being createdUserspace can create an unlimited number of rfkill events if the systemis so configured, while not consuming them from the rfkill filedescriptor, causing a potential out of memory situation. Prevent thisfrom bounding the number of pending rfkill events at a "large" number(i.e. 1000) to prevent abuses like this.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31674 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].Validate addrnr during rule installation so malformed rules are rejectedbefore the match logic can use an out-of-range value.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31677 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - limit RX SG extraction by receive buffer budgetMake af_alg_get_rsgl() limit each RX scatterlist extraction to theremaining receive buffer budget.af_alg_get_rsgl() currently uses af_alg_readable() only as a gatebefore extracting data into the RX scatterlist. Limit each extractionto the remaining af_alg_rcvbuf(sk) budget so that receive-sideaccounting matches the amount of data attached to the request.If skcipher cannot obtain enough RX space for at least one chunk whilemore data remains to be processed, reject the recvmsg call instead ofrounding the request length down to zero.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31696 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: Fix missing validation of ticket length in non-XDR key preparsingIn rxrpc_preparse(), there are two paths for parsing key payloads: theXDR path (for large payloads) and the non-XDR path (for payloads <= 28bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctlyvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDRpath fails to do so.This allows an unprivileged user to provide a very large ticket length.When this key is later read via rxrpc_read(), the totaltoken size (toksize) calculation results in a value that exceedsAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,bringing it into parity with the XDR parsing logic.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31732 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"),`gdev->dev.release` is unset. As a result, the reference count to`gdev->dev` isn't dropped on the error handling paths.Drop the reference on errors.Also reorder the instructions to make the error handling simpler.Now gpiochip_add_data_with_key() roughly looks like: >>> Some memory allocation. Go to ERR ZONE 1 on errors. >>> device_initialize(). gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free. >>> Some initialization mainly on `gdev`. >>> The rest of initialization. Go to ERR ZONE 2 on errors. >>> Chip registration success and exit. >>> ERR ZONE 2. gpio_device_put() and exit. >>> ERR ZONE 1.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31737 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ftgmac100: fix ring allocation unwind on open failureftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, andrx_scratch in stages. On intermediate failures it returned -ENOMEMdirectly, leaking resources allocated earlier in the function.Rework the failure path to use staged local unwind labels and freeallocated resources in reverse order before returning -ENOMEM. Thismatches common netdev allocation cleanup style.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31752 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: br_nd_send: validate ND option lengthsbr_nd_send() walks ND options according to option-provided lengths.A malformed option can make the parser advance beyond the computedoption span or use a too-short source LLADDR option payload.Validate option lengths against the remaining NS option area beforeadvancing, and only read source LLADDR when the option is large enoughfor an Ethernet address.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31774 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()sqe->len is __u32 but gets stored into sr->len which is int. Whenuserspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF),sr->len overflows to a negative value. This negative value propagatesthrough the bundle recv/send path: 1. io_recv(): sel.val = sr->len (ssize_t gets -1) 2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF) 3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large 4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs() 5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] arrayThis results in a slab-out-of-bounds read in io_bundle_nbufs() fromthe kmalloc-64 slab, as nbufs increments past the allocated iovecentries. BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160 Read of size 8 at addr ffff888100ae05c8 by task exp/145 Call Trace: io_bundle_nbufs+0x128/0x160 io_recv_finish+0x117/0xe20 io_recv+0x2db/0x1160Fix this by rejecting negative sr->len values early in bothio_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32,any value > INT_MAX indicates overflow and is not a valid length.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31777 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: ctxfi: Check the error for index mappingThe ctxfi driver blindly assumed a proper value returned fromdaio_device_index(), but it's not always true. Add a proper errorcheck to deal with the error from the function.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31787 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xen/privcmd: fix double free via VMA splittingprivcmd_vm_ops defines .close (privcmd_close), but neither .may_splitnor .open. When userspace does a partial munmap() on a privcmd mapping,the kernel splits the VMA via __split_vma(). Since may_split is NULL,the split is allowed. vm_area_dup() copies vm_private_data (a pagesarray allocated in alloc_empty_pages()) into the new VMA without anyfixup, because there is no .open callback.Both VMAs now point to the same pages array. When the unmapped portionis closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages)The surviving VMA still holds the dangling pointer. When it is laterdestroyed, the same sequence runs again, which leads to a double free.Fix this issue by adding a .may_split callback denying the VMA split.This is XSA-487 / CVE-2026-31787

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-33947 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-34933 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.15.1).

CVE-2026-39314 Severity: Moderate CVSS3 score: 5.5

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-39316 Severity: Moderate CVSS3 score: 5.5

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-39956 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-40164 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n?) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-40475 Severity: Moderate CVSS3 score: 5.5

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
python3-pyOpenSSL > 0-0 (version in image is 21.0.0-150400.10.1).

CVE-2026-41256 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-43009 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix incorrect pruning due to atomic fetch precision trackingWhen backtrack_insn encounters a BPF_STX instruction with BPF_ATOMICand BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts asa destination, thus receiving the old value from the memory location.The current backtracking logic does not account for this. It treatsatomic fetch operations the same as regular stores where the srcregister is only an input. This leads the backtrack_insn to fail topropagate precision to the stack location, which is then not markedas precise!Later, the verifier's path pruning can incorrectly consider two statesequivalent when they differ in terms of stack state. Meaning, twobranches can be treated as equivalent and thus get pruned when theyshould not be seen as such.Fix it as follows: Extend the BPF_LDX handling in backtrack_insn toalso cover atomic fetch operations via is_atomic_fetch_insn() helper.When the fetch dst register is being tracked for precision, clear it,and propagate precision over to the stack slot. For non-stack memory,the precision walk stops at the atomic instruction, same as regularBPF_LDX. This covers all fetch variants.Before: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exitAfter: 0: (b7) r1 = 8 ; R1=8 1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8 2: (b7) r2 = 0 ; R2=0 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm 4: (bf) r3 = r10 ; R3=fp0 R10=fp0 5: (0f) r3 += r2 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10 mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0 mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1 mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8 6: R2=8 R3=fp8 6: (b7) r0 = 0 ; R0=0 7: (95) exit

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43010 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Reject sleepable kprobe_multi programs at attach timekprobe.multi programs run in atomic/RCU context and cannot sleep.However, bpf_kprobe_multi_link_attach() did not validate whether theprogram being attached had the sleepable flag set, allowing sleepablehelpers such as bpf_copy_from_user() to be invoked from a non-sleepablecontext.This causes a "sleeping function called from invalid context" splat: BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 0Fix this by rejecting sleepable programs early inbpf_kprobe_multi_link_attach(), before any further processing.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43013 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: lag: Check for LAG device before creating debugfs__mlx5_lag_dev_add_mdev() may return 0 (success) even when an erroroccurs that is handled gracefully. Consequently, the initializationflow proceeds to call mlx5_ldev_add_debugfs() even when there is novalid LAG context.mlx5_ldev_add_debugfs() blindly created the debugfs directory andattributes. This exposed interfaces (like the members file) that rely ona valid ldev pointer, leading to potential NULL pointer dereferences ifaccessed when ldev is NULL.Add a check to verify that mlx5_lag_dev(dev) returns a valid pointerbefore attempting to create the debugfs entries.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43014 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: properly unregister fixed rate clocksThe additional resources allocated with clk_register_fixed_rate() needto be released with clk_unregister_fixed_rate(), otherwise they are lost.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43015 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: fix clk handling on PCI glue driver removalplatform_device_unregister() may still want to use the registered clksduring runtime resume callback.Note that there is a commit d82d5303c4c5 ("net: macb: fix use after freeon rmmod") that addressed the similar problem of clk vs platform deviceunregistration but just moved the bug to another place.Save the pointers to clks into local variables for reuse after platformdevice is unregistered.BUG: KASAN: use-after-free in clk_prepare+0x5a/0x60Read of size 8 at addr ffff888104f85e00 by task modprobe/597CPU: 2 PID: 597 Comm: modprobe Not tainted 6.1.164+ #114Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014Call Trace: dump_stack_lvl+0x8d/0xba print_report+0x17f/0x496 kasan_report+0xd9/0x180 clk_prepare+0x5a/0x60 macb_runtime_resume+0x13d/0x410 [macb] pm_generic_runtime_resume+0x97/0xd0 __rpm_callback+0xc8/0x4d0 rpm_callback+0xf6/0x230 rpm_resume+0xeeb/0x1a70 __pm_runtime_resume+0xb4/0x170 bus_remove_device+0x2e3/0x4b0 device_del+0x5b3/0xdc0 platform_device_del+0x4e/0x280 platform_device_unregister+0x11/0x50 pci_device_remove+0xae/0x210 device_remove+0xcb/0x180 device_release_driver_internal+0x529/0x770 driver_detach+0xd4/0x1a0 bus_remove_driver+0x135/0x260 driver_unregister+0x72/0xb0 pci_unregister_driver+0x26/0x220 __do_sys_delete_module+0x32e/0x550 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 519: kasan_save_stack+0x2c/0x50 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x8e/0x90 __clk_register+0x458/0x2890 clk_hw_register+0x1a/0x60 __clk_hw_register_fixed_rate+0x255/0x410 clk_register_fixed_rate+0x3c/0xa0 macb_probe+0x1d8/0x42e [macb_pci] local_pci_probe+0xd7/0x190 pci_device_probe+0x252/0x600 really_probe+0x255/0x7f0 __driver_probe_device+0x1ee/0x330 driver_probe_device+0x4c/0x1f0 __driver_attach+0x1df/0x4e0 bus_for_each_dev+0x15d/0x1f0 bus_add_driver+0x486/0x5e0 driver_register+0x23a/0x3d0 do_one_initcall+0xfd/0x4d0 do_init_module+0x18b/0x5a0 load_module+0x5663/0x7950 __do_sys_finit_module+0x101/0x180 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8Freed by task 597: kasan_save_stack+0x2c/0x50 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x180 __kmem_cache_free+0xbc/0x320 clk_unregister+0x6de/0x8d0 macb_remove+0x73/0xc0 [macb_pci] pci_device_remove+0xae/0x210 device_remove+0xcb/0x180 device_release_driver_internal+0x529/0x770 driver_detach+0xd4/0x1a0 bus_remove_driver+0x135/0x260 driver_unregister+0x72/0xb0 pci_unregister_driver+0x26/0x220 __do_sys_delete_module+0x32e/0x550 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43016 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().syzbot reported use-after-free of AF_UNIX socket's sk->sk_socketin sk_psock_verdict_data_ready(). [0]In unix_stream_sendmsg(), the peer socket's ->sk_data_ready() iscalled after dropping its unix_state_lock().Although the sender socket holds the peer's refcount, it does notprevent the peer's sock_orphan(), and the peer's sk_socket mightbe freed after one RCU grace period.Let's fetch the peer's sk->sk_socket and sk->sk_socket->ops underRCU in sk_psock_verdict_data_ready().[0]:BUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278Read of size 8 at addr ffff8880594da860 by task syz.4.1842/11013CPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278 unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482 sock_sendmsg_nosec net/socket.c:721 [inline] __sock_sendmsg net/socket.c:736 [inline] ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639 __sys_sendmsg net/socket.c:2671 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7facf899c819Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002eRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004RBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78 Allocated by task 11013: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885 sock_alloc_inode+0x28/0xc0 net/socket.c:316 alloc_inode+0x6a/0x1b0 fs/inode.c:347 new_inode_pseudo include/linux/fs.h:3003 [inline] sock_alloc net/socket.c:631 [inline] __sock_create+0x12d/0x9d0 net/socket.c:1562 sock_create net/socket.c:1656 [inline] __sys_socketpair+0x1c4/0x560 net/socket.c:1803 __do_sys_socketpair net/socket.c:1856 [inline] __se_sys_socketpair net/socket.c:1853 [inline] __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fFreed by task 15: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2685 [inline] slab_free mm/slub.c:6165 [inline] kmem_cache_free+0x187/0x630 mm/slub.c:6295 rcu_do_batch kernel/rcu/tree.c:---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43022 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if existshci_cmd_sync_queue_once() needs to indicate whether a queue item wasadded, so caller can know if callbacks are called, so it can avoidleaking resources.Change the function to return -EEXIST if queue item already exists.Modify all callsites to handle that.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43024 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: reject immediate NF_QUEUE verdictnft_queue is always used from userspace nftables to deliver the NF_QUEUEverdict. Immediately emitting an NF_QUEUE verdict is never used by theuserspace nft tools, so reject immediate NF_QUEUE verdicts.The arp family does not provide queue support, but such an immediateverdict is still reachable. Globally reject NF_QUEUE immediate verdictsto address this issue.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43026 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absentctnetlink_alloc_expect() allocates expectations from a non-zeroingslab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is notpresent in the netlink message, saved_addr and saved_proto arenever initialized. Stale data from a previous slab occupant canthen be dumped to userspace by ctnetlink_exp_dump_expect(), whichchecks these fields to decide whether to emit CTA_EXPECT_NAT.The safe sibling nf_ct_expect_init(), used by the packet path,explicitly zeroes these fields.Zero saved_addr, saved_proto and dir in the else branch, guardedby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist whenNAT is enabled.Confirmed by priming the expect slab with NAT-bearing expectations,freeing them, creating a new expectation without CTA_EXPECT_NAT,and observing that the ctnetlink dump emits a spuriousCTA_EXPECT_NAT containing stale data from the prior allocation.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43028 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: x_tables: ensure names are nul-terminatedReject names that lack a \0 character before feeding themto functions that expect c-strings.Fixes tag is the most recent commit that needs this change.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43030 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix regsafe() for pointers to packetIn case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == Nregsafe() may return true which may lead to current state withvalid packet range not being explored. Fix the bug.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43034 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bnxt_en: set backing store type from query typebnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from thefirmware response in ctxm->type and later uses that value to indexfixed backing-store metadata arrays such as ctx_arr[] andbnxt_bstore_to_trace[].ctxm->type is fixed by the current backing-store query type and matchesthe array index of ctx->ctx_arr. Set ctxm->type from the current loopvariable instead of depending on resp->type.Also update the loop to advance type from next_valid_type in the forstatement, which keeps the control flow simpler for non-valid andunchanged entries.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43035 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leakWhen building netlink messages, tc_chain_fill_node() never initializesthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,kernel heap memory is leaked to userspace through this 4-byte field.The fix simply zeroes tcm_info alongside the other fields that arealready initialized.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43036 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: use skb_header_pointer() for TCPv4 GSO frag_off checkSyzbot reported a KMSAN uninit-value warning in gso_features_check()called from netif_skb_features() [1].gso_features_check() reads iph->frag_off to decide whether to clearmangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr()can rely on skb header offsets that are not always safe for directdereference on packets injected from PF_PACKET paths.Use skb_header_pointer() for the TCPv4 frag_off check so the header readis robust whether data is already linear or needs copying.[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43038 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?This patch implements the first suggestion.I am not sure if ip6ip6_err() needs to be changed.A separate patch would be better anyway.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43040 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leakWhen processing Router Advertisements with user options the kernelbuilds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg structhas three padding fields that are never zeroed and can leak kernel dataThe fix is simple, just zeroes the padding fields.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43041 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak__radix_tree_create() allocates and links intermediate nodes into thetree one by one. If a subsequent allocation fails, the already-linkednodes remain in the tree with no corresponding leaf entry. These orphanedinternal nodes are never reclaimed because radix_tree_for_each_slot()only visits slots containing leaf values.The radix_tree API is deprecated in favor of xarray. As suggested byMatthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray insteadof fixing the radix_tree itself [1]. xarray properly handles cleanup ofinternal nodes - xa_destroy() frees all internal xarray nodes when theqrtr_node is released, preventing the leak.[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43042 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mpls: add seqcount to protect the platform_label{,s} pairThe RCU-protected codepaths (mpls_forward, mpls_dump_routes) can havean inconsistent view of platform_labels vs platform_label in case of aconcurrent resize (resize_platform_label_table, underplatform_mutex). This can lead to OOB accesses.This patch adds a seqcount, so that we get a consistent snapshot.Note that mpls_label_ok is also susceptible to this, so the checkagainst RTA_DST in rtm_to_route_config, done outside platform_mutex,is not sufficient. This value gets passed to mpls_label_ok once morein both mpls_route_add and mpls_route_del, so there is no issue, butthat additional check must not be removed.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43048 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: core: Mitigate potential OOB by removing bogus memset()The memset() in hid_report_raw_event() has the good intention ofclearing out bogus data by zeroing the area from the end of the incomingdata string to the assumed end of the buffer. However, as we havepreviously seen, doing so can easily result in OOB reads and writes inthe subsequent thread of execution.The current suggestion from one of the HID maintainers is to remove thememset() and simply return if the incoming event buffer size is notlarge enough to fill the associated report.Suggested-by Benjamin Tissoires [bentiss: changed the return value]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43049 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failurePresently, if the force feedback initialisation fails when probing theLogitech G920 Driving Force Racing Wheel for Xbox One, an error numberwill be returned and propagated before the userspace infrastructure(sysfs and /dev/input) has been torn down. If userspace ignores theerrors and continues to use its references to these dangling entities, aUAF will promptly follow.We have 2 options; continue to return the error, but ensure that all ofthe infrastructure is torn down accordingly or continue to treat thiscondition as a warning by emitting the message but returning success.It is thought that the original author's intention was to emit thewarning but keep the device functional, less the force feedback feature,so let's go with that.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43053 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfs: close crash window in attr dabtree inactivationWhen inactivating an inode with node-format extended attributes,xfs_attr3_node_inactive() invalidates all child leaf/node blocks viaxfs_trans_binval(), but intentionally does not remove the correspondingentries from their parent node blocks. The implicit assumption is thatxfs_attr_inactive() will truncate the entire attr fork to zero extentsafterwards, so log recovery will never reach the root node and followthose stale pointers.However, if a log shutdown occurs after the leaf/node block cancellationscommit but before the attr bmap truncation commits, this assumptionbreaks. Recovery replays the attr bmap intact (the inode still hasattr fork extents), but suppresses replay of all cancelled leaf/nodeblocks, maybe leaving them as stale data on disk. On the next mount,xlog_recover_process_iunlinks() retries inactivation and attempts toread the root node via the attr bmap. If the root node was not replayed,reading the unreplayed root block triggers a metadata verificationfailure immediately; if it was replayed, following its child pointersto unreplayed child blocks triggers the same failure: XFS (pmem0): Metadata corruption detected at xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78 XFS (pmem0): Unmount and run xfs_repair XFS (pmem0): First 128 bytes of corrupted metadata buffer: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117Fix this in two places:In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on achild block, immediately remove the entry that references it from theparent node in the same transaction. This eliminates the window wherethe parent holds a pointer to a cancelled block. Once all children areremoved, the now-empty root node is converted to a leaf block within thesame transaction. This node-to-leaf conversion is necessary for crashsafety. If the system shutdown after the empty node is written to thelog but before the second-phase bmap truncation commits, log recoverywill attempt to verify the root block on disk. xfs_da3_node_verify()does not permit a node block with count == 0; such a block will failverification and trigger a metadata corruption shutdown. on the otherhand, leaf blocks are allowed to have this transient state.In xfs_attr_inactive(), split the attr fork truncation into two explicitphases. First, truncate all extents beyond the root block (the childextents whose parent references have already been removed above).Second, invalidate the root block and truncate the attr bmap to zero ina single transaction. The two operations in the second phase must beatomic: as long as the attr bmap has any non-zero length, recovery canfollow it to the root block, so the root block invalidation must committogether with the bmap-to-zero truncation.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43054 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: tcm_loop: Drain commands in target_reset handlertcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESSwithout draining any in-flight commands. The SCSI EH documentation(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driverhas made lower layers "forget about timed out scmds" and is ready for newcommands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,mpi3mr) enforces this by draining or completing outstanding commands beforereturning SUCCESS.Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flightscsi_cmnd structures for recovery commands (e.g. TUR) while the target corestill has async completion work queued for the old se_cmd. The memset inqueuecommand zeroes se_lun and lun_ref_active, causingtransport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUNreference prevents transport_clear_lun_ref() from completing, hangingconfigfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd - this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43057 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: correctly handle tunneled traffic on IPV6_CSUM GSO fallbackNETIF_F_IPV6_CSUM only advertises support for checksum offload ofpackets without IPv6 extension headers. Packets with extensionheaders must fall back onto software checksumming. Since TSOdepends on checksum offload, those must revert to GSO.The below commit introduces that fallback. It always checksnetwork header length. For tunneled packets, the inner header lengthmust be checked instead. Extend the check accordingly.A special case is tunneled packets without inner IP protocol. Such asRFC 6951 SCTP in UDP. Those are not standard IPv6 followed bytransport header either, so also must revert to the software GSO path.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43060 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_ct: drop pending enqueued packets on removalPackets sitting in nfqueue might hold a reference to:- templates that specify the conntrack zone, because a percpu area is used and module removal is possible.- conntrack timeout policies and helper, where object removal leave a stale reference.Since these objects can just go away, drop enqueued packets to avoidstale reference to them.If there is a need for finer grain removal, this logic can be revisitedto make selective packet drop upon dependencies.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43078 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsglWhen page reassignment was added to af_alg_pull_tsgl the originalloop wasn't updated so it may try to reassign one more page thannecessary.Add the check to the reassignment so that this does not happen.Also update the comment which still refers to the obsolete offsetargument.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43079 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:perf/x86/intel/uncore: Skip discovery table for offline diesThis warning can be triggered if NUMA is disabled and the systemboots with fewer CPUs than the number of CPUs in die 0.WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]Currently, the discovery table continues to be parsed even if all CPUsin the associated die are offline. This can lead to an array overflowat "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which maytrigger the warning above or cause other issues.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43080 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:l2tp: Drop large packets with UDP encapsyzbot reported a WARN on my patch series [1]. The actual issue is anoverflow of 16-bit UDP length field, and it exists in the upstream code.My series added a debug WARN with an overflow check that exposed theissue, that's why syzbot tripped on my patches, rather than on upstreamcode.syzbot's repro:r0 = socket$pppl2tp(0x18, 0x1, 0x1)r1 = socket$inet6_udp(0xa, 0x2, 0x0)connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDPencapsulation, and l2tp_xmit_core doesn't check for overflows when itassigns the UDP length field. The value gets trimmed to 16 bites.Add an overflow check that drops oversized packets and avoids sendingpackets with trimmed UDP length to the wire.syzbot's stack trace (with my patch applied):len >= 65536uWARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957Modules linked in:CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4fRSP: 0018:ffffc90003d67878 EFLAGS: 00010293RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffffRBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0Call Trace: pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x503/0x550 net/socket.c:1195 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1059 do_writev+0x154/0x2e0 fs/read_write.c:1105 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f636479c629Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 [1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43081 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+Fix the field masks to match the hardware layout documented indownstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).Notably this fixes a WARN I was seeing when I tried to send "stop"to the MPSS remoteproc while IPA was up.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43083 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ioam6: fix OOB and missing lockWhen trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc);This code can lead to an out-of-bounds access of the dev->_tx[] arraywhen is_input is true. In such a case, the packet is on the RX path andskb->queue_mapping contains the RX queue index of the ingress device. Ifthe ingress device has more RX queues than the egress device (dev) hasTX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.Add a check to avoid this situation since skb_get_tx_queue() does notclamp the index. This issue has also revealed that per queue visibilitycannot be accurate and will be replaced later as a new feature.While at it, add missing lock around qdisc_qstats_qlen_backlog(). Thefunction __ioam6_fill_trace_data() is called from both softirq andprocess contexts, hence the use of spin_lock_bh() here.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43085 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminatorWhen batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload vianlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()helper only zeroes alignment padding after the payload, not the payloaditself, so four bytes of stale kernel heap data are leaked to userspacein the NLMSG_DONE message body.Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializesthe nfgenmsg payload via nfnl_fill_hdr(), consistent with how__build_packet_message() already constructs NFULNL_MSG_PACKET headers.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43086 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipvs: fix NULL deref in ip_vs_add_service error pathWhen ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the localvariable sched is set to NULL. If ip_vs_start_estimator() subsequentlyfails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULLcheck (because svc->scheduler was set by the successful bind) but thendereferences the NULL sched parameter at sched->done_service, causing akernel panic at offset 0x30 from NULL. Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..]Fix by simply not clearing the local sched variable after a successfulbind. ip_vs_unbind_scheduler() already detects whether a scheduler isinstalled via svc->scheduler, and keeping sched non-NULL ensures theerror path passes the correct pointer to both ip_vs_unbind_scheduler()and ip_vs_scheduler_put().While the bug is older, the problem popups in more recent kernels (6.2),when the new error path is taken after the ip_vs_start_estimator() call.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43089 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm_user: fix info leak in build_mapping()struct xfrm_usersa_id has a one-byte padding hole after the protofield, which ends up never getting set to zero before copying out touserspace. Fix that up by zeroing out the whole structure beforesetting individual variables.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43091 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: Wait for RCU readers during policy netns exitxfrm_policy_fini() frees the policy_bydst hash tables after flushing thepolicy work items and deleting all policies, but it does not wait forconcurrent RCU readers to leave their read-side critical sections first.The policy_bydst tables are published via rcu_assign_pointer() and arelooked up through rcu_dereference_check(), so netns teardown must alsowait for an RCU grace period before freeing the table memory.Fix this by adding synchronize_rcu() before freeing the policy hash tables.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43092 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xsk: validate MTU against usable frame size on bindAF_XDP bind currently accepts zero-copy pool configurations withoutverifying that the device MTU fits into the usable frame space providedby the UMEM chunk.This becomes a problem since we started to respect tailroom which issubtracted from chunk_size (among with headroom). 2k chunk size mightnot provide enough space for standard 1500 MTU, so let us catch suchsettings at bind time. Furthermore, validate whether underlying HW willbe able to satisfy configured MTU wrt XSK's frame size multiplied bysupported Rx buffer chain length (that is exposed vianet_device::xdp_zc_max_segs).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43093 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xsk: tighten UMEM headroom validation to account for tailroom and min frameThe current headroom validation in xdp_umem_reg() could leave us withinsufficient space dedicated to even receive minimum-sized ethernetframe. Furthermore if multi-buffer would come to play thenskb_shared_info stored at the end of XSK frame would be corrupted.HW typically works with 128-aligned sizes so let us provide this valueas bare minimum.Multi-buffer setting is known later in the configuration process sobesides accounting for 128 bytes, let us also take care of tailroom spaceupfront.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43094 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ixgbevf: add missing negotiate_features op to Hyper-V ops tableCommit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility bynegotiating supported features") added the .negotiate_features callbackto ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgotto add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULLon Hyper-V VMs.During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),which unconditionally dereferences hw->mac.ops.negotiate_features().On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...]Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP andwire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPPgracefully.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43099 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: icmp: fix null-ptr-deref in icmp_build_probe()ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when theIPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passingthis error pointer to dev_hold() will cause a kernel crash withnull-ptr-deref.Instead, silently discard the request. RFC 8335 does not appear todefine a specific response for the case where an IPv6 interfaceidentifier is syntactically valid but the implementation cannot performthe lookup at runtime, and silently dropping the request may safer thanmisreporting "No Such Interface".

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43101 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()We need to check __in6_dev_get() for possible NULL value, assuggested by Yiming Qian.Also add skb_dst_dev_rcu() instead of skb_dst_dev(),and two missing READ_ONCE().Note that @dev can't be NULL.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43103 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: lapbether: handle NETDEV_PRE_TYPE_CHANGElapbeth_data_transmit() expects the underlying device typeto be ARPHRD_ETHER.Returning NOTIFY_BAD from lapbeth_device_event() makes surebonding driver can not break this expectation.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43107 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: account XFRMA_IF_ID in aevent size calculationxfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), thenbuild_aevent() appends attributes including XFRMA_IF_ID when x->if_id isset.xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For stateswith if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0)in xfrm_get_ae(), turning a malformed netlink interaction into a kernelpanic.Account XFRMA_IF_ID in the size calculation unconditionally and replacethe BUG_ON with normal error unwinding.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43112 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepathWhen cifs_sanitize_prepath is called with an empty string or a stringcontaining only delimiters (e.g., "/"), the current logic attempts tocheck *(cursor2 - 1) before cursor2 has advanced. This results in anout-of-bounds read.This patch adds an early exit check after stripping prependeddelimiters. If no path content remains, the function returns NULL.The bug was identified via manual audit and verified using astandalone test case compiled with AddressSanitizer, whichtriggered a SEGV on affected inputs.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43114 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiryNew test case fails unexpectedly when avx2 matching functions are used.The test first loads a ranomly generated pipapo setwith 'ipv4 . port' key, i.e. nft -f foo.This works. Then, it reloads the set after a flush:(echo flush set t s; cat foo) | nft -f -This is expected to work, because its the same set after all and it wasalready loaded once.But with avx2, this fails: nft reports a clashing element.The reported clash is of following form: We successfully re-inserted a . b c . dThen we try to insert a . davx2 finds the already existing a . d, which (due to 'flush set') is markedas invalid in the new generation. It skips the element and moves to next.Due to incorrect masking, the skip-step finds the next matchingelement *only considering the first field*,i.e. we return the already reinserted "a . b", even though thelast field is different and the entry should not have been matched.No such error is reported for the generic c implementation (no avx2) or whenthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.Bisection points to7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection")but that fix merely uncovers this bug.Before this commit, the wrong element is returned, but erronouslyreported as a full, identical duplicate.The root-cause is too early return in the avx2 match functions.When we process the last field, we should continue to process datauntil the entire input size has been consumed to make sure no stalebits remain in the map.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43115 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:srcu: Use irq_work to start GP in tiny SRCUTiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(),which acquires the workqueue pool->lock.This causes a lockdep splat when call_srcu() is called with a schedulerlock held, due to: call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lockAlso add irq_work_sync() to cleanup_srcu_struct() to prevent ause-after-free if a queued irq_work fires after cleanup begins.Tested with rcutorture SRCU-T and no lockdep warnings.[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_workto start process_srcu()" ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43116 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: ctnetlink: ensure safe access to master conntrackHolding reference on the expectation is not sufficient, the masterconntrack object can just go away, making exp->master invalid.To access exp->master safely:- Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away.- Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths.This patch goes for extending the nf_conntrack_expect_lock sectionto address this issue for simplicity, in the cases that are describedbelow this is just slightly extending the lock section.The add expectation command already holds a reference to the masterconntrack from ctnetlink_create_expect().However, the delete expectation command needs to grab the spinlockbefore looking up for the expectation. Expand the existing spinlocksection to address this to cover the expectation lookup. Note that,the nf_ct_expect_iterate_net() calls already grabs the spinlock whileiterating over the expectation table, which is correct.The get expectation command needs to grab the spinlock to ensure masterconntrack does not go away. This also expands the existing spinlocksection to cover the expectation lookup too. I needed to move thenetlink skb allocation out of the spinlock to keep it GFP_KERNEL.For the expectation events, the IPEXP_DESTROY event is already deliveredunder the spinlock, just move the delivery of IPEXP_NEW under thespinlock too because the master conntrack event cache is reached throughexp->master.While at it, add lockdep notations to help identify what codepaths needto grab the spinlock.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43124 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pstore: ram_core: fix incorrect success return when vmap() failsIn persistent_ram_vmap(), vmap() may return NULL on failure.If offset is non-zero, adding offset_in_page(start) causes the functionto return a non-NULL pointer even though the mapping failed.persistent_ram_buffer_map() therefore incorrectly returns success.Subsequent access to prz->buffer may dereference an invalid addressand cause crashes.Add proper NULL checking for vmap() failures.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43125 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dlm: validate length in dlm_search_rsb_treeThe len parameter in dlm_dump_rsb_name() is not validated and comesfrom network messages. When it exceeds DLM_RESNAME_MAXLEN, it cancause out-of-bounds write in dlm_search_rsb_tree().Add length validation to prevent potential buffer overflow.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43128 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/umem: Fix double dma_buf_unpin in failure pathIn ib_umem_dmabuf_get_pinned_with_dma_device(), the call toib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabufis immediately unpinned but the umem_dmabuf->pinned flag is stillset. Then, when ib_umem_release() is called, it callsib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.Fix this by removing the immediate unpin upon failure and just letthe ib_umem_release/revoke path handle it. This also ensures theproper unmap-unpin unwind ordering if the dmabuf_map_pages callhappened to fail due to dma_resv_wait_timeout (and therefore hasa non-NULL umem_dmabuf->sgt).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43129 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ima: verify the previous kernel's IMA buffer lies in addressable RAMPatch series "Address page fault in ima_restore_measurement_list()", v3.When the second-stage kernel is booted via kexec with a limiting commandline such as "mem=" we observe a pafe fault that happens. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present pageThis happens on x86_64 only, as this is already fixed in aarch64 incommit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-bufferagainst memory bounds")This patch (of 3):When the second-stage kernel is booted with a limiting command line (e.g. "mem="), the IMA measurement buffer handed over from the previouskernel may fall outside the addressable RAM of the new kernel. Accessingsuch a buffer can fault during early restore.Introduce a small generic helper, ima_validate_range(), which verifiesthat a physical [start, end] range for the previous-kernel IMA buffer lieswithin addressable memory: - On x86, use pfn_range_is_mapped(). - On OF based architectures, use page_is_ram().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43130 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable modeCommit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidationrequest when device is disconnected") relies onpci_dev_is_disconnected() to skip ATS invalidation forsafely-removed devices, but it does not cover link-down causedby faults, which can still hard-lock the system.For example, if a VM fails to connect to the PCIe device,"virsh destroy" is executed to release resources and isolatethe fault, but a hard-lockup occurs while releasing the group fd.Call Trace: qi_submit_sync qi_flush_dev_iotlb intel_pasid_tear_down_entry device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fputAlthough pci_device_is_present() is slower thanpci_dev_is_disconnected(), it still takes only ~70 ?s on aConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speedand width increase.Besides, devtlb_invalidation_with_pasid() is called only in thepaths below, which are far less frequent than memory map/unmap.1. mm-struct release2. {attach,release}_dev3. set/remove PASID4. dirty-tracking setupThe gain in system stability far outweighs the negligible costof using pci_device_is_present() instead of pci_dev_is_disconnected()to decide when to skip ATS invalidation, especially under GDRhigh-load conditions.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43132 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dm-verity: correctly handle dm_bufio_client_create() failureIf either of the calls to dm_bufio_client_create() in verity_fec_ctr()fails, then dm_bufio_client_destroy() is later called with an ERR_PTR()argument. That causes a crash. Fix this.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43133 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulationCommit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmloadof guest state") made KVM always use vmcb01 for the fields controlled byVMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation codeto always use vmcb01.As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is notintercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01instead of the current VMCB.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43137 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: SOF: Intel: hda: Fix NULL pointer dereferenceIf there's a mismatch between the DAI links in the machine driver andthe topology, it is possible that the playback/capture widget is notset, especially in the case of loopback capture for echo referencewhere we use the dummy DAI link. Return the error when the widget is notset to avoid a null pointer dereference like below when the topology isbroken.RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43139 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm6: fix uninitialized saddr in xfrm6_get_saddr()xfrm6_get_saddr() does not check the return value ofipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitablesource address (returns -EADDRNOTAVAIL), saddr->in6 is leftuninitialized, but xfrm6_get_saddr() still returns 0 (success).This causes the caller xfrm_tmpl_resolve_one() to use the uninitializedaddress in xfrm_state_find(), triggering KMSAN warning:=====================================================BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7fLocal variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770=====================================================Fix by checking the return value of ipv6_dev_get_saddr() and propagatingthe error.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43148 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()As kcalloc() may fail, check its return value to avoid a NULL pointerdereference when passing it to of_property_read_u32_array().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43150 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:perf/arm-cmn: Reject unsupported hardware configurationsSo far we've been fairly lax about accepting both unknown CMN models(at least with a warning), and unknown revisions of those which wedo know, as although things do frequently change between releases,typically enough remains the same to be somewhat useful for at leastsome basic bringup checks. However, we also make assumptions of themaximum supported sizes and numbers of things in various places, andthere's no guarantee that something new might not be bigger and leadto nasty array overflows. Make sure we only try to run on things thatactually match our assumptions and so will not risk memory corruption.We have at least always failed on completely unknown node types, soupdate that error message for clarity and consistency too.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43157 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-af: CGX: fix bitmap leaksThe RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap)are allocated by cgx_lmac_init() but never freed in cgx_lmac_exit().Unbinding and rebinding the driver therefore triggers kmemleak: unreferenced object (size 16): backtrace: rvu_alloc_bitmap cgx_probeFree both bitmaps during teardown.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43161 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable modePCIe endpoints with ATS enabled and passed through to userspace(e.g., QEMU, DPDK) can hard-lock the host when their link drops,either by surprise removal or by a link fault.Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidationrequest when device is disconnected") adds pci_dev_is_disconnected()to devtlb_invalidation_with_pasid() so ATS invalidation is skippedonly when the device is being safely removed, but it applies onlywhen Intel IOMMU scalable mode is enabled.With scalable mode disabled or unsupported, a system hard-lockoccurs when a PCIe endpoint's link drops because the Intel IOMMUwaits indefinitely for an ATS invalidation that cannot complete.Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_istCommit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release")adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(),which calls qi_flush_dev_iotlb() and can also hard-lock the systemwhen a PCIe endpoint's link drops.Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 intel_context_flush_no_pasid device_pasid_table_teardown pci_pasid_table_teardown pci_for_each_dma_alias intel_pasid_teardown_sm_context intel_iommu_release_device iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_istSometimes the endpoint loses connection without a link-down event(e.g., due to a link fault); killing the process (virsh destroy)then hard-locks the host.Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fputpci_dev_is_disconnected() only covers safe-removal paths;pci_device_is_present() tests accessibility by readingvendor/device IDs and internally calls pci_dev_is_disconnected().On a ConnectX-5 (8 GT/s, x2) this costs ~70 ?s.Since __context_flush_dev_iotlb() is only called on{attach,release}_dev paths (not hot), add pci_device_is_present()there to skip inaccessible devices and avoid the hard-lock.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43163 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md/bitmap: fix GPF in write_page caused by resize raceA General Protection Fault occurs in write_page() during array resize:RIP: 0010:write_page+0x22b/0x3c0 [md_mod]This is a use-after-free race between bitmap_daemon_work() and__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`without locking, while the resize path frees that storage viamd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,allowing concurrent access to freed pages.Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43167 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: always flush state and policy upon NETDEV_UNREGISTER eventsyzbot is reporting that "struct xfrm_state" refcount is leaking. unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline] xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646 __sys_sendmsg+0x16d/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fThis is because commit d77e38e612a0 ("xfrm: Add an IPsec hardwareoffloading API") implemented xfrm_dev_unregister() as no-op despitexfrm_dev_state_add() from xfrm_state_construct() acquires a referenceto "struct net_device".I guess that that commit expected that NETDEV_DOWN event is fired beforeNETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()is called only if (dev->features & NETIF_F_HW_ESP) != 0.Sabrina Dubroca identified steps to reproduce the same symptoms as below. echo 0 > /sys/bus/netdevsim/new_device dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/) ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \ spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \ offload crypto dev $dev dir out ethtool -K $dev esp-hw-offload off echo 0 > /sys/bus/netdevsim/del_deviceLike these steps indicate, the NETIF_F_HW_ESP bit can be cleared afterxfrm_dev_state_add() acquired a reference to "struct net_device".Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bitwhen acquiring a reference to "struct net_device".Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device")re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but thatcommit for unknown reason chose to share xfrm_dev_down() between theNETDEV_DOWN event and the NETDEV_UNREGISTER event.I guess that that commit missed the behavior in the previous paragraph.Therefore, we need to re-introduce xfrm_dev_unregister() in order torelease the reference to "struct net_device" by unconditionally flushingstate and policy.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43168 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: fix reflink preserve cleanup issuecommit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error")doesn't handle all cases and the cleanup job for preserved xattr entriesstill has bug:- the 'last' pointer should be shifted by one unit after cleanup an array entry.- current code logic doesn't cleanup the first entry when xh_count is 1.Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43170 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: dwc3: gadget: Move vbus draw to workqueue contextCurrently dwc3_gadget_vbus_draw() can be called from atomiccontext, which in turn invokes power-supply-core APIs. Andsome these PMIC APIs have operations that may sleep, leadingto kernel panic.Fix this by moving the vbus_draw into a workqueue context.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43171 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:EFI/CPER: don't dump the entire memory regionThe current logic at cper_print_fw_err() doesn't check if theerror record length is big enough to handle offset. On a bad firmware,if the ofset is above the actual record, length -= offset willunderflow, making it dump the entire memory.The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to dump an unmapped memory region.Fix it by checking if the section length is too small before doinga hex dump.[ rjw: Subject tweaks ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43172 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: iwlwifi: fix 22000 series SMEM parsingIf the firmware were to report three LMACs (which doesn'texist in hardware) then using "fwrt->smem_cfg.lmac[2]" isan overrun of the array. Reject such and use IWL_FW_CHECKinstead of WARN_ON in this function.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43173 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ethernet: xscale: Check for PTP support properlyIn ixp4xx_get_ts_info() ixp46x_ptp_find() is calledunconditionally despite this feature only existing onixp46x, leading to the following splat from tcpdump:root@OpenWrt:~# tcpdump -vv -X -i eth0(...)Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read(...)Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...)Segmentation faultCheck for ixp46x in ixp46x_ptp_find() before trying to set upPTP to avoid this.To avoid altering the returned error code from ixp4xx_hwtstamp_set()which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPPfrom ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matterthe error code. The helper function ixp46x_ptp_find() helperreturns -ENODEV.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43185 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix signededness bug in smb_direct_prepare_negotiation()smb_direct_prepare_negotiation() casts an unsigned __u32 valuefrom sp->max_recv_size and req->preferred_send_size to a signedint before computing min_t(int, ...). A maliciously providedpreferred_send_size of 0x80000000 will return as smaller thanmax_recv_size, and then be used to set the maximum allowedalowed receive size for the next message.By sending a second message with a large value (>1420 bytes)the attacker can then achieve a heap buffer overflow.This fix replaces min_t(int, ...) with min_t(u32)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43186 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()On the receive path, __ioam6_fill_trace_data() uses trace->nodelento decide how much data to write for each node. It trusts this fieldas-is from the incoming packet, with no consistency check againsttrace->type (the 24-bit field that tells which data items arepresent). A crafted packet can set nodelen=0 while setting type bits0-21, causing the function to write ~100 bytes past the allocatedregion (into skb_shared_info), which corrupts adjacent heap memoryand leads to a kernel panic.Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c toderive the expected nodelen from the type field, and use it: - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written.Per RFC 9197, bits 12-21 are each short (4-octet) fields, so theyare included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to0xff1ffc00).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43191 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35[Why]A backport of the change made for DCN401 that addresses an issue wherewe turn off the PHY PLL when disabling TMDS output, which causes theOTG to remain stuck.The OTG being stuck can lead to a hang in the DCHVM's ability to ACKinvalidations when it thinks the HUBP is still on but it's not receivingglobal sync.The transition to PLL_ON needs to be atomic as there's no guaranteethat the thread isn't pre-empted or is able to complete before theIOMMU watchdog times out.[How]Backport the implementation from dcn401 back to dcn35.There's a functional difference in when the eDP output is disabled indcn401 code so we don't want to utilize it directly.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43194 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: consume xmit errors of GSO framesudpgro_frglist.sh and udpgro_bench.sh are the flakiest testscurrently in NIPA. They fail in the same exact way, TCP GROtest stalls occasionally and the test gets killed after 10min.These tests use veth to simulate GRO. They attach a trivial("return XDP_PASS;") XDP program to the veth to force TSO offand NAPI on.Digging into the failure mode we can see that the connectionis completely stuck after a burst of drops. The sender's snd_nxtis at sequence number N [1], but the receiver claims to havereceived (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzleis that senders rtx queue is not empty (let's say the block inthe rtx queue is at sequence number N - 4 * MSS [3]).In this state, sender sends a retransmission from the rtx queuewith a single segment, and sequence numbers N-4*MSS:N-3*MSS [3].Receiver sees it and responds with an ACK all the way up toN + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATAbecause it has no recollection of ever sending data that far out [1].And we are stuck.The root cause is the mess of the xmit return codes. veth returnsan error when it can't xmit a frame. We end up with a loss eventlike this: ------------------------------------------------- | GSO super frame 1 | GSO super frame 2 | |-----------------------------------------------| | seg | seg | seg | seg | seg | seg | seg | seg | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ------------------------------------------------- x ok ok | ok ok ok \\ snd_nxt"x" means packet lost by veth, and "ok" means it went thru.Since veth has TSO disabled in this test it sees individual segments.Segment 1 is on the retransmit queue and will be resent.So why did the sender not advance snd_nxt even tho it clearly didsend up to seg 8? tcp_write_xmit() interprets the return codefrom the core to mean that data has not been sent at all. SinceTCP deals with GSO super frames, not individual segment the cruxof the problem is that loss of a single segment can be interpretedas loss of all. TCP only sees the last return code for the lastsegment of the GSO frame (in <> brackets in the diagram above).Of course for the problem to occur we need a setup or a devicewithout a Qdisc. Otherwise Qdisc layer disconnects the protocollayer from the device errors completely.We have multiple ways to fix this. 1) make veth not return an error when it lost a packet. While this is what I think we did in the past, the issue keeps reappearing and it's annoying to debug. The game of whack a mole is not great. 2) fix the damn return codes We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer. 3) make TCP ignore the errors It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we're pushing data - packet loss is just packet loss? 4) this fix Ignore the rc in the Qdisc-less+GSO case, since it's unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let's be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-"networks" like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix?Similar fix has been proposed by Eric in the past but never committedbecause original reporter was working with an OOT driver and wasn'tproviding feedback (see Link).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43199 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address queryFix a "scheduling while atomic" bug in mlx5e_ipsec_init_macs() byreplacing mlx5_query_mac_address() with ether_addr_copy() to get thelocal MAC address directly from netdev->dev_addr.The issue occurs because mlx5_query_mac_address() queries the hardwarewhich involves mlx5_cmd_exec() that can sleep, but it is called fromthe mlx5e_ipsec_handle_event workqueue which runs in atomic context.The MAC address is already available in netdev->dev_addr, so no needto query hardware. This avoids the sleeping call and resolves the bug.Call trace: BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200 __schedule+0x7ab/0xa20 schedule+0x1c/0xb0 schedule_timeout+0x6e/0xf0 __wait_for_common+0x91/0x1b0 cmd_exec+0xa85/0xff0 [mlx5_core] mlx5_cmd_exec+0x1f/0x50 [mlx5_core] mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core] mlx5_query_mac_address+0x19/0x30 [mlx5_core] mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core] mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core] mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core] process_one_work+0x178/0x2e0 worker_thread+0x2ea/0x430

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43204 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: qcom: q6asm: drop DSP responses for closed data streams'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responsesafter closing")' attempted to ignore DSP responses arrivingafter a stream had been closed.However, those responses were still handled, causing lockups.Fix this by unconditionally dropping all DSP responses associated withclosed data streams.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43205 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dpaa2-switch: validate num_ifs to prevent out-of-bounds writeThe driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()but never validates it against DPSW_MAX_IF (64). This value controlsiteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indicesinto the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reportsnum_ifs >= 64, the loop can write past the array bounds.Add a bound check for num_ifs in dpaa2_switch_init().dpaa2_switch_fdb_get_flood_cfg() appends the control interface (portnum_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and allports match the flood filter, the loop fills all 64 slots and the controlinterface write overflows by one entry.The check uses >= because num_ifs == DPSW_MAX_IF is also functionallybroken.build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43213 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: rtw89: pci: validate sequence number of TX release reportHardware rarely reports abnormal sequence number in TX release report,which will access out-of-bounds of wd_ring->pages array, causing NULLpointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 To prevent crash, validate rpp_info.seq before using.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43216 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: Drop the lock in skb_may_tx_timestamp()skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock mustnot be taken in IRQ context, only softirq is okay. A few drivers receivethe timestamp via a dedicated interrupt and complete the TX timestampfrom that handler. This will lead to a deadlock if the lock is alreadywrite-locked on the same CPU.Taking the lock can be avoided. The socket (pointed by the skb) willremain valid until the skb is released. The ->sk_socket and ->filemember will be set to NULL once the user closes the socket which mayhappen before the timestamp arrives.If we happen to observe the pointer while the socket is closing butbefore the pointer is set to NULL then we may use it because bothpointer (and the file's cred member) are RCU freed.Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add amatching WRITE_ONCE() where the pointer are cleared.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43219 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: cpsw_new: Fix potential unregister of netdev that has not been registered yetIf an error occurs during register_netdev() for the first MAC incpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,cpsw->slaves[1].ndev would remain unchanged. This could later causecpsw_unregister_ports() to attempt unregistering the second MAC.To address this, add a check for ndev->reg_state before callingunregister_netdev(). With this change, setting cpsw->slaves[i].ndevto NULL becomes unnecessary and can be removed accordingly.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43226 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/rds: No shortcut out of RDS_CONN_ERRORRDS connections carry a state "rds_conn_path::cp_state"and transitions from one state to another and are conditionalupon an expected state: "rds_conn_path_transition."There is one exception to this conditionality, which is"RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop"regardless of what state the condition is currently in.But as soon as a connection enters state "RDS_CONN_ERROR",the connection handling code expects it to go through theshutdown-path.The RDS/TCP multipath changes added a shortcut out of"RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING"via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").A subsequent "rds_tcp_reset_callbacks" can then transitionthe state to "RDS_CONN_RESETTING" with a shutdown-worker queued.That'll trip up "rds_conn_init_shutdown", which wasnever adjusted to handle "RDS_CONN_RESETTING" and subsequentlydrops the connection with the dreaded "DR_INV_CONN_STATE",which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.So we do two things here:a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code.b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43227 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:clocksource/drivers/sh_tmu: Always leave device running after probeThe TMU device can be used as both a clocksource and a clockeventprovider. The driver tries to be smart and power itself on and off, aswell as enabling and disabling its clock when it's not in operation.This behavior is slightly altered if the TMU is used as an earlyplatform device in which case the device is left powered on after probe,but the clock is still enabled and disabled at runtime.This has worked for a long time, but recent improvements in PREEMPT_RTand PROVE_LOCKING have highlighted an issue. As the TMU registers itselfas a clockevent provider, clockevents_register_device(), it needs to useraw spinlocks internally as this is the context of which the clockeventframework interacts with the TMU driver. However in the context ofholding a raw spinlock the TMU driver can't really manage its powerstate or clock with calls to pm_runtime_*() and clk_*() as these callsend up in other platform drivers using regular spinlocks to controlpower and clocks.This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90For non-PREEMPT_RT builds this is not really an issue, but forPREEMPT_RT builds where normal spinlocks can sleep this might be anissue. Be cautious and always leave the power and clock running afterprobe.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43230 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/rds: Clear reconnect pending bitWhen canceling the reconnect worker, care must be taken to reset thereconnect-pending bit. If the reconnect worker has not yet beenscheduled before it is canceled, the reconnect-pending bit will stayon forever.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43234 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:team: avoid NETDEV_CHANGEMTU event when unregistering slavesyzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894problem. Ido Schimmel found steps to reproduce ip link add name team1 type team ip link add name dummy1 mtu 1499 master team1 type dummy ip netns add ns1 ip link set dev dummy1 netns ns1 ip -n ns1 link del dev dummy1and also found that the same issue was fixed in the bond driver incommit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event whenunregistering slave").Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net:hold netdev instance lock during sysfs operations") and commit 303a8487a657("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43238 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()Commit 38a6f0865796 ("net: sched: support hash selecting tx queue")added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size iscomputed as:mapping_mod = queue_mapping_max - queue_mapping + 1;The range size can be 65536 when the requested range covers all possibleu16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX).That value cannot be represented in a u16 and previously wrapped to 0,so tcf_skbedit_hash() could trigger a divide-by-zero:queue_mapping += skb_get_hash(skb) % params->mapping_mod;Compute mapping_mod in a wider type and reject ranges larger than U16_MAXto prevent params->mapping_mod from becoming 0 and avoid the crash.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43240 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/kexec: add a sanity check on previous kernel's ima kexec bufferWhen the second-stage kernel is booted via kexec with a limiting commandline such as "mem=", the physical range that contains the carriedover IMA measurement list may fall outside the truncated RAM leading to akernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) - not-present pageOther architectures already validate the range with page_is_ram(), as donein commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-bufferagainst memory bounds") do a similar check on x86.Without carrying the measurement list across kexec, the attestationwould fail.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43244 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:kcm: fix zero-frag skb in frag_list on partial sendmsg errorSyzkaller reported a warning in kcm_write_msgs() when processing amessage with a zero-fragment skb in the frag_list.When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,it allocates a new skb (tskb) and links it into the frag_list beforecopying data. If the copy subsequently fails (e.g. -EFAULT fromuser memory), tskb remains in the frag_list with zero fragments: head skb (msg being assembled, NOT yet in sk_write_queue) +-----------+ | frags[17] | (MAX_SKB_FRAGS, all filled with data) | frag_list-+--> tskb +-----------+ +----------+ | frags[0] | (empty! copy failed before filling) +----------+For SOCK_SEQPACKET with partial data already copied, the error pathsaves this message via partial_message for later completion. ForSOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so asubsequent zero-length write(fd, NULL, 0) completes the message andqueues it to sk_write_queue. kcm_write_msgs() then walks thefrag_list and hits: WARN_ON(!skb_shinfo(skb)->nr_frags)TCP has a similar pattern where skbs are enqueued before data copyand cleaned up on failure via tcp_remove_empty_skb(). KCM wasmissing the equivalent cleanup.Fix this by tracking the predecessor skb (frag_prev) when allocatinga new frag_list entry. On error, if the tail skb has zero frags,use frag_prev to unlink and free it in O(1) without walking thesingly-linked frag_list. frag_prev is safe to dereference becausethe entire message chain is only held locally (or in kcm->seq_skb)and is not added to sk_write_queue until MSG_EOR, so the send pathcannot free it underneath us.Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the logif the condition is somehow hit repeatedly.There are currently no KCM selftests in the kernel tree; a simplereproducer is available at [1].[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43248 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vhost: move vdpa group bound check to vhost_vdpaRemove duplication by consolidating these here. This reduces theposibility of a parent driver missing them.While we're at it, fix a bug in vdpa_sim where a valid ASID can beassigned to a group equal to ngroups, causing an out of bound write.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43252 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: pm: in-kernel: always set ID as avail when rm endpSyzkaller managed to find a combination of actions that was generatingthis warning: WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535 Modules linked in: CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline] RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538 Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89 RSP: 0018:ffffc9001535b820 EFLAGS: 00010287 netdevsim0: tun_chr_ioctl cmd 1074025677 RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7 netdevsim0: linktype set to 823 RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800 FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000 netlink: 'syz.3.50': attribute type 5 has an invalid length. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'. CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0 Call Trace: mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline] mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282 genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:733 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608 ___sys_sendmsg+0x2de/0x320 net/socket.c:2662 __sys_sendmsg net/socket.c:2694 [inline] __do_sys_sendmsg net/socket.c:2699 [inline] __se_sys_sendmsg net/socket.c:2697 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc6adb66f6d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43260 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bnxt_en: Fix RSS context delete logicWe need to free the corresponding RSS context VNICin FW everytime an RSS context is deleted in driver.Commit 667ac333dbb7 added a check to delete the VNICin FW only when netif_running() is true to help deleteRSS contexts with interface down.Having that condition will make the driver leak VNICsin FW whenever close() happens with active RSS contexts.On the subsequent open(), as part of RSS context restoration,we will end up trying to create extra VNICs for which wedid not make any reservation. FW can fail this request,thereby making us lose active RSS contexts.Suppose an RSS context is deleted already and we try toprocess a delete request again, then the HWRM functionswill check for validity of the request and they simplyreturn if the resource is already freed. So, even fordelete-when-down cases, netif_running() check is notnecessary.Remove the netif_running() condition check when deletingan RSS context.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43262 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:gfs2: fiemap page fault fixIn gfs2_fiemap(), we are calling iomap_fiemap() while holding the inodeglock. This can lead to recursive glock taking if the fiemap buffer ismemory mapped to the same inode and accessing it triggers a page fault.Fix by disabling page faults for iomap_fiemap() and faulting in thebuffer by hand if necessary.Fixes xfstest generic/742.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43263 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: chips-media: wave5: Fix Null reference while testing flusterWhen multi instances are created/destroyed, many interrupts happensand structures for decoder are removed."struct vpu_instance" this structure is shared for all flow in the decoder,so if the structure is not protected by lock, Null dereferencecould happens sometimes.IRQ Handler was spilt to two phases and Lock was added as well.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43266 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:EFI/CPER: don't go past the ARM processor CPER record bufferThere's a logic inside GHES/CPER to detect if the section_lengthis too small, but it doesn't detect if it is too big.Currently, if the firmware receives an ARM processor CPER recordstating that a section length is big, kernel will blindly trustsection_length, producing a very long dump. For instance, a 67bytes record with ERR_INFO_NUM set 46198 and section lengthset to 854918320 would dump a lot of data going a way past thefirmware memory-mapped area.Fix it by adding a logic to prevent it to go past the bufferif ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198[ rjw: Subject and changelog tweaks ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43273 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: supply snapshot context in ceph_zero_partial_object()The ceph_zero_partial_object function was missing proper snapshotcontext for its OSD write operations, which could lead to datainconsistencies in snapshots.Reproducer:../src/vstart.sh --new -x --localhost --bluestore./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a'mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.confdd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1mkdir /mnt/mycephfs/.snap/snap1md5sum /mnt/mycephfs/.snap/snap1/foofallocate -p -o 0 -l 4096 /mnt/mycephfs/fooecho 3 > /proc/sys/vm/drop/cachesmd5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43275 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: ufs: core: Flush exception handling work when RPM level is zeroEnsure that the exception event handling work is explicitly flushed duringsuspend when the runtime power management level is set to UFS_PM_LVL_0.When the RPM level is zero, the device power mode and link state bothremain active. Previously, the UFS core driver bypassed flushing exceptionevent handling jobs in this configuration. This created a race conditionwhere the driver could attempt to access the host controller to handle anexception after the system had already entered a deep power-down state,resulting in a system crash.Explicitly flush this work and disable auto BKOPs before the suspendcallback proceeds. This guarantees that pending exception tasks completeand prevents illegal hardware access during the power-down sequence.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43281 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()Although it is guided that `#mbox-cells` must be at least 1, there aremany instances of `#mbox-cells = <0>;` in the device tree. If that isthe case and the corresponding mailbox controller does not provide`fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` willbe used by default and out-of-bounds accesses could occur due to lack ofbounds check in that function.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43283 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ethernet: ec_bhf: Fix dma_free_coherent() dma handledma_free_coherent() in error path takes priv->rx_buf.alloc_len asthe dma handle. This would lead to improper unmapping of the buffer.Change the dma handle to priv->rx_buf.alloc_phys.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43288 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: move ext4_percpu_param_init() before ext4_mb_init()When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the`DOUBLE_CHECK` macro defined, the following panic is triggered:==================================================================EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksumBUG: unable to handle page fault for address: ff110000fa2cc000PGD 3e01067 P4D 3e02067 PUD 0Oops: Oops: 0000 [#1] SMP NOPTICPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none)RIP: 0010:percpu_counter_add_batch+0x13/0xa0Call Trace: ext4_mark_group_bitmap_corrupted+0xcb/0xe0 ext4_validate_block_bitmap+0x2a1/0x2f0 ext4_read_block_bitmap+0x33/0x50 mb_group_bb_bitmap_alloc+0x33/0x80 ext4_mb_add_groupinfo+0x190/0x250 ext4_mb_init_backend+0x87/0x290 ext4_mb_init+0x456/0x640 __ext4_fill_super+0x1072/0x1680 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4f6/0x6b0 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e==================================================================This issue can be reproduced using the following commands: mkfs.ext4 -F -q -b 1024 /dev/sda 5G tune2fs -O quota,project /dev/sda mount /dev/sda /tmp/testWith DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() readsand validates the block bitmap. When the validation fails,ext4_mark_group_bitmap_corrupted() attempts to updatesbi->s_freeclusters_counter. However, this percpu_counter has not beeninitialized yet at this point, which leads to the panic described above.Fix this by moving the execution of ext4_percpu_param_init() to occurbefore ext4_mb_init(), ensuring the per-CPU counters are initializedbefore they are used.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43289 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:kexec: derive purgatory entry from symbolkexec_load_purgatory() derives image->start by locating e_entry inside anSHF_EXECINSTR section. If the purgatory object contains multipleexecutable sections with overlapping sh_addr, the entrypoint check canmatch more than once and trigger a WARN.Derive the entry section from the purgatory_start symbol when present andcompute image->start from its final placement. Keep the existing e_entryfallback for purgatories that do not expose the symbol.WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784Call Trace: bzImage64_load+0x133/0xa00 __do_sys_kexec_file_load+0x2b3/0x5c0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e[me@linux.beauty: move helper to avoid forward declaration, per Baoquan]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43294 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panelsSince commit 56de5e305d4b ("clk: renesas: r9a07g044: Add MSTOP for RZ/G2L")we may get the following kernel panic, for some panels, when rebooting: systemd-shutdown[1]: Rebooting. Call trace: ... do_serror+0x28/0x68 el1h_64_error_handler+0x34/0x50 el1h_64_error+0x6c/0x70 rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P) mipi_dsi_device_transfer+0x44/0x58 mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4 ili9881c_unprepare+0x38/0x88 drm_panel_unprepare+0xbc/0x108This happens for panels that need to send MIPI-DSI commands in theirunprepare() callback. Since the MIPI-DSI interface is stopped at thatpoint, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic.Fix by moving rzg2l_mipi_dsi_stop() to new callback functionrzg2l_mipi_dsi_atomic_post_disable().With this change we now have the correct power-down/stop sequence: systemd-shutdown[1]: Rebooting. rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry reboot: Restarting system

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43296 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-af: Workaround SQM/PSE stalls by disabling stickyNIX SQ manager sticky mode is known to cause stalls when multiple SQsshare an SMQ and transmit concurrently. Additionally, PSE may deadlockon transitions between sticky and non-sticky transmissions. There isalso a credit drop issue observed when certain condition clocks aregated.work around these hardware errata by:- Disabling SQM sticky operation: - Clear TM6 (bit 15) - Clear TM11 (bit 14)- Disabling sticky -> non-sticky transition path that can deadlock PSE: - Clear TM5 (bit 23)- Preventing credit drops by keeping the control-flow clock enabled: - Set TM9 (bit 21)These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With thisconfiguration the SQM/PSE maintain forward progress under load withoutcredit loss, at the cost of disabling sticky optimizations.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43298 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Skip vcn poison irq release on VFVF doesn't enable VCN poison irq in VCNv2.5. Skip releasing it and avoidcall trace during deinitialization.[ 71.913601] [drm] clean up the vf2pf work item[ 71.915088] ------------[ cut here ]------------[ 71.915092] WARNING: CPU: 3 PID: 1079 at /tmp/amd.aFkFvSQl/amd/amdgpu/amdgpu_irq.c:641 amdgpu_irq_put+0xc6/0xe0 [amdgpu][ 71.915355] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_display_helper cec rc_core i2c_algo_bit video wmi binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common input_leds joydev serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 hid_generic crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel usbhid 8139too sha256_ssse3 sha1_ssse3 hid psmouse bochs i2c_i801 ahci drm_vram_helper libahci i2c_smbus lpc_ich drm_ttm_helper 8139cp mii ttm aesni_intel crypto_simd cryptd[ 71.915484] CPU: 3 PID: 1079 Comm: rmmod Tainted: G OE 6.8.0-87-generic #88~22.04.1-Ubuntu[ 71.915489] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014[ 71.915492] RIP: 0010:amdgpu_irq_put+0xc6/0xe0 [amdgpu][ 71.915768] Code: 75 84 b8 ea ff ff ff eb d4 44 89 ea 48 89 de 4c 89 e7 e8 fd fc ff ff 5b 41 5c 41 5d 41 5e 5d 31 d2 31 f6 31 ff e9 55 30 3b c7 <0f> 0b eb d4 b8 fe ff ff ff eb a8 e9 b7 3b 8a 00 66 2e 0f 1f 84 00[ 71.915771] RSP: 0018:ffffcf0800eafa30 EFLAGS: 00010246[ 71.915775] RAX: 0000000000000000 RBX: ffff891bda4b0668 RCX: 0000000000000000[ 71.915777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000[ 71.915779] RBP: ffffcf0800eafa50 R08: 0000000000000000 R09: 0000000000000000[ 71.915781] R10: 0000000000000000 R11: 0000000000000000 R12: ffff891bda480000[ 71.915782] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000[ 71.915792] FS: 000070cff87c4c40(0000) GS:ffff893abfb80000(0000) knlGS:0000000000000000[ 71.915795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 71.915797] CR2: 00005fa13073e478 CR3: 000000010d634006 CR4: 0000000000770ef0[ 71.915800] PKRU: 55555554[ 71.915802] Call Trace:[ 71.915805] [ 71.915809] vcn_v2_5_hw_fini+0x19e/0x1e0 [amdgpu]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43299 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()[BUG]There is a bug report that when btrfs hits ENOSPC error in a criticalpath, btrfs flips RO (this part is expected, although the ENOSPC bugstill needs to be addressed).The problem is after the RO flip, if there is a read repair pending, wecan hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1 ------------[ cut here ]------------ BTRFS: Transaction aborted (error -28) WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844 Modules linked in: kvm_intel kvm irqbypass [...] ---[ end trace 0000000000000000 ]--- BTRFS info (device vdc state EA): 2 enospc errors during balance BTRFS info (device vdc state EA): balance: ended with status: -30 BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6 BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0 [...] assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 ------------[ cut here ]------------ assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 kernel BUG at fs/btrfs/bio.c:938! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full) Tainted: [W]=WARN, [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Workqueue: btrfs-endio simple_end_io_work RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120 RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246 RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988 R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310 R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000 FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 ------------[ cut here ]------------[CAUSE]The cause of -ENOSPC error during the test case btrfs/124 is stillunknown, although it's known that we still have cases where metadata canbe over-committed but can not be fulfilled correctly, thus if we hitsuch ENOSPC error inside a critical path, we have no choice but abortthe current transaction.This will mark the fs read-only.The problem is inside the btrfs_repair_io_failure() path that we requirethe fs not to be mount read-only. This is normally fine, but if we aredoing a read-repair meanwhile the fs flips RO due to a critical error,we can enter btrfs_repair_io_failure() with super block set toread-only, thus triggering the above crash.[FIX]Just replace the ASSERT() with a proper return if the fs is alreadyread-only.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43301 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: chips-media: wave5: Fix PM runtime usage count underflowReplace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() inthe remove path to properly pair with pm_runtime_use_autosuspend() fromprobe. This allows pm_runtime_disable() to handle reference count cleanupcorrectly regardless of current suspend state.The driver calls pm_runtime_put_sync() unconditionally in remove, but thedevice may already be suspended due to autosuspend configured in probe.When autosuspend has already suspended the device, the usage count is 0,and pm_runtime_put_sync() decrements it to -1.This causes the following warning on module unload: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 ... vdec 30210000.video-codec: Runtime PM usage count underflow!

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43303 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/page_alloc: clear page->private in free_pages_prepare()Several subsystems (slub, shmem, ttm, etc.) use page->private but don'tclear it before freeing pages. When these pages are later allocated ashigh-order pages and split via split_page(), tail pages retain stalepage->private values.This causes a use-after-free in the swap subsystem. The swap code usespage->private to track swap count continuations, assuming freshlyallocated pages have page->private == 0. When stale values are present,swap_count_continued() incorrectly assumes the continuation list is validand iterates over uninitialized page->lru containing LIST_POISON values,causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860Fix this by clearing page->private in free_pages_prepare(), ensuring allfreed pages have clean state regardless of previous use.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43304 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: define and enforce CEPH_MAX_KEY_LENWhen decoding the key, verify that the key material would fit intoa fixed-size buffer in process_auth_done() and generally has a sanelength.The new CEPH_MAX_KEY_LEN check replaces the existing check for a keywith no key material which is a) not universal since CEPH_CRYPTO_NONEhas to be excluded and b) doesn't provide much value since a smallerthan needed key is just as invalid as no key -- this has to be handledelsewhere anyway.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43308 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()There is no need to BUG(), we can just return an error and log an errormessage.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43309 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:md raid: fix hang when stopping arrays with metadata through dm-raidWhen using device-mapper's dm-raid target, stopping a RAID array can causethe system to hang under specific conditions.This occurs when:- A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices)- The top-level RAID device is then removedRemoving the top-level device triggers a hang in the following sequence:the dm-raid destructor calls md_stop(), which tries to flush thewrite-intent bitmap by writing to the metadata sub-devices. However, thesedevices are already suspended, making them unable to complete the write-intentoperations and causing an indefinite block.Fix:- Prevent bitmap flushing when md_stop() is called from dm-raiddestructor context and avoid a quiescing/unquescing cycle which could also cause I/O- Still allow write-intent bitmap flushing when called from dm-raidsuspend contextThis ensures that RAID array teardown can complete successfully even when theunderlying devices are in a suspended state.This second patch uses md_is_rdwr() to distinguish between suspend anddestructor paths as elaborated on above.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43310 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVCFor the i.MX8MQ platform, there is a hardware limitation: the g1 VPU andg2 VPU cannot decode simultaneously; otherwise, it will cause below buserror and produce corrupted pictures, even potentially lead to system hang.[ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out.[ 110.583517] hantro-vpu 38310000.video-codec: bus error detected.Therefore, it is necessary to ensure that g1 and g2 operate alternately.This allows for successful multi-instance decoding of H.264 and HEVC.To achieve this, g1 and g2 share the same v4l2_m2m_dev, and then thev4l2_m2m_dev can handle the scheduling.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43311 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:soc/tegra: pmc: Fix unsafe generic_handle_irq() callCurrently, when resuming from system suspend on Tegra platforms,the following warning is observed:WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666Call trace: handle_irq_desc+0x20/0x58 (P) tegra186_pmc_wake_syscore_resume+0xe4/0x15c syscore_resume+0x3c/0xb8 suspend_devices_and_enter+0x510/0x540 pm_suspend+0x16c/0x1d8The warning occurs because generic_handle_irq() is being called froma non-interrupt context which is considered as unsafe.Fix this warning by deferring generic_handle_irq() call to an IRQ workwhich gets executed in hard IRQ context where generic_handle_irq()can be called safely.When PREEMPT_RT kernels are used, regular IRQ work (initialized withinit_irq_work) is deferred to run in per-CPU kthreads in preemptiblecontext rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARDvariant so that with PREEMPT_RT kernels, the IRQ work is processed inhardirq context instead of being deferred to a thread which is requiredfor calling generic_handle_irq().On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD()execute in IRQ context, so this change has no functional impact forstandard kernel configurations.[treding@nvidia.com: miscellaneous cleanups]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43315 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeedingDrop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failingas it is trivially easy to trigger from userspace by modifying CPUID afterloading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[]) /* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm); - vcpu_load_state(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + } /* * Restore XSAVE state in a dummy vCPU, first without doinggenerates: WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53Simply delete the WARN instead of trying to prevent userspace from shoving"illegal" state into CR3. For better or worse, KVM's ABI allows userspaceto set CPUID after SREGS, and vice versa, and KVM is very permissive whenit comes to guest CPUID. I.e. attempting to enforce the virtual CPU modelwhen setting CPUID could break userspace. Given that the WARN doesn'tprovide any meaningful protection for KVM or benefit for userspace, simplydrop it even though the odds of breaking userspace are minuscule.Opportunistically delete a spurious newline.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43317 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:most: core: fix leak on early registration failureA recent commit fixed a resource leak on early registration failures butfor some reason left out the first error path which still leaks theresources associated with the interface.Fix up also the first error path so that the interface is alwaysreleased on errors.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43328 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error pathWhen kobject_init_and_add() fails, cpufreq_dbs_governor_init() callskobject_put(&dbs_data->attr_set.kobj).The kobject release callback cpufreq_dbs_data_release() callsgov->exit(dbs_data) and kfree(dbs_data), but the current error paththen calls gov->exit(dbs_data) and kfree(dbs_data) again, causing adouble free.Keep the direct kfree(dbs_data) for the gov->init() failure path, butafter kobject_init_and_add() has been called, let kobject_put() handlethe cleanup through cpufreq_dbs_data_release().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43337 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()dcn401_init_hw() assumes that update_bw_bounding_box() is valid whenentering the update path. However, the existing condition: ((!fams2_enable && update_bw_bounding_box) || freq_changed)does not guarantee this, as the freq_changed branch can evaluate to trueindependently of the callback pointer.This can result in calling update_bw_bounding_box() when it is NULL.Fix this by separating the update condition from the pointer checks andensuring the callback, dc->clk_mgr, and bw_params are validated beforeuse.Fixes the below:../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362)(cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43339 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: prevent possible UaF in addrconf_permanent_addr()The mentioned helper try to warn the user about an exceptionalcondition, but the message is delivered too late, accessing the ipv6after its possible deletion.Reorder the statement to avoid the possible UaF; while at it, place thewarning outside the idev->lock as it needs no protection.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43341 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/ipv6: ioam6: prevent schema length wraparound in trace fillioam6_fill_trace_data() stores the schema contribution to the tracelength in a u8. With bit 22 enabled and the largest schema payload,sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses theremaining-space check. __ioam6_fill_trace_data() then positions thewrite cursor without reserving the schema area but still copies the4-byte schema header and the full schema payload, overrunning the tracebuffer.Keep sclen in an unsigned int so the remaining-space check and the writecursor calculation both see the full schema length.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43345 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipa: fix event ring index not programmed for IPA v5.0+For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 toCH_C_CNTXT_1. The v5.0 register definition intended to define thisfield in the CH_C_CNTXT_1 fmask array but used the old identifier ofERINDEX instead of CH_ERINDEX.Without a valid event ring, GSI channels could never signal transfercompletions. This caused gsi_channel_trans_quiesce() to blockforever in wait_for_completion().At least for IPA v5.2 this resolves an issue seen where runtimesuspend, system suspend, and remoteproc stop all hanged forever. Italso meant the IPA data path was completely non functional.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43346 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: ptp: don't WARN when controlling PF is unavailableIn VFIO passthrough setups, it is possible to pass through only a PFwhich doesn't own the source timer. In that case the PTP controlling PF(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp()returns NULL and triggers WARN_ON() in ice_ptp_setup_pf().Since this is an expected behavior in that configuration, replaceWARN_ON() with an informational message and return -EOPNOTSUPP.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43352 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeueThe logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action.Fix the abort handling by checking whether the ring is running beforeissuing an abort, re-initializing the completion when needed, ensuring thatRING_CTRL_ENABLE remains asserted during abort, and treating an alreadystopped ring as a successful condition.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43355 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iio: light: bh1780: fix PM runtime leak on error pathMove pm_runtime_put_autosuspend() before the error check to ensurethe PM runtime reference count is always decremented afterpm_runtime_get_sync(), regardless of whether the read operationsucceeds or fails.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43360 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: fix transaction abort on file creation due to name hash collisionIf we attempt to create several files with names that result in the samehash, we have to pack them in same dir item and that has a limit inherentto the leaf size. However if we reach that limit, we trigger a transactionabort and turns the filesystem into RO mode. This allows for a malicioususer to disrupt a system, without the need to have administrationprivileges/capabilities.Reproducer: $ cat exploit-hash-collisions.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster and require fewer file # names that result in hash collision. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # List of names that result in the same crc32c hash for btrfs. declare -a names=( 'foobar' '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC' 'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z' 'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4' 'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:' 'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO' 'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us' 'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY' 'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO' 'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU' 'Ono7avN5GjC:_6dBJ_' 'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am' 'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k' 'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2' 'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd' 'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm' 'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ' 'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky' 'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS' 'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz' 'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu' 'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN' 'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=' 'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn' 'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C' 'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW' '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc' 'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43363 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:x86/apic: Disable x2apic on resume if the kernel expects soWhen resuming from s2ram, firmware may re-enable x2apic mode, which may havebeen disabled by the kernel during boot either because it doesn't support IRQremapping or for other reasons. This causes the kernel to continue using thexapic interface, while the hardware is in x2apic mode, which causes hangs.This happens on defconfig + bare metal + s2ram.Fix this in lapic_resume() by disabling x2apic if the kernel expects it to bedisabled, i.e. when x2apic_mode = 0.The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either thepre-sleep configuration or initial boot configuration for each CPU, includingMSR state: When executing from the power-on reset vector as a result of waking from an S2 or S3 sleep state, the platform firmware performs only the hardware initialization required to restore the system to either the state the platform was in prior to the initial operating system boot, or to the pre-sleep configuration state. In multiprocessor systems, non-boot processors should be placed in the same state as prior to the initial operating system boot. (further ahead) If this is an S2 or S3 wake, then the platform runtime firmware restores minimum context of the system before jumping to the waking vector. This includes: CPU configuration. Platform runtime firmware restores the pre-sleep configuration or initial boot configuration of each CPU (MSR, MTRR, firmware update, SMBase, and so on). Interrupts must be disabled (for IA-32 processors, disabled by CLI instruction). (and other things)So at least as per the spec, re-enablement of x2apic by the firmware isallowed if "x2apic on" is a part of the initial boot configuration. [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization [ bp: Massage. ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43373 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: ncsi: fix skb leak in error pathsEarly return paths in NCSI RX and AEN handlers fail to releasethe received skb, resulting in a memory leak.Specifically, ncsi_aen_handler() returns on invalid AEN packetswithout consuming the skb. Similarly, ncsi_rcv_rsp() exits earlywhen failing to resolve the NCSI device, response handler, orrequest, leaving the skb unfreed.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43383 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/tcp-md5: Fix MAC comparison to be constant-timeTo prevent timing attacks, MACs need to be compared in constanttime. Use the appropriate helper function for this.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43386 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ieThe current code checks 'i + 5 < in_len' at the end of the if statement.However, it accesses 'in_ie[i + 5]' before that check, which can leadto an out-of-bounds read. Move the length check to the beginning of theconditional to ensure the index is within bounds before accessing thearray.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43405 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: Use u32 for non-negative values in ceph_monmap_decode()This patch fixes unnecessary implicit conversions that change signednessof blob_len and num_mon in ceph_monmap_decode().Currently blob_len and num_mon are (signed) int variables. They are usedto hold values that are always non-negative and get assigned inceph_decode_32_safe(), which is meant to assign u32 values. Bothvariables are subsequently used as unsigned values, and the value ofnum_mon is further assigned to monmap->num_mon, which is of type u32.Therefore, both variables should be of type u32. This is especiallyrelevant for num_mon. If the value read from the incoming message isvery large, it is interpreted as a negative value, and the check fornum_mon > CEPH_MAX_MON does not catch it. This leads to the attempt toallocate a very large chunk of memory for monmap, which will most likelyfail. In this case, an unnecessary attempt to allocate memory isperformed, and -ENOMEM is returned instead of -EINVAL.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43406 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: prevent potential out-of-bounds reads in process_message_header()If the message frame is (maliciously) corrupted in a way that thelength of the control segment ends up being less than the size of themessage header or a different frame is made to look like a messageframe, out-of-bounds reads may ensue in process_message_header().Perform an explicit bounds check before decoding the message header.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43407 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()This patch fixes an out-of-bounds access in ceph_handle_auth_reply()that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. Inceph_handle_auth_reply(), the value of the payload_len field of such amessage is stored in a variable of type int. A value greater thanINT_MAX leads to an integer overflow and is interpreted as a negativevalue. This leads to decrementing the pointer address by this value andsubsequently accessing it because ceph_decode_need() only checks thatthe memory access does not exceed the end address of the allocation.This patch fixes the issue by changing the data type of payload_len tou32. Additionally, the data type of result_msg_len is changed to u32,as it is also a variable holding a non-negative length.Also, an additional layer of sanity checks is introduced, ensuring thatdirectly after reading it from the message, payload_len andresult_msg_len are not greater than the overall segment length.BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014Workqueue: ceph-msgr ceph_con_workfn [libceph]Call Trace: dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x620 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? kasan_complete_mode_report_info+0x72/0x210 kasan_report+0xe7/0x130 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] __asan_report_load_n_noabort+0xf/0x20 ceph_handle_auth_reply+0x642/0x7a0 [libceph] mon_dispatch+0x973/0x23d0 [libceph] ? apparmor_socket_recvmsg+0x6b/0xa0 ? __pfx_mon_dispatch+0x10/0x10 [libceph] ? __kasan_check_write+0x14/0x30i ? mutex_unlock+0x7f/0xd0 ? __pfx_mutex_unlock+0x10/0x10 ? __pfx_do_recvmsg+0x10/0x10 [libceph] ceph_con_process_message+0x1f1/0x650 [libceph] process_message+0x1e/0x450 [libceph] ceph_con_v2_try_read+0x2e48/0x6c80 [libceph] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph] ? save_fpregs_to_fpstate+0xb0/0x230 ? raw_spin_rq_unlock+0x17/0xa0 ? finish_task_switch.isra.0+0x13b/0x760 ? __switch_to+0x385/0xda0 ? __kasan_check_write+0x14/0x30 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 ceph_con_workfn+0x248/0x10c0 [libceph] process_one_work+0x629/0xf80 ? __kasan_check_write+0x14/0x30 worker_thread+0x87f/0x1570 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx_try_to_wake_up+0x10/0x10 ? kasan_print_address_stack_frame+0x1f7/0x280 ? __pfx_worker_thread+0x10/0x10 kthread+0x396/0x830 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? __pfx_kthread+0x10/0x10 ? __kasan_check_write+0x14/0x30 ? recalc_sigpending+0x180/0x210 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3f7/0x610 ? __pfx_ret_from_fork+0x10/0x10 ? __switch_to+0x385/0xda0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 [ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43409 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:kprobes: avoid crash when rmmod/insmod after ftrace killedAfter we hit ftrace is killed by some errors, the kernel crash ifwe remove modules in which kprobe probes.BUG: unable to handle page fault for address: fffffbfff805000dPGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0Oops: Oops: 0000 [#1] SMP KASAN PTICPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OETainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULERIP: 0010:kprobes_module_callback+0x89/0x790RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9aR10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0Call Trace: notifier_call_chain+0xc6/0x280 blocking_notifier_call_chain+0x60/0x90 __do_sys_delete_module.constprop.0+0x32a/0x4e0 do_syscall_64+0x5d/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7eThis is because the kprobe on ftrace does not correctly handlesthe kprobe_ftrace_disabled flag set by ftrace_kill().To prevent this error, check kprobe_ftrace_disabled in__disarm_kprobe_ftrace() and skip all ftrace related operations.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43416 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:powerpc, perf: Check that current->mm is alive before getting user callchainIt may happen that mm is already released, which leads to kernel panic.This adds the NULL check for current->mm, similarly tocommit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain").I was getting this panic when running a profiling BPF program(profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0) [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588 [26215.051952] Faulting instruction address: 0xc00000000020fac0 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1] [...] [26215.052049] Call Trace: [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable) [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274 [...]In addition, move storing the top-level stack entry to genericperf_callchain_user to make sure the top-evel entry is always captured,even if current->mm is NULL.[Maddy: fixed message to avoid checkpatch format style error]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43420 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix i_nlink underrun during async unlinkDuring async unlink, we drop the `i_nlink` counter before we receivethe completion (that will eventually update the `i_nlink`) because "weassume that the unlink will succeed". That is not a bad idea, but itraces against deletions by other clients (or against the completion ofour own unlink) and can lead to an underrun which emits a WARNING likethis one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drop_nlink+0x50/0x68 lr : ceph_unlink+0x6c4/0x720 sp : ffff80012173bc90 x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680 x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647 x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203 x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365 x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74 x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94 x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002 x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8 Call trace: drop_nlink+0x50/0x68 (P) vfs_unlink+0xb0/0x2e8 do_unlinkat+0x204/0x288 __arm64_sys_unlinkat+0x3c/0x80 invoke_syscall.constprop.0+0x54/0xe8 do_el0_svc+0xa4/0xc8 el0_svc+0x18/0x58 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x154/0x158In ceph_unlink(), a call to ceph_mdsc_submit_request() submits theCEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.Meanwhile, between this call and the following drop_nlink() call, aworker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT orjust a CEPH_MSG_CLIENT_REPLY (the latter of which could be our owncompletion). These will lead to a set_nlink() call, updating the`i_nlink` counter to the value received from the MDS. If that new`i_nlink` value happens to be zero, it is illegal to decrement itfurther. But that is exactly what ceph_unlink() will do then.The WARNING can be reproduced this way:1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.)2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs.The solution is to skip the counter decrement when it is already zero,but doing so without a lock is still racy (TOCTOU). Sinceceph_fill_inode() and handle_cap_grant() both hold the`ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, thisseems like the proper lock to protect the `i_nlink` updates.I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using`afs_vnode.cb_lock`). All three have the zero check as well.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43439 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cgroup: fix race between task migration and iterationWhen a task is migrated out of a css_set, cgroup_migrate_add_task()first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks);If a css_task_iter currently has it->task_pos pointing to this task,css_set_move_task() calls css_task_iter_skip() to keep the iteratorvalid. However, since the task has already been moved to ->mg_tasks,the iterator is advanced relative to the mg_tasks list instead of theoriginal tasks list. As a result, remaining tasks on cset->tasks, aswell as tasks queued on cset->mg_tasks, can be skipped by iteration.Fix this by calling css_set_skip_task_iters() before unlinkingtask->cg_list from cset->tasks. This advances all active iterators tothe next task on cset->tasks, so iteration continues correctly evenwhen a task is concurrently being migrated.This race is hard to hit in practice without instrumentation, but itcan be reproduced by artificially slowing down cgroup_procs_show().For example, on an Android device a temporary/sys/kernel/cgroup/cgroup_test knob can be added to inject a delayinto cgroup_procs_show(), and then: 1) Spawn three long-running tasks (PIDs 101, 102, 103). 2) Create a test cgroup and move the tasks into it. 3) Enable a large delay via /sys/kernel/cgroup/cgroup_test. 4) In one shell, read cgroup.procs from the test cgroup. 5) Within the delay window, in another shell migrate PID 102 by writing it to a different cgroup.procs file.Under this setup, cgroup.procs can intermittently show only PID 101while skipping PID 103. Once the migration completes, reading thefile again shows all tasks as expected.Note that this change does not allow removing the existingcss_set_skip_task_iters() call in css_set_move_task(). The new callin cgroup_migrate_add_task() only handles iterators that are racingwith migration while the task is still on cset->tasks. Iterators mayalso start after the task has been moved to cset->mg_tasks. If wedropped css_set_skip_task_iters() from css_set_move_task(), suchiterators could keep task_pos pointing to a migrating task, causingcss_task_iter_advance() to malfunction on the destination css_set,up to and including crashes or infinite loops.The race window between migration and iteration is very small, andcss_task_iter is not on a hot path. In the worst case, when aniterator is positioned on the first thread of the migrating process,cgroup_migrate_add_task() may have to skip multiple tasks viacss_set_skip_task_iters(). However, this only happens when migrationand iteration actually race, so the performance impact is negligiblecompared to the correctness fix provided here.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43445 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:e1000/e1000e: Fix leak in DMA error cleanupIf an error is encountered while mapping TX buffers, the driver shouldunmap any buffers already mapped for that skb.Because count is incremented after a successful mapping, it will alwaysmatch the correct number of unmappings needed when dma_error is reached.Decrementing count before the while loop in dma_error causes anoff-by-one error. If any mapping was successful before an unsuccessfulmapping, exactly one DMA mapping would leak.In these commits, a faulty while condition caused an infinite loop indma_error:Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000edriver")Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests ofunsigned in *_tx_map()") fixed the infinite loop, but introduced theoff-by-one error.This issue may still exist in the igbvf driver, but I did not address itin this patch.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43448 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme-pci: Fix race bug in nvme_poll_irqdisable()In the following scenario, pdev can be disabled between (1) and (3) by(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() willreturn MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2).This causes IRQ warning because it tries to enable INTx IRQ that hasnever been disabled before.To fix this, save IRQ number into a local variable and ensuredisable_irq() and enable_irq() operate on the same IRQ number. Even ifpci_free_irq_vectors() frees the IRQ concurrently, disable_irq() andenable_irq() on a stale IRQ number is still valid and safe, and thedepth accounting reamins balanced.task 1:nvme_poll_irqdisable() disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)task 2:nvme_reset_work() nvme_dev_disable() pdev->msix_enable = 0; ...(2)crash log:------------[ cut here ]------------Unbalanced enable for IRQ 10WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26Modules linked in:CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014Workqueue: kblockd blk_mq_timeout_workRIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9RSP: 0018:ffffc900001bf550 EFLAGS: 00010046RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0Call Trace: enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] bt_for_each block/blk-mq-tag.c:324 [inline] blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 irq event stamp: 74478hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline]softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline]softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43449 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_setdev->online_queues is a count incremented in nvme_init_queue. Thus,valid indices are 0 through dev->online_queues − 1.This patch fixes the loop condition to ensure the index stays within thevalid range. Index 0 is excluded because it is the admin queue.KASAN splat:==================================================================BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014Workqueue: nvme-reset-wq nvme_reset_workCall Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x5d0 mm/kasan/report.c:482 kasan_report+0xdc/0x110 mm/kasan/report.c:595 __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 34 on cpu 1 at 4.241550s: kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 pci_call_probe drivers/pci/pci-driver.c:392 [inline] __pci_device_probe drivers/pci/pci-driver.c:417 [inline] pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x29b/0xb70 drivers/base/dd.c:661 __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246The buggy address belongs to the object at ffff88800592a000 which belongs to the cache kmalloc-2k of size 2048The buggy address is located 244 bytes to the right of allocated 1152-byte region [ffff88800592a000, ffff88800592a480)The buggy address belongs to the physical page:page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)page_type: f5(slab)raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000head: 000fffffc0000040 ffff888001042000 00000---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43450 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a labelinside the for loop body. When the "last" helper saved in cb->args[1]is deleted between dump rounds, every entry fails the (cur != last)check, so cb->args[1] is never cleared. The for loop finishes withcb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps backinto the loop body bypassing the bounds check, causing an 8-byteout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].The 'goto restart' block was meant to re-traverse the current bucketwhen "last" is no longer found, but it was placed after the for loopinstead of inside it. Move the block into the for loop body so thatthe restart only occurs while cb->args[0] is still within bounds. BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 Call Trace: nfnl_cthelper_dump_table+0x9f/0x1b0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 sock_recvmsg+0xde/0xf0 __sys_recvfrom+0x150/0x200 __x64_sys_recvfrom+0x76/0x90 do_syscall_64+0xc3/0x6e0 Allocated by task 1: __kvmalloc_node_noprof+0x21b/0x700 nf_ct_alloc_hashtable+0x65/0xd0 nf_conntrack_helper_init+0x21/0x60 nf_conntrack_init_start+0x18d/0x300 nf_conntrack_standalone_init+0x12/0xc0

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43451 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_queue: fix entry leak in bridge verdict error pathnfqnl_recv_verdict() calls find_dequeue_entry() to remove the queueentry from the queue data structures, taking ownership of the entry.For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLANattributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLANpresent but NFQA_VLAN_TCI missing), the function returns immediatelywithout freeing the dequeued entry or its sk_buff.This leaks the nf_queue_entry, its associated sk_buff, and all heldreferences (net_device refcounts, struct net refcount). Repeatedtriggering exhausts kernel memory.Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdicton the error path, consistent with other error handling in this file.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43452 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: x_tables: guard option walkers against 1-byte tail readsWhen the last byte of options is a non-single-byte option kind, walkersthat advance with i += op[i + 1] ? : 1 can read op[i + 1] past the endof the option area.Add an explicit i == optlen - 1 check before dereferencing op[i + 1]in xt_tcpudp and xt_dccp option walkers.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43453 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as theto_offset argument on every iteration, including the last one wherei == m->field_count - 1. This reads one element past the end of thestack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]with NFT_PIPAPO_MAX_FIELDS == 16).Although pipapo_unmap() returns early when is_last is true withoutusing the to_offset value, the argument is evaluated at the call sitebefore the function body executes, making this a genuine out-of-boundsstack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array.Pass 0 instead of rulemap[i + 1].n on the last iteration to avoidthe out-of-bounds read.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43455 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mctp: route: hold key->lock in mctp_flow_prepare_output()mctp_flow_prepare_output() checks key->dev and may callmctp_dev_set_key(), but it does not hold key->lock while doing so.mctp_dev_set_key() and mctp_dev_release_key() are annotated with__must_hold(&key->lock), so key->dev access is intended to beserialized by key->lock. The mctp_sendmsg() transmit path reachesmctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()without holding key->lock, so the check-and-set sequence is racy.Example interleaving: CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devBNow both devA and devB references were acquired, but only the finalkey->dev value is tracked for release. One reference can be lost,causing a resource leak as mctp_dev_release_key() would only decreasethe reference on one dev.Fix by taking key->lock around the key->dev check andmctp_dev_set_key() call.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43456 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: fix type confusion in bond_setup_by_slave()kernel BUG at net/core/skbuff.c:2306!Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTIRIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306RSP: 0018:ffffc90004aff760 EFLAGS: 00010293RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0eRDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0Call Trace: ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fe1a0e6c1a9When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond,bond_setup_by_slave() directly copies the slave's header_ops to thebond device: bond_dev->header_ops = slave_dev->header_ops;This causes a type confusion when dev_hard_header() is later calledon the bond device. Functions like ipgre_header(), ip6gre_header(),all usenetdev_priv(dev) to access their device-specific private data. Whencalled with the bond device, netdev_priv() returns the bond's privatedata (struct bonding) instead of the expected type (e.g. structip_tunnel), leading to garbage values being read and kernel crashes.Fix this by introducing bond_header_ops with wrapper functions thatdelegate to the active slave's header_ops using the slave's owndevice. This ensures netdev_priv() in the slave's header functionsalways receives the correct device.The fix is placed in the bonding driver rather than individual devicedrivers, as the root cause is bond blindly inheriting header_ops fromthe slave without considering that these callbacks expect a specificnetdev_priv() layout.The type confusion can be observed by adding a printk inipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43457 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mctp: i2c: fix skb memory leak in receive pathWhen 'midev->allow_rx' is false, the newly allocated skb isn't consumedby netif_rx(), it needs to free the skb directly.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43458 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:serial: caif: hold tty->link reference in ldisc_open and ser_releaseA reproducer triggers a KASAN slab-use-after-free in pty_write_room()when caif_serial's TX path calls tty_write_room(). The faulting accessis on tty->link->port.Hold an extra kref on tty->link for the lifetime of the caif_serial linediscipline: get it in ldisc_open() and drop it in ser_release(), andalso drop it on the ldisc_open() error path.With this change applied, the reproducer no longer triggers the UAF inmy testing.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43465 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQXDP multi-buf programs can modify the layout of the XDP buffer when theprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). Thereferenced commit in the fixes tag corrected the assumption in the mlx5driver that the XDP buffer layout doesn't change during a programexecution. However, this fix introduced another issue: the droppedfragments still need to be counted on the driver side to avoid pagefragment reference counting issues.The issue was discovered by the drivers/net/xdp.py selftest,more specifically the test_xdp_native_tx_mb:- The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0.- The test sends one packet with no payload.- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above.- The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63).- mlx5 device skips counting this fragment. Internal frag counter remains 0.- mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error.Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70The problem applies for XDP_PASS as well which is handled in a differentcode path in the driver.This patch fixes the issue by doing page frag counting on all theoriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,XDP_REDIRECT and XDP_PASS). This is basically reverting to the originalcounting before the commit in the fixes tag.As frag_page is still pointing to the original tail, the nr_fragsparameter to xdp_update_skb_frags_info() needs to be calculatedin a different way to reflect the new nr_frags.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43466 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Fix DMA FIFO desync on error CQE SQ recoveryIn case of a TX error CQE, a recovery flow is triggered,mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,desyncing the DMA FIFO producer and consumer.After recovery, the producer pushes new DMA entries at the olddma_fifo_pc, while the consumer reads from position 0.This causes us to unmap stale DMA addresses from before the recovery.The DMA FIFO is a purely software construct with no HW counterpart.At the point of reset, all WQEs have been flushed so dma_fifo_cc isalready equal to dma_fifo_pc. There is no need to reset either counter,similar to how skb_fifo pc/cc are untouched.Remove the 'dma_fifo_cc = 0' reset.This fixes the following WARNING: WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 Call Trace: ? __warn+0x7d/0x110 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0x16d/0x180 ? handle_bug+0x4f/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 ? iommu_dma_unmap_page+0x2e/0x90 dma_unmap_page_attrs+0x10d/0x1b0 mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] __napi_poll+0x24/0x190 net_rx_action+0x32a/0x3b0 ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] ? notifier_call_chain+0x35/0xa0 handle_softirqs+0xc9/0x270 irq_exit_rcu+0x71/0xd0 common_interrupt+0x7f/0xa0 asm_common_interrupt+0x22/0x40

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43468 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: Fix deadlock between devlink lock and esw->wqesw->work_queue executes esw_functions_changed_event_handler ->esw_vfs_changed_event_handler and acquires the devlink lock..eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlockswhen esw_vfs_changed_event_handler executes.Fix that by no longer flushing the work to avoid the deadlock, and usinga generation counter to keep track of work relevance. This avoids an oldhandler manipulating an esw that has undergone one or more mode changes:- the counter is incremented in mlx5_eswitch_event_handler_unregister.- the counter is read and passed to the ephemeral mlx5_host_work struct.- the work handler takes the devlink lock and bails out if the current generation is different than the one it was scheduled to operate on.- mlx5_eswitch_cleanup does the final draining before destroying the wq.No longer flushing the workqueue has the side effect of maybe no longercancelling pending vport_change_handler work items, but that's ok sincethose are disabled elsewhere:- mlx5_eswitch_disable_locked disables the vport eq notifier.- mlx5_esw_vport_disable disarms the HW EQ notification and marks vport->enabled under state_lock to false to prevent pending vport handler from doing anything.- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events are disabled/finished.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43469 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:xprtrdma: Decrement re_receiving on the early exit pathsIn the event that rpcrdma_post_recvs() fails to create a work request(due to memory allocation failure, say) or otherwise exits early, weshould decrement ep->re_receiving before returning. Otherwise we willhang in rpcrdma_xprt_drain() as re_receiving will never reach zero andthe completion will never be triggered.On a system with high memory pressure, this can appear as the followinghung task: INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43470 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfs: return EISDIR on nfs3_proc_create if d_alias is a dirIf we found an alias through nfs3_do_create/nfs_add_or_obtain/d_splice_alias which happens to be a dir dentry, we don't returnany error, and simply forget about this alias, but the originaldentry we were adding and passed as parameter remains negative.This later causes an oops on nfs_atomic_open_v23/finish_open since wesupply a negative dentry to do_dentry_open.This has been observed running lustre-racer, where dirs and files arecreated/removed concurrently with the same name and O_EXCL is notused to open files (frequent file redirection).While d_splice_alias typically returns a directory alias or NULL, weexplicitly check d_is_dir() to ensure that we don't attempt to performfile operations (like finish_open) on a directory inode, which triggersthe observed oops.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43473 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: mpi3mr: Add NULL checks when resetting request and reply queuesThe driver encountered a crash during resource cleanup when the reply andrequest queues were NULL due to freed memory. This issue occurred when thecreation of reply or request queues failed, and the driver freed the memoryfirst, but attempted to mem set the content of the freed memory, leading toa system crash.Add NULL pointer checks for reply and request queues before accessing thereply/request memory during cleanup

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43483 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activatedExplicitly set/clear CR8 write interception when AVIC is (de)activated tofix a bug where KVM leaves the interception enabled after AVIC isactivated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8will remain intercepted in perpetuity.On its own, the dangling CR8 intercept is "just" a performance issue, butcombined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangingintercept is fatal to Windows guests as the TPR seen by hardware getswildly out of sync with reality.Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignoredwhen Virtual Interrupt Delivery is enabled, i.e. when APICv is active inKVM's world. I.e. there's no need to trigger update_cr8_intercept(), thisis firmly an SVM implementation flaw/detail.WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM shouldnever enter the guest with AVIC enabled and CR8 writes intercepted.[Squash fix to avic_deactivate_vmcb. - Paolo]

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43484 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mmc: core: Avoid bitfield RMW for claim/retune flagsMove claimed and retune control flags out of the bitfield word toavoid unrelated RMW side effects in asynchronous contexts.The host->claimed bit shared a word with retune flags. Writes to claimedin __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwriteother bits when concurrent updates happen in other contexts, triggeringspurious WARN_ON(!host->claimed). Convert claimed, can_retune,retune_now and retune_paused to bool to remove shared-word coupling.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43485 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nouveau/gsp: drop WARN_ON in ACPI probesThese WARN_ONs seem to trigger a lot, and we don't seem to have aplan to fix them, so just drop them, as they are most likelyharmless.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43490 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ksmbd: validate inherited ACE SID lengthsmb_inherit_dacl() walks the parent directory DACL loaded from thesecurity descriptor xattr. It verifies that each ACE contains the fixedSID header before using it, but does not verify that the variable-lengthSID described by sid.num_subauth is fully contained in the ACE.A malformed inheritable ACE can advertise more subauthorities than arepresent in the ACE. compare_sids() may then read past the ACE.smb_set_ace() also clamps the copied destination SID, but used theunchecked source SID count to compute the inherited ACE size. That couldadvance the temporary inherited ACE buffer pointer and nt_size accountingpast the allocated buffer.Fix this by validating the parent ACE SID count and SID length beforeusing the SID during inheritance. Compute the inherited ACE size from thecopied SID so the size matches the bounded destination SID. Reject theinherited DACL if size accumulation would overflow smb_acl.size or thesecurity descriptor allocation size.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43896 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-44777 Severity: Moderate CVSS3 score: 5.5

Description: jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when twootherwise valid modules include each other.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-4948 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
firewalld < 2.0.1-150600.3.15.1 (version in image is 1.3.4-150600.13.3.1).

CVE-2026-5704 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
tar > 0-0 (version in image is 1.34-150000.3.37.1).

CVE-2026-6862 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libefivar1 > 0-0 (version in image is 37-6.12.1).

CVE-2025-39927 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix race condition validating r_parent before applying stateAdd validation to ensure the cached parent directory inode matches thedirectory info in MDS replies. This prevents client-side race conditionswhere concurrent operations (e.g. rename) cause r_parent to become stalebetween request initiation and reply processing, which could lead toapplying state changes to incorrect directory inodes.[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to move CEPH_CAP_PIN reference when r_parent is updated: When the parent directory lock is not held, req->r_parent can become stale and is updated to point to the correct inode. However, the associated CEPH_CAP_PIN reference was not being adjusted. The CEPH_CAP_PIN is a reference on an inode that is tracked for accounting purposes. Moving this pin is important to keep the accounting balanced. When the pin was not moved from the old parent to the new one, it created two problems: The reference on the old, stale parent was never released, causing a reference leak. A reference for the new parent was never acquired, creating the risk of a reference underflow later in ceph_mdsc_release_request(). This patch corrects the logic by releasing the pin from the old parent and acquiring it for the new parent when r_parent is switched. This ensures reference accounting stays balanced. ]

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40303 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: ensure no dirty metadata is written back for an fs with errors[BUG]During development of a minor feature (make sure all btrfs_bio::end_io()is called in task context), I noticed a crash in generic/388, wheremetadata writes triggered new works after btrfs_stop_all_workers().It turns out that it can even happen without any code modification, justusing RAID5 for metadata and the same workload from generic/388 is goingto trigger the use-after-free.[CAUSE]If btrfs hits an error, the fs is marked as error, no newtransaction is allowed thus metadata is in a frozen state.But there are some metadata modifications before that error, and they arestill in the btree inode page cache.Since there will be no real transaction commit, all those dirty foliosare just kept as is in the page cache, and they can not be invalidatedby invalidate_inode_pages2() call inside close_ctree(), because they aredirty.And finally after btrfs_stop_all_workers(), we call iput() on btreeinode, which triggers writeback of those dirty metadata.And if the fs is using RAID56 metadata, this will trigger RMW and queuenew works into rmw_workers, which is already stopped, causing warningfrom queue_work() and use-after-free.[FIX]Add a special handling for write_one_eb(), that if the fs is already inan error state, immediately mark the bbio as failure, instead of reallysubmitting them.Then during close_ctree(), iput() will just discard all those dirtytree blocks without really writing them back, thus no more new jobs foralready stopped-and-freed workqueues.The extra discard in write_one_eb() also acts as an extra safenet.E.g. the transaction abort is triggered by some extent/free spacetree corruptions, and since extent/free space tree is already corruptedsome tree blocks may be allocated where they shouldn't be (overwritingexisting tree blocks). In that case writing them back will furthercorrupting the fs.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-47911 Severity: Moderate CVSS3 score: 5.3

Description: The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2025-47914 Severity: Moderate CVSS3 score: 5.3

Description: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2025-58058 Severity: Moderate CVSS3 score: 5.3

Description: xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
google-osconfig-agent > 0-0 (version in image is 20250416.02-150000.1.50.1).

CVE-2025-58181 Severity: Moderate CVSS3 score: 5.3

Description: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
google-guest-agent > 0-0 (version in image is 20250506.01-150000.1.63.1).

CVE-2025-9390 Severity: Moderate CVSS3 score: 5.3

Description: A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2026-23059 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Sanitize payload size to prevent member overflowIn qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_sizereported by firmware is used to calculate the copy length intoitem->iocb. However, the iocb member is defined as a fixed-size 64-bytearray within struct purex_item.If the reported frame_size exceeds 64 bytes, subsequent memcpy calls willoverflow the iocb member boundary. While extra memory might be allocated,this cross-member write is unsafe and triggers warnings underCONFIG_FORTIFY_SOURCE.Fix this by capping total_bytes to the size of the iocb member (64 bytes)before allocation and copying. This ensures all copies remain within thebounds of the destination structure member.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23271 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:perf: Fix __perf_event_overflow() vs perf_remove_from_context() raceMake sure that __perf_event_overflow() runs with IRQs disabled for allpossible callchains. Specifically the software events can end up runningit with only preemption disabled.This opens up a race vs perf_event_exit_event() and friends that will goand free various things the overflow path expects to be present, likethe BPF program.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23286 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:atm: lec: fix null-ptr-deref in lec_arp_clear_vccssyzkaller reported a null-ptr-deref in lec_arp_clear_vccs().This issue can be easily reproduced using the syzkaller reproducer.In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared bymultiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).When the underlying VCC is closed, lec_vcc_close() iterates over allARP entries and calls lec_arp_clear_vccs() for each matched entry.For example, when lec_vcc_close() iterates through the hlists inpriv->lec_arp_empty_ones or other ARP tables:1. In the first iteration, for the first matched ARP entry sharing the VCC,lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)and sets vcc->user_back to NULL.2. In the second iteration, for the next matched ARP entry sharing the sameVCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv fromvcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference itvia `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.Fix this by adding a null check for vpriv before dereferencingit. If vpriv is already NULL, it means the VCC has been clearedby a previous call, so we can safely skip the cleanup and justclear the entry's vcc/recv_vcc pointers.The entire cleanup block (including vcc_release_async()) is placed insidethe vpriv guard because a NULL vpriv indicates the VCC has already beenfully released by a prior iteration - repeating the teardown wouldredundantly set flags and trigger callbacks on an already-closing socket.The Fixes tag points to the initial commit because the entry->vcc path hasbeen vulnerable since the original code. The entry->recv_vcc path was lateradded by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")with the same pattern, and both paths are fixed here.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23456 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS caseIn decode_int(), the CONS case calls get_bits(bs, 2) to read a lengthvalue, then calls get_uint(bs, len) without checking that len bytesremain in the buffer. The existing boundary check only validates the2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()reads. This allows a malformed H.323/RAS packet to cause a 1-4 byteslab-out-of-bounds read.Add a boundary check for len bytes after get_bits() and beforeget_uint().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23457 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()sip_help_tcp() parses the SIP Content-Length header withsimple_strtoul(), which returns unsigned long, but stores the result inunsigned int clen. On 64-bit systems, values exceeding UINT_MAX aresilently truncated before computing the SIP message boundary.For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,causing the parser to miscalculate where the current message ends. Theloop then treats trailing data in the TCP segment as a second SIPmessage and processes it through the SDP parser.Fix this by changing clen to unsigned long to match the return type ofsimple_strtoul(), and reject Content-Length values that exceed theremaining TCP payload length.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31487 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:spi: use generic driver_override infrastructureWhen a driver is probed through __driver_attach(), the bus' match()callback is called without the device lock held, thus accessing thedriver_override field without a lock, which can cause a UAF.Fix this by using the driver-core driver_override infrastructure takingcare of proper locking internally.Note that calling match() from __driver_attach() without the device lockheld is intentional. [1]Also note that we do not enable the driver_override feature of structbus_type, as SPI - in contrast to most other buses - passes "" tosysfs_emit() when the driver_override pointer is NULL. Thus, printing"\n" instead of "(null)\n".

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31499 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timerand id_addr_timer while holding conn->lock. However, the work functionsl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquireconn->lock, creating a potential AB-BA deadlock if the work is alreadyexecuting when l2cap_conn_del() takes the lock.Move the work cancellations before acquiring conn->lock and usedisable_delayed_work_sync() to additionally prevent the works frombeing rearmed after cancellation, consistent with the pattern used inhci_conn_del().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31703 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:writeback: Fix use after free in inode_switch_wbs_work_fn()inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? */ if (!list) break; ... process the items ... }Now adding of items to the list looks like:wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work);Because inode_switch_wbs_work_fn() loops when processing isw items, itcan happen that wb->switch_work is pending while wb->switch_wbs_ctxs isempty. This is a problem because in that case wb can get freed (no iswitems -> no wb reference) while the work is still pending causinguse-after-free issues.We cannot just fix this by cancelling work when freeing wb because thatcould still trigger problematic 0 -> 1 transitions on wb refcount due towb_get() in inode_switch_wbs_work_fn(). It could be all handled withmore careful code but that seems unnecessarily complex so let's avoidthat until it is proven that the looping actually brings practicalbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.That way when wb_queue_isw() queues work, we are guaranteed we haveadded the first item to wb->switch_wbs_ctxs and nobody is going toremove it (and drop the wb reference it holds) until the queued workruns.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-33948 Severity: Moderate CVSS3 score: 5.3

Description: jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-3446 Severity: Moderate CVSS3 score: 5.3

Description: When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

Packages affected:

sles-release == 15.7 (version in image is 15.7-150700.67.6.1).
python311 > 0-0 (version in image is 3.11.15-150600.3.53.1).

CVE-2026-34979 Severity: Moderate CVSS3 score: 5.3

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-43109 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:x86: shadow stacks: proper error handling for mmap lock김영민 reports that shstk_pop_sigframe() doesn't check for errors frommmap_read_lock_killable(), which is a silly oversight, and also showsthat we haven't marked those functions with "__must_check", which wouldhave immediately caught it.So let's fix both issues.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43271 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:md-cluster: fix NULL pointer dereference in process_metadata_updateThe function process_metadata_update() blindly dereferences the 'thread'pointer (acquired via rcu_dereference_protected) within the wait_event()macro.While the code comment states "daemon thread must exist", there is a validrace condition window during the MD array startup sequence (md_run):1. bitmap_load() is called, which invokes md_cluster_ops->join().2. join() starts the "cluster_recv" thread (recv_daemon).3. At this point, recv_daemon is active and processing messages.4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().If a METADATA_UPDATED message is received from a remote node during thisspecific window, process_metadata_update() will be called whilemddev->thread is still NULL, leading to a kernel panic.To fix this, we must validate the 'thread' pointer. If it is NULL, werelease the held lock (no_new_dev_lockres) and return early, safelyignoring the update request as the array is not yet fully ready toprocess it.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43325 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: iwlwifi: mvm: don't send a 6E related command when not supportedMCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if thedevice doesn't support 6E.Apparently, the firmware is mistakenly advertising support for thiscommand even on AX201 which does not support 6E and then the firmwarecrashes.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-45409 Severity: Moderate CVSS3 score: 5.3

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
python3-idna > 0-0 (version in image is 2.6-150000.3.6.1).

CVE-2026-5435 Severity: Moderate CVSS3 score: 5.3

Description: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
glibc > 0-0 (version in image is 2.38-150600.14.46.1).

CVE-2026-6238 Severity: Moderate CVSS3 score: 5.3

Description: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
glibc > 0-0 (version in image is 2.38-150600.14.46.1).

CVE-2026-8328 Severity: Moderate CVSS3 score: 5.3

Description: The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.109.1).

CVE-2024-2201 Severity: Moderate CVSS3 score: 5.1

Description: A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-20012 Severity: Moderate CVSS3 score: 4.9

Description: Incorrect behavior order for some Intel(R) Core(tm) Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-1502 Severity: Moderate CVSS3 score: 4.9

Description: CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Packages affected:

sles-release == 15.7 (version in image is 15.7-150700.67.6.1).
python311 > 0-0 (version in image is 3.11.15-150600.3.53.1).

CVE-2026-27447 Severity: Moderate CVSS3 score: 4.8

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-31683 Severity: Moderate CVSS3 score: 4.8

Description: In the Linux kernel, the following vulnerability has been resolved:batman-adv: avoid OGM aggregation when skb tailroom is insufficientWhen OGM aggregation state is toggled at runtime, an existing forwardedpacket may have been allocated with only packet_len bytes, while a laterpacket can still be selected for aggregation. Appending in this case canhit skb_put overflow conditions.Reject aggregation when the target skb tailroom cannot accommodate the newpacket. The caller then falls back to creating a new forward packetinstead of appending.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-42011 Severity: Moderate CVSS3 score: 4.8

Description: A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-43961 Severity: Moderate CVSS3 score: 4.8

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2025-37942 Severity: Moderate CVSS3 score: 4.7

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-38383 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:mm/vmalloc: fix data race in show_numa_info()The following data-race was found in show_numa_info():==================================================================BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_showread to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299....write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299....value changed: 0x0000008f -> 0x00000000==================================================================According to this report,there is a read/write data-race becausem->private is accessible to multiple CPUs. To fix this, instead ofallocating the heap in proc_vmalloc_init() and passing the heap address tom->private, vmalloc_info_show() should allocate the heap.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-68745 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Clear cmds after chip resetCommit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handlingand host reset handling") caused two problems:1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore.2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs().So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" andpartially revert "scsi: qla2xxx: target: Fix offline port handling andhost reset handling" at __qla2x00_abort_all_cmds.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23019 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: marvell: prestera: fix NULL dereference on devlink_alloc() failuredevlink_alloc() may return NULL on allocation failure, butprestera_devlink_alloc() unconditionally calls devlink_priv() onthe returned pointer.This leads to a NULL pointer dereference if devlink allocation fails.Add a check for a NULL devlink pointer and return NULL early to avoidthe crash.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23050 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:pNFS: Fix a deadlock when returning a delegation during open()Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935The issue is that the delegreturn is being asked to wait for a layoutreturn that cannot complete because a state recovery was initiated. Thestate recovery cannot complete until the open() finishes processing thedelegations it was given.The solution is to propagate the existing flags that indicate anon-blocking call to the function pnfs_roc(), so that it knows not towait in this situation.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23304 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()l3mdev_master_dev_rcu() can return NULL when the slave device is beingun-slaved from a VRF. All other callers deal with this, but we lostthe fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu()with commit 4832c30d5458 ("net: ipv6: put host and anycast routes ondevice with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437)I was tempted to rework the un-slaving code to clear the flag firstand insert synchronize_rcu() before we remove the upper. But looks likethe explicit fallback to loopback_dev is an established pattern.And I guess avoiding the synchronize_rcu() is nice, too.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23371 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boostingRunning stress-ng --schedpolicy 0 on an RT kernel on a big machinemight lead to the following WARNINGs (edited). sched: DL de-boosted task PID 22725: REPLENISH flag missing WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 ... (running_bw underflow) Call trace: dequeue_task_dl+0x15c/0x1f8 (P) dequeue_task+0x80/0x168 deactivate_task+0x24/0x50 push_dl_task+0x264/0x2e0 dl_task_timer+0x1b0/0x228 __hrtimer_run_queues+0x188/0x378 hrtimer_interrupt+0xfc/0x260 ...The problem is that when a SCHED_DEADLINE task (lock holder) ischanged to a lower priority class via sched_setscheduler(), it mayfail to properly inherit the parameters of potential DEADLINE donorsif it didn't already inherit them in the past (shorter deadline thandonor's at that time). This might lead to bandwidth accountingcorruption, as enqueue_task_dl() won't recognize the lock holder asboosted.The scenario occurs when:1. A DEADLINE task (donor) blocks on a PI mutex held by another DEADLINE task (holder), but the holder doesn't inherit parameters (e.g., it already has a shorter deadline)2. sched_setscheduler() changes the holder from DEADLINE to a lower class while still holding the mutex3. The holder should now inherit DEADLINE parameters from the donor and be enqueued with ENQUEUE_REPLENISH, but this doesn't happenFix the issue by introducing __setscheduler_dl_pi(), which detects whena DEADLINE (proper or boosted) task gets setscheduled to a lowerpriority class. In case, the function makes the task inherit DEADLINEparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag toensure proper bandwidth accounting during the next enqueue operation.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23399 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:nf_tables: nft_dynset: fix possible stateful expression memleak in error pathIf cloning the second stateful expression in the element via GFP_ATOMICfails, then the first stateful expression remains in place without beingreleased. unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_noprof+0x453/0xd80 nft_counter_clone+0x9c/0x190 [nf_tables] nft_expr_clone+0x8f/0x1b0 [nf_tables] nft_dynset_new+0x2cb/0x5f0 [nf_tables] nft_rhash_update+0x236/0x11c0 [nf_tables] nft_dynset_eval+0x11f/0x670 [nf_tables] nft_do_chain+0x253/0x1700 [nf_tables] nft_do_chain_ipv4+0x18d/0x270 [nf_tables] nf_hook_slow+0xaa/0x1e0 ip_local_deliver+0x209/0x330

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23440 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Fix race condition during IPSec ESN updateIn IPSec full offload mode, the device reports an ESN (ExtendedSequence Number) wrap event to the driver. The driver validates thisevent by querying the IPSec ASO and checking that the esn_event_armfield is 0x0, which indicates an event has occurred. After handlingthe event, the driver must re-arm the context by setting esn_event_armback to 0x1.A race condition exists in this handling path. After validating theevent, the driver calls mlx5_accel_esp_modify_xfrm() to update thekernel's xfrm state. This function temporarily releases andre-acquires the xfrm state lock.So, need to acknowledge the event first by setting esn_event_arm to0x1. This prevents the driver from reprocessing the same ESN update ifthe hardware sends events for other reason. Since the next ESN updateonly occurs after nearly 2^31 packets are received, there's no risk ofmissing an update, as it will happen long after this handling hasfinished.Processing the event twice causes the ESN high-order bits (esn_msb) tobe incremented incorrectly. The driver then programs the hardware withthis invalid ESN state, which leads to anti-replay failures and acomplete halt of IPSec traffic.Fix this by re-arming the ESN event immediately after it is validated,before calling mlx5_accel_esp_modify_xfrm(). This ensures that anyspurious, duplicate events are correctly ignored, closing the racewindow.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23473 Severity: Moderate CVSS3 score: 4.7

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-27456 Severity: Moderate CVSS3 score: 4.7

Description: util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Packages affected:

sle-module-server-applications-release == 15.7 (version in image is 15.7-150700.28.1).
util-linux > 0-0 (version in image is 2.40.4-150700.4.10.1).

CVE-2026-31399 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:nvdimm/bus: Fix potential use after free in asynchronous initializationDingisoul with KASAN reports a use after free if device_add() fails innd_async_device_register().Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent whilescheduling async init") correctly added a reference on the parent deviceto be held until asynchronous initialization was complete. However, ifdevice_add() results in an allocation failure the ref count of thedevice drops to 0 prior to the parent pointer being accessed. Thusresulting in use after free.The bug bot AI correctly identified the fix. Save a reference to theparent pointer to be used to drop the parent reference regardless of theoutcome of device_add().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31404 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: Defer sub-object cleanup in export put callbackssvc_export_put() calls path_put() and auth_domain_put() immediatelywhen the last reference drops, before the RCU grace period. RCUreaders in e_show() and c_show() access both ex_path (viaseq_path/d_path) and ex_client->name (via seq_escape) withoutholding a reference. If cache_clean removes the entry and drops thelast reference concurrently, the sub-objects are freed while stillin use, producing a NULL pointer dereference in d_path.Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid orex_stats") moved kfree of ex_uuid and ex_stats into thecall_rcu callback, but left path_put() and auth_domain_put() runningbefore the grace period because both may sleep and call_rcucallbacks execute in softirq context.Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers thecallback until after the RCU grace period and executes it in processcontext where sleeping is permitted. This allows path_put() andauth_domain_put() to be moved into the deferred callback alongsidethe other resource releases. Apply the same fix to expkey_put(),which has the identical pattern with ek_path and ek_client.A dedicated workqueue scopes the shutdown drain to only NFSDexport release work items; flushing the sharedsystem_unbound_wq would stall on unrelated work from othersubsystems. nfsd_export_shutdown() uses rcu_barrier() followedby flush_workqueue() to ensure all deferred release callbackscomplete before the export caches are destroyed.Reviwed-by: Jeff Layton

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31446 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix use-after-free in update_super_work when racing with umountCommit b98535d09179 ("ext4: fix bug_on in start_this_handle during umountfilesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_workto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groupsreads during unmount. However, this introduced a use-after-free becauseupdate_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() whichaccesses the kobject's kernfs_node after it has been freed by kobject_del()in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)Instead of reordering the teardown sequence, fix this by makingext4_notify_error_sysfs() detect that sysfs has already been torn downby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() callin that case. A dedicated mutex (s_error_notify_mutex) serializesext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()to prevent TOCTOU races where the kobject could be deleted between thestate_in_sysfs check and the sysfs_notify() call.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31461 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Fix drm_edid leak in amdgpu_dm[WHAT]When a sink is connected, aconnector->drm_edid was overwritten withoutfreeing the previous allocation, causing a memory leak on resume.[HOW]Free the previous drm_edid before updating it.(cherry picked from commit 52024a94e7111366141cfc5d888b2ef011f879e5)

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31480 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Fix potential deadlock in cpu hotplug with osnoiseThe following sequence may leads deadlock in cpu hotplug: task1 task2 task3 ----- ----- ----- mutex_lock(&interface_lock) [CPU GOING OFFLINE] cpus_write_lock(); osnoise_cpu_die(); kthread_stop(task3); wait_for_completion(); osnoise_sleep(); mutex_lock(&interface_lock); cpus_read_lock(); [DEAD LOCK]Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock).

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31483 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:s390/syscalls: Add spectre boundary for syscall dispatch tableThe s390 syscall number is directly controlled by userspace, but doesnot have an array_index_nospec() boundary to prevent access past thesyscall function pointer tables.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31518 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:esp: fix skb leak with espintcp and async cryptoWhen the TX queue for espintcp is full, esp_output_tail_tcp willreturn an error and not free the skb, because with synchronous crypto,the common xfrm output code will drop the packet for us.With async crypto (esp_output_done), we need to drop the skb whenesp_output_tail_tcp returns an error.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31550 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:pmdomain: bcm: bcm2835-power: Increase ASB control timeoutThe bcm2835_asb_control() function uses a tight polling loop to waitfor the ASB bridge to acknowledge a request. During intensive workloads,this handshake intermittently fails for V3D's master ASB on BCM2711,resulting in "Failed to disable ASB master for v3d" errors duringruntime PM suspend. As a consequence, the failed power-off leaves V3D ina broken state, leading to bus faults or system hangs on later accesses.As the timeout is insufficient in some scenarios, increase the pollingtimeout from 1us to 5us, which is still negligible in the context of apower domain transition. Also, replace the open-coded ktime_get_ns()/cpu_relax() polling loop with readl_poll_timeout_atomic().

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31572 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:i2c: designware: amdisp: Fix resume-probe race condition issueIdentified resume-probe race condition in kernel v7.0 with the commit38fa29b01a6a ("i2c: designware: Combine the init functions"),but thisissue existed from the beginning though not detected.The amdisp i2c device requires ISP to be in power-on state for probeto succeed. To meet this requirement, this device is added to genpdto control ISP power using runtime PM. The pm_runtime_get_sync() calledbefore i2c_dw_probe() triggers PM resume, which powers on ISP and alsoinvokes the amdisp i2c runtime resume before the probe completes resultingin this race condition and a NULL dereferencing issue in v7.0Fix this race condition by using the genpd APIs directly during probe: - Call dev_pm_genpd_resume() to Power ON ISP before probe - Call dev_pm_genpd_suspend() to Power OFF ISP after probe - Set the device to suspended state with pm_runtime_set_suspended() - Enable runtime PM only after the device is fully initialized

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31595 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanupDisable the delayed work before clearing BAR mappings and doorbells toavoid running the handler after resources have been torn down. Unable to handle kernel paging request at virtual address ffff800083f46004 [...] Internal error: Oops: 0000000096000007 [#1] SMP [...] Call trace: epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P) process_one_work+0x154/0x3b0 worker_thread+0x2c8/0x400 kthread+0x148/0x210 ret_from_fork+0x10/0x20

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31628 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:x86/CPU: Fix FPDSS on Zen1Zen1's hardware divider can leave, under certain circumstances, partialresults from previous operations. Those results can be leaked byanother, attacker thread.Fix that with a chicken bit.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31634 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:rxrpc: fix reference count leak in rxrpc_server_keyring()This patch fixes a reference count leak in rxrpc_server_keyring()by checking if rx->securities is already set.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31658 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()When dma_map_single() fails in tse_start_xmit(), the function returnsNETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells thestack the packet was consumed, the skb is never freed, leaking memoryon every DMA mapping failure.Add dev_kfree_skb_any() before returning to properly free the skb.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31680 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipv6: flowlabel: defer exclusive option free until RCU teardown`ip6fl_seq_show()` walks the global flowlabel hash under the seq-fileRCU read-side lock and prints `fl->opt->opt_nflen` when an option blockis present.Exclusive flowlabels currently free `fl->opt` as soon as `fl->users`drops to zero in `fl_release()`. However, the surrounding`struct ip6_flowlabel` remains visible in the global hash table untillater garbage collection removes it and `fl_free_rcu()` finally tears itdown.A concurrent `/proc/net/ip6_flowlabel` reader can therefore race thatearly `kfree()` and dereference freed option state, triggering a crashin `ip6fl_seq_show()`.Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matchesthe lifetime already required for the enclosing flowlabel while readerscan still reach it under RCU.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43265 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()Ignore -EBUSY when checking nested events after exiting a blocking statewhile L2 is active, as exiting to userspace will generate a spurioususerspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM'sdemise. Continuing with the wakeup isn't perfect either, as *something*has gone sideways if a vCPU is awakened in L2 with an injected event (orworse, a nested run pending), but continuing on gives the VM a decentchance of surviving without any major side effects.As explained in the Fixes commits, it _should_ be impossible for a vCPU tobe put into a blocking state with an already-injected event (exception,IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injectedevents, and thus put the vCPU into what should be an impossible state.Don't bother trying to preserve the WARN, e.g. with an anti-syzkallerKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would beviolating x86 architecture, e.g. by WARNing if KVM attempts to inject anexception or interrupt while the vCPU isn't running.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43336 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:lib/crypto: chacha: Zeroize permuted_state before it leaves scopeSince the ChaCha permutation is invertible, the local variable'permuted_state' is sufficient to compute the original 'state', and thusthe key, even after the permutation has been done.While the kernel is quite inconsistent about zeroizing secrets on thestack (and some prominent userspace crypto libraries don't bother at allsince it's not guaranteed to work anyway), the kernel does try to do itas a best practice, especially in cases involving the RNG.Thus, explicitly zeroize 'permuted_state' before it goes out of scope.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43344 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:perf/x86/intel/uncore: Fix die ID init and look up bugsIn snbep_pci2phy_map_init(), in the nr_node_ids > 8 path,uncore_device_to_die() may return -1 when all CPUs associatedwith the UBOX device are offline.Remove the WARN_ON_ONCE(die_id == -1) check for two reasons:- The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be skipped during the scan.- Returning -EINVAL is incorrect, since marking offline buses with die_id == -1 is expected and should not be treated as an error.Separately, when NUMA is disabled on a NUMA-capable platform,pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die()to return -1 for all PCI devices. As a result,spr_update_device_location(), used on Intel SPR and EMR, ignores thecorresponding PMON units and does not add them to the RB tree.Fix this by using uncore_pcibus_to_dieid(), which retrieves topologyfrom the UBOX GIDNIDMAP register and works regardless of whether NUMAis enabled in Linux. This requires snbep_pci2phy_map_init() to beadded in spr_uncore_pci_init().Keep uncore_device_to_die() only for the nr_node_ids > 8 case, whereNUMA is expected to be enabled.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43353 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:i3c: mipi-i3c-hci: Fix race in DMA ring dequeueThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked formultiple transfers that timeout around the same time. However, thefunction is not serialized and can race with itself.When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processesincomplete transfers, and then restarts the ring. If another timeouttriggers a parallel call into the same function, the two instances mayinterfere with each other - stopping or restarting the ring at unexpectedtimes.Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect toitself.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23290 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: pegasus: validate USB endpointsThe pegasus driver should validate that the device it is probing has theproper number and types of USB endpoints it is expecting before it bindsto it. If a malicious device were to not have the same urbs the driverwill crash later on when it blindly accesses these endpoints.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31623 Severity: Moderate CVSS3 score: 4.6

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()A malicious USB device claiming to be a CDC Phonet modem can overflowthe skb_shared_info->frags[] array by sending an unbounded sequence offull-page bulk transfers.Drop the skb and increment the length error when the frag limit isreached. This matches the same fix that commit f0813bcd2d9d ("net:wwan: t7xx: fix potential skb->frags overflow in RX path") did for thet7xx driver.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-11065 Severity: Moderate CVSS3 score: 4.5

Description: A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.245.2).

CVE-2026-31427 Severity: Moderate CVSS3 score: 4.5

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdpprocess_sdp() declares union nf_inet_addr rtp_addr on the stack andpasses it to the nf_nat_sip sdp_session hook after walking the SDPmedia descriptions. However rtp_addr is only initialized inside themedia loop when a recognized media type with a non-zero port is found.If the SDP body contains no m= lines, only inactive media sections(m=audio 0 ...) or only unrecognized media types, rtp_addr is neverassigned. Despite that, the function still calls hooks->sdp_session()with &rtp_addr, causing nf_nat_sdp_session() to format the stale stackvalue as an IP address and rewrite the SDP session owner and connectionlines with it.With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) thisresults in the session-level o= and c= addresses being rewritten to0.0.0.0 for inactive SDP sessions. Without stack auto-init therewritten address is whatever happened to be on the stack.Fix this by pre-initializing rtp_addr from the session-level connectionaddress (caddr) when available, and tracking via a have_rtp_addr flagwhether any valid address was established. Skip the sdp_session hookentirely when no valid address exists.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31673 Severity: Moderate CVSS3 score: 4.5

Description: In the Linux kernel, the following vulnerability has been resolved:af_unix: read UNIX_DIAG_VFS data under unix_state_lockExact UNIX diag lookups hold a reference to the socket, but not tou->path. Meanwhile, unix_release_sock() clears u->path underunix_state_lock() and drops the path reference after unlocking.Read the inode and device numbers for UNIX_DIAG_VFS while holdingunix_state_lock(), then emit the netlink attribute after dropping thelock.This keeps the VFS data stable while the reply is being built.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40144 Severity: Moderate CVSS3 score: 4.4

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-40255 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()The ethtool tsconfig Netlink path can trigger a null pointerdereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower()results in generic_hwtstamp_ioctl_lower() being called withkernel_cfg->ifr as NULL.The generic_hwtstamp_ioctl_lower() function does not expecta NULL ifr and dereferences it, leading to a system crash.Fix this by adding a NULL check for kernel_cfg->ifr ingeneric_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-71233 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: endpoint: Avoid creating sub-groups asynchronouslyThe asynchronous creation of sub-groups by a delayed work could lead to aNULL pointer dereference when the driver directory is removed before thework completes.The crash can be easily reproduced with the following commands: # cd /sys/kernel/config/pci_ep/functions/pci_epf_test # for i in {1..20}; do mkdir test && rmdir test; done BUG: kernel NULL pointer dereference, address: 0000000000000088 ... Call Trace: configfs_register_group+0x3d/0x190 pci_epf_cfs_work+0x41/0x110 process_one_work+0x18f/0x350 worker_thread+0x25a/0x3a0Fix this issue by using configfs_add_default_group() API which does nothave the deadlock problem as configfs_register_group() and does not requirethe delayed work handler.[mani: slightly reworded the description and added stable list]

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23031 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leakIn gs_can_open(), the URBs for USB-in transfers are allocated, added to theparent->rx_submitted anchor and submitted. In the complete callbackgs_usb_receive_bulk_callback(), the URB is processed and resubmitted. Ings_can_close() the URBs are freed by callingusb_kill_anchored_urbs(parent->rx_submitted).However, this does not take into account that the USB framework unanchorsthe URB before the complete function is called. This means that once anin-URB has been completed, it is no longer anchored and is ultimately notreleased in gs_can_close().Fix the memory leak by anchoring the URB in thegs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23300 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthopWhen a standalone IPv6 nexthop object is created with a loopback device(e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifiesit as a reject route. This is because nexthop objects have no destinationprefix (fc_dst=::), causing fib6_is_reject() to match any loopbacknexthop. The reject path skips fib_nh_common_init(), leavingnhc_pcpu_rth_output unallocated. If an IPv4 route later references thisnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output andpanics.Simplify the check in fib6_nh_init() to only match explicit rejectroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopbackpromotion heuristic in fib6_is_reject() is handled separately byip6_route_info_create_nh(). After this change, the three cases behaveas follows:1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23310 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loadedbond_option_mode_set() already rejects mode changes that would make aloaded XDP program incompatible via bond_xdp_check(). However,bond_option_xmit_hash_policy_set() has no such guard.For 802.3ad and balance-xor modes, bond_xdp_check() returns false whenxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usuallyabsent due to hardware offload. This means a user can:1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.This leaves bond->xdp_prog set but bond_xdp_check() now returning falsefor the same device. When the bond is later destroyed, dev_xdp_uninstall()calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hitsthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when anXDP program is loaded on a bond in 802.3ad or balance-xor mode.commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP")introduced bond_xdp_check() which returns false for 802.3ad/balance-xormodes when xmit_hash_policy is vlan+srcmac. The check was wired intobond_xdp_set() to reject XDP attachment with an incompatible policy, butthe symmetric path -- preventing xmit_hash_policy from being changed to anincompatible value after XDP is already loaded -- was left unguarded inbond_option_xmit_hash_policy_set().Note:commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode")later added a similar guard to bond_option_mode_set(), butbond_option_xmit_hash_policy_set() remained unprotected.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23333 Severity: Moderate CVSS3 score: 4.4

Description: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23397 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:nfnetlink_osf: validate individual option lengths in fingerprintsnfnl_osf_add_callback() validates opt_num bounds and stringNUL-termination but does not check individual option length fields.A zero-length option causes nf_osf_match_one() to enter the optionmatching loop even when foptsize sums to zero, which matches packetswith no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573)Additionally, an MSS option (kind=2) with length < 4 causesout-of-bounds reads when nf_osf_match_one() unconditionally accessesoptp[2] and optp[3] for MSS value extraction. While RFC 9293section 3.2 specifies that the MSS option is always exactly 4bytes (Kind=2, Length=4), the check uses "< 4" rather than"!= 4" because lengths greater than 4 do not cause memorysafety issues -- the buffer is guaranteed to be at leastfoptsize bytes by the ctx->optsize == foptsize check.Reject fingerprints where any option has zero length, or where an MSSoption has length less than 4, at add time rather than trusting thesevalues in the packet matching hot path.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31407 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: conntrack: add missing netlink policy validationsHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.These attributes are used by the kernel without any validation.Extend the netlink policies accordingly.Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31415 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: avoid overflows in ip6_datagram_send_ctl()Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`:- In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). ----truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31464 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()A malicious or compromised VIO server can return a num_written value in thediscover targets MAD response that exceeds max_targets. This value isstored directly in vhost->num_targets without validation, and is then usedas the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], whichis only allocated for max_targets entries. Indices at or beyond max_targetsaccess kernel memory outside the DMA-coherent allocation. Theout-of-bounds data is subsequently embedded in Implicit Logout and PLOGIMADs that are sent back to the VIO server, leaking kernel memory.Fix by clamping num_written to max_targets before storing it.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31494 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: use the current queue number for statsThere's a potential mismatch between the memory reserved for statisticsand the amount of memory written.gem_get_sset_count() correctly computes the number of stats based on theactive queues, whereas gem_get_ethtool_stats() indiscriminately copiesdata using the maximum number of queues, and in the case the number ofactive queues is less than MACB_MAX_QUEUES, this results in a OOB writeas observed in the KASAN splat.==================================================================BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]Write of size 760 at addr ffff80008080b000 by task ethtool/1027CPU: [...]Tainted: [E]=UNSIGNED_MODULEHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 print_report+0x384/0x5e0 kasan_report+0xa0/0xf0 kasan_check_range+0xe8/0x190 __asan_memcpy+0x54/0x98 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65] dev_ethtool+0x1220/0x38c0 dev_ioctl+0x4ac/0xca8 sock_do_ioctl+0x170/0x1d8 sock_ioctl+0x484/0x5d8 __arm64_sys_ioctl+0x12c/0x1b8 invoke_syscall+0xd4/0x258 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1b0/0x1b8The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0The buggy address belongs to the physical page:page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000page dumped because: kasan: bad access detectedMemory state around the buggy address: ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8==================================================================Fix it by making sure the copied size only considers the active number ofqueues.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31515 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:af_key: validate families in pfkey_send_migrate()syzbot was able to trigger a crash in skb_put() [1]Issue is that pfkey_send_migrate() does not check old/new families,and that set_ipsecrequest() @family argument was truncated,thus possibly overfilling the skb.Validate families early, do not wait set_ipsecrequest().[1]skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev: kernel BUG at net/core/skbuff.c:214 !Call Trace: skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31521 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:module: Fix kernel panic when a symbol st_shndx is out of boundsThe module loader doesn't check for bounds of the ELF section index insimplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } }A symbol with an out-of-bounds st_shndx value, for example 0xffff(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exceptionThis can happen when module ELF is legitimately using SHN_XINDEX orwhen it is corrupted.Add a bounds check in simplify_symbols() to validate that st_shndx iswithin the valid range before using it.This issue was discovered due to a bug in llvm-objcopy, see relevantdiscussion for details [1].[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31668 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:seg6: separate dst_cache for input and output paths in seg6 lwtunnelThe seg6 lwtunnel uses a single dst_cache per encap route, sharedbetween seg6_input_core() and seg6_output_core(). These two pathscan perform the post-encap SID lookup in different routing contexts(e.g., ip rules matching on the ingress interface, or VRF tableseparation). Whichever path runs first populates the cache, and theother reuses it blindly, bypassing its own lookup.Fix this by splitting the cache into cache_input and cache_output,so each path maintains its own cached dst independently.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31681 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: xt_multiport: validate range encoding in checkentryports_match_v1() treats any non-zero pflags entry as the start of aport range and unconditionally consumes the next ports[] element asthe range end.The checkentry path currently validates protocol, flags and count, butit does not validate the range encoding itself. As a result, malformedrules can mark the last slot as a range start or place two range startsback to back, leaving ports_match_v1() to step past the last validports[] element while interpreting the rule.Reject malformed multiport v1 rules in checkentry by validating thateach range start has a following element and that the following elementis not itself marked as another range start.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31689 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:EDAC/mc: Fix error path ordering in edac_mc_alloc()When the mci->pvt_info allocation in edac_mc_alloc() fails, the error pathwill call put_device() which will end up calling the device's releasefunction.However, the init ordering is wrong such that device_initialize() happens*after* the failed allocation and thus the device itself and the releasefunction pointer are not initialized yet when they're called: MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ...Reorder the calling sequence so that the device is initialized and thus therelease function pointer is properly set before it can be used.This was found by Claude while reviewing another EDAC patch.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43338 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: reserve enough transaction items for qgroup ioctlsCurrently our qgroup ioctls don't reserve any space, they just do atransaction join, which does not reserve any space, neither for the quotatree updates nor for the delayed refs generated when updating the quotatree. The quota root uses the global block reserve, which is fine most ofthe time since we don't expect a lot of updates to the quota root, or tobe too close to -ENOSPC such that other critical metadata updates need toresort to the global reserve.However this is not optimal, as not reserving proper space may result in atransaction abort due to not reserving space for delayed refs and thenabusing the use of the global block reserve.For example, the following reproducer (which is unlikely to model anyreal world use case, but just to illustrate the problem), triggers such atransaction abort due to -ENOSPC when running delayed refs: $ cat test.sh #!/bin/bash DEV=/dev/nullb0 MNT=/mnt/nullb0 umount $DEV &> /dev/null # Limit device to 1G so that it's much faster to reproduce the issue. mkfs.btrfs -f -b 1G $DEV mount -o commit=600 $DEV $MNT fallocate -l 800M $MNT/filler btrfs quota enable $MNT for ((i = 1; i <= 400000; i++)); do btrfs qgroup create 1/$i $MNT done umount $MNTWhen running this, we can see in dmesg/syslog that a transaction aborthappened: [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28 [436.493] ------------[ cut here ]------------ [436.494] BTRFS: Transaction aborted (error -28) [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372 [436.497] Modules linked in: btrfs loop (...) [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [436.510] Tainted: [W]=WARN [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs] [436.514] Code: 0f 82 ea (...) [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292 [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001 [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80 [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867 [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400 [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000 [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000 [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0 [436.530] Call Trace: [436.530] [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs] [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs] [436.532] sync_filesystem+0x7a/0x90 [436.533] generic_shutdown_super+0x28/0x180 [436.533] kill_anon_super+0x12/0x40 [436.534] btrfs_kill_super+0x12/0x20 [btrfs] [436.534] deactivate_locked_super+0x2f/0xb0 [436.534] cleanup_mnt+0xea/0x180 [436.535] task_work_run+0x58/0xa0 [436.535] exit_to_user_mode_loop+0xed/0x480 [436.536] ? __x64_sys_umount+0x68/0x80 [436.536] do_syscall_64+0x2a5/0xf20 [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e [436.537] RIP: 0033:0x7fe5906b6217 [436.538] Code: 0d 00 f7 (...) [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217 [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100 [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff [436.544] R10: 0000000000000103 R11: ---truncated---

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43895 Severity: Moderate CVSS3 score: 4.4

Description: jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
jq > 0-0 (version in image is 1.6-150000.3.12.1).

CVE-2026-44656 Severity: Moderate CVSS3 score: 4.4

Description: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE-2025-32728 Severity: Moderate CVSS3 score: 4.3

Description: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

Packages affected:

sle-module-desktop-applications-release == 15.7 (version in image is 15.7-150700.28.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-23180 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:dpaa2-switch: add bounds check for if_id in IRQ handlerThe IRQ handler extracts if_id from the upper 16 bits of the hardwarestatus register and uses it to index into ethsw->ports[] withoutvalidation. Since if_id can be any 16-bit value (0-65535) but the portsarray is only allocated with sw_attr.num_ifs elements, this can lead toan out-of-bounds read potentially.Add a bounds check before accessing the array, consistent with theexisting validation in dpaa2_switch_rx().

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23206 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zeroThe driver allocates arrays for ports, FDBs, and filter blocks usingkcalloc() with ethsw->sw_attr.num_ifs as the element count. When thedevice reports zero interfaces (either due to hardware configurationor firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10)instead of NULL.Later in dpaa2_switch_probe(), the NAPI initialization unconditionallyaccesses ethsw->ports[0]->netdev, which attempts to dereferenceZERO_SIZE_PTR (address 0x10), resulting in a kernel panic.Add a check to ensure num_ifs is greater than zero after retrievingdevice attributes. This prevents the zero-sized allocations andsubsequent invalid pointer dereference.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31682 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:bridge: br_nd_send: linearize skb before parsing ND optionsbr_nd_send() parses neighbour discovery options from ns->opt[] andassumes that these options are in the linear part of request.Its callers only guarantee that the ICMPv6 header and target addressare available, so the option area can still be non-linear. Parsingns->opt[] in that case can access data past the linear buffer.Linearize request before option parsing and derive ns from the linearnetwork header.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43184 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:rnbd-srv: Zero the rsp buffer before using itBefore using the data buffer to send back the response message, zero itcompletely. This prevents any stray bytes to be picked up by the clientside when there the message is exchanged between different protocolversions.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2021-37577 Severity: Moderate CVSS3 score: 4.2

Description: Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-35414 Severity: Moderate CVSS3 score: 4.2

Description: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
openssh < 9.6p1-150600.6.37.1 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-43424 Severity: Moderate CVSS3 score: 4.2

Description: In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handlingThe `tpg->tpg_nexus` pointer in the USB Target driver is dynamicallymanaged and tied to userspace configuration via ConfigFS. It can beNULL if the USB host sends requests before the nexus is fullyestablished or immediately after it is dropped.Currently, functions like `bot_submit_command()` and the datatransfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediatelydereference `tv_nexus->tvn_se_sess` without any validation. If amalicious or misconfigured USB host sends a BOT (Bulk-Only Transport)command during this race window, it triggers a NULL pointerdereference, leading to a kernel panic (local DoS).This exposes an inconsistent API usage within the module, as peerfunctions like `usbg_submit_command()` and `bot_send_bad_response()`correctly implement a NULL check for `tv_nexus` before proceeding.Fix this by bringing consistency to the nexus handling. Add themissing `if (!tv_nexus)` checks to the vulnerable BOT command andrequest processing paths, aborting the command gracefully with anerror instead of crashing the system.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-43066 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix iloc.bh leak in ext4_fc_replay_inode() error pathsDuring code review, Joseph found that ext4_fc_replay_inode() callsext4_get_fc_inode_loc() to get the inode location, which holds areference to iloc.bh that must be released via brelse().However, several error paths jump to the 'out' label withoutreleasing iloc.bh: - ext4_handle_dirty_metadata() failure - sync_dirty_buffer() failure - ext4_mark_inode_used() failure - ext4_iget() failureFix this by introducing an 'out_brelse' label placed just beforethe existing 'out' label to ensure iloc.bh is always released.Additionally, make ext4_fc_replay_inode() propagate errorsproperly instead of always returning 0.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-66382 Severity: Moderate CVSS3 score: 4.0

Description: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libexpat1 > 0-0 (version in image is 2.7.1-150700.3.12.1).

CVE-2026-42014 Severity: Moderate CVSS3 score: 4.0

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2025-13763 Severity: Low CVSS3 score: 3.9

Description: Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
opensc > 0-0 (version in image is 0.22.0-150600.11.6.1).

CVE-2025-66037 Severity: Low CVSS3 score: 3.9

Description: OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
opensc > 0-0 (version in image is 0.22.0-150600.11.6.1).

CVE-2025-66038 Severity: Low CVSS3 score: 3.9

Description: OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
opensc > 0-0 (version in image is 0.22.0-150600.11.6.1).

CVE-2026-43065 Severity: Low CVSS3 score: 3.9

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: always drain queued discard work in ext4_mb_release()While reviewing recent ext4 patch[1], Sashiko raised the followingconcern[2]:> If the filesystem is initially mounted with the discard option,> deleting files will populate sbi->s_discard_list and queue> s_discard_work. If it is then remounted with nodiscard, the> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is> neither cancelled nor flushed.[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.devThe concern was valid, but it had nothing to do with the patch[1].One of the problems with Sashiko in its current (early) form is thatit will detect pre-existing issues and report it as a problem with thepatch that it is reviewing.In practice, it would be hard to hit deliberately (unless you are amalicious syzkaller fuzzer), since it would involve mounting the filesystem with -o discard, and then deleting a large number of files,remounting the file system with -o nodiscard, and then immediatelyunmounting the file system before the queued discard work has a changeto drain on its own.Fix it because it's a real bug, and to avoid Sashiko from raising thisconcern when analyzing future patches to mballoc.c.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-49010 Severity: Low CVSS3 score: 3.8

Description: OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
opensc > 0-0 (version in image is 0.22.0-150600.11.6.1).

CVE-2025-66215 Severity: Low CVSS3 score: 3.8

Description: OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
opensc > 0-0 (version in image is 0.22.0-150600.11.6.1).

CVE-2026-6019 Severity: Low CVSS3 score: 3.8

Description: http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Packages affected:

sles-release == 15.7 (version in image is 15.7-150700.67.6.1).
python311 > 0-0 (version in image is 3.11.15-150600.3.53.1).

CVE-2026-5419 Severity: Moderate CVSS3 score: 3.7

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libgnutls30 > 0-0 (version in image is 3.8.3-150600.4.17.1).

CVE-2026-4873 Severity: Low CVSS3 score: 3.7

Description: A vulnerability exists where a connection requiring TLS incorrectly reuses anexisting unencrypted connection from the same connection pool. If an initialtransfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent requestto that same host bypasses the TLS requirement and instead transmit dataunencrypted.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-5773 Severity: Low CVSS3 score: 3.7

Description: libcurl might in some circumstances reuse the wrong connection for SMB(S)transfers.libcurl features a pool of recent connections so that subsequent requests canreuse an existing connection to avoid overhead.When reusing a connection a range of criteria must be met. Due to a logicalerror in the code, a network transfer operation that was requested by anapplication could wrongfully reuse an existing SMB connection to the sameserver that was using a different 'share' than the new subsequent transfershould.This could in unlucky situations lead to the download of the wrong file or theupload of a file to the wrong place. When this happens, the same credentialsare used and the server name is the same.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-6276 Severity: Low CVSS3 score: 3.7

Description: Using libcurl, when a custom `Host:` header is first set for an HTTP requestand a second request is subsequently done using the same *easy handle* butwithout the custom `Host:` header set, the second request would use staleinformation and pass on cookies meant for the first host in the secondrequest. Leak them.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
curl > 0-0 (version in image is 8.14.1-150700.7.14.1).

CVE-2026-35386 Severity: Low CVSS3 score: 3.6

Description: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Packages affected:

sle-module-desktop-applications-release == 15.7 (version in image is 15.7-150700.28.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-41079 Severity: Low CVSS3 score: 3.5

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
cups-config > 0-0 (version in image is 2.2.7-150000.3.86.1).

CVE-2026-23321 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: pm: in-kernel: always mark signal+subflow endp as usedSyzkaller managed to find a combination of actions that was generatingthis warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961 Modules linked in: CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full) Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline] RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline] RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210 Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a RSP: 0018:ffffc90001663880 EFLAGS: 00010293 RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640 R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650 FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0 Call Trace: genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:742 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592 ___sys_sendmsg+0x2de/0x320 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66346f826d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8 R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770 The actions that caused that seem to be: - Set the MPTCP subflows limit to 0 - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags - Create a new MPTCP connection from a different address: an ADD_ADDR linked to the MPTCP endpoint will be sent ('signal' flag), but no subflows is initiated ('subflow' flag) - Remove the MPTCP endpoint---truncated---

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-3219 Severity: Moderate CVSS3 score: 3.3

Description: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-43088 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: af_key: zero aligned sockaddr tail in PF_KEY exportsPF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddrpayload space, so IPv6 addresses occupy 32 bytes on the wire. However,`pfkey_sockaddr_fill()` initializes only the first 28 bytes of`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.Not every PF_KEY message is affected. The state and policy dump buildersalready zero the whole message buffer before filling the sockaddrpayloads. Keep the fix to the export paths that still append alignedsockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE`Fix those paths by clearing only the aligned sockaddr tail after`pfkey_sockaddr_fill()`.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-11839 Severity: Low CVSS3 score: 3.3

Description: A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-11840 Severity: Low CVSS3 score: 3.3

Description: A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-38549 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error pathsWhen processing mount options, efivarfs allocates efivarfs_fs_info (sfi)early in fs_context initialization. However, sfi is associated with thesuperblock and typically freed when the superblock is destroyed. If thefs_context is released (final put) before fill_super is called-such ason error paths or during reconfiguration-the sfi structure would leak,as ownership never transfers to the superblock.Implement the .free callback in efivarfs_context_ops to ensure anyallocated sfi is properly freed if the fs_context is torn down beforefill_super, preventing this memory leak.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-69645 Severity: Low CVSS3 score: 3.3

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69649 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69652 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-71160 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_tables: avoid chain re-validation if possibleHamza Mahfooz reports cpu soft lock-ups innft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547][..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables][..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables][..]Currently nf_tables will traverse the entire table (chain graph), startingfrom the entry points (base chains), exploring all possible paths(chain jumps). But there are cases where we could avoid revalidation.Consider:1 input -> j2 -> j32 input -> j2 -> j33 input -> j1 -> j2 -> j3Then the second rule does not need to revalidate j2, and, by extension j3,because this was already checked during validation of the first rule.We need to validate it only for rule 3.This is needed because chain loop detection also ensures we do not exceedthe jump stack: Just because we know that j2 is cycle free, its last jumpmight now exceed the allowed stack size. We also need to update allreachable chains with the new largest observed call depth.Care has to be taken to revalidate even if the chain depth won't be anissue: chain validation also ensures that expressions are not called frominvalid base chains. For example, the masquerade expression can only becalled from NAT postrouting base chains.Therefore we also need to keep record of the base chain context (type,hooknum) and revalidate if the chain becomes reachable from a differenthook location.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23032 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:null_blk: fix kmemleak by releasing references to fault configfs itemsWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blkdriver sets up fault injection support by creating the timeout_inject,requeue_inject, and init_hctx_fault_inject configfs items as childrenof the top-level nullbX configfs group.However, when the nullbX device is removed, the references taken tothese fault-config configfs items are not released. As a result,kmemleak reports a memory leak, for example:unreferenced object 0xc00000021ff25c40 (size 32): comm "mkdir", pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ecFix this by explicitly releasing the references to the fault-configconfigfs items when dropping the reference to the top-level nullbXconfigfs group.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23258 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: liquidio: Initialize netdev pointer before queue setupIn setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq().However, the pointer to this structure is stored in oct->props[i].netdevonly after the calls to netif_set_real_num_rx_queues() andnetif_set_real_num_tx_queues().If either of these functions fails, setup_nic_devices() returns an errorwithout freeing the allocated netdev. Since oct->props[i].netdev is stillNULL at this point, the cleanup function liquidio_destroy_nic_device()will fail to find and free the netdev, resulting in a memory leak.Fix this by initializing oct->props[i].netdev before calling the queuesetup functions. This ensures that the netdev is properly accessible forcleanup in case of errors.Compile tested only. Issue found using a prototype static analysis tooland code review.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-23335 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK};rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().The reserved members of the structure were not zeroed.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31391 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: atmel-sha204a - Fix OOM ->tfm_count leakIf memory allocation fails, decrement ->tfm_count to avoid blockingfuture reads.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31416 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nfnetlink_log: account for netlink header sizeThis is a followup to an old bug fix: NLMSG_DONE needs to accountfor the netlink header size, not just the attribute size.This can result in a WARN splat + drop of the netlink message,but other than this there are no ill effects.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31496 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nf_conntrack_expect: skip expectations in other netns via procSkip expectations that do not reside in this netns.Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns'sconntrack entries via proc").

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31645 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: lan966x: fix page pool leak in error pathslan966x_fdma_rx_alloc() creates a page pool but does not destroy it ifthe subsequent fdma_alloc_coherent() call fails, leaking the pool.Similarly, lan966x_fdma_init() frees the coherent DMA memory whenlan966x_fdma_tx_alloc() fails but does not destroy the page pool thatwas successfully created by lan966x_fdma_rx_alloc(), leaking it.Add the missing page_pool_destroy() calls in both error paths.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31671 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm_user: fix info leak in build_report()struct xfrm_user_report is a __u8 proto field followed by a structxfrm_selector which means there is three "empty" bytes of padding, butthe padding is never zeroed before copying to userspace. Fix that up byzeroing the structure before setting individual member variables.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-3479 Severity: Low CVSS3 score: 3.3

Description: DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libpython3_6m1_0 < 3.6.15-150300.10.118.1 (version in image is 3.6.15-150300.10.109.1).

CVE-2026-43419 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:ceph: fix memory leaks in ceph_mdsc_build_path()Add __putname() calls to error code paths that did not free the "path"pointer obtained by __getname(). If ownership of this pointer is notpassed to the caller via path_info.path, the function must free itbefore returning.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-35387 Severity: Low CVSS3 score: 3.1

Description: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Packages affected:

sle-module-desktop-applications-release == 15.7 (version in image is 15.7-150700.28.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-45186 Severity: Low CVSS3 score: 2.9

Description: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libexpat1 > 0-0 (version in image is 2.7.1-150700.3.12.1).

CVE-2025-66863 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66866 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-13462 Severity: Low CVSS3 score: 2.5

Description: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libpython3_6m1_0 < 3.6.15-150300.10.118.1 (version in image is 3.6.15-150300.10.109.1).

CVE-2025-39737 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()A soft lockup warning was observed on a relative small system x86-64system with 16 GB of memory when running a debug kernel with kmemleakenabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]The test system was running a workload with hot unplug happening inparallel. Then kemleak decided to disable itself due to its inability toallocate more kmemleak objects. The debug kernel has itsCONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.The soft lockup happened in kmemleak_do_cleanup() when the existingkmemleak objects were being removed and deleted one-by-one in a loop via aworkqueue. In this particular case, there are at least 40,000 objectsthat need to be processed and given the slowness of a debug kernel and thefact that a raw_spinlock has to be acquired and released in__delete_object(), it could take a while to properly handle all theseobjects.As kmemleak has been disabled in this case, the object removal anddeletion process can be further optimized as locking isn't really needed. However, it is probably not worth the effort to optimize for such an edgecase that should rarely happen. So the simple solution is to callcond_resched() at periodic interval in the iteration loop to avoid softlockup.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-66861 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66864 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66865 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-23330 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:nfc: nci: complete pending data exchange on device closeIn nci_close_device(), complete any pending data exchange beforeclosing. The data exchange callback (e.g.rawsock_data_exchange_complete) holds a socket reference.NIPA occasionally hits this leak:unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc ec2b3c5): __kmalloc_noprof+0x4db/0x730 sk_prot_alloc.isra.0+0xe4/0x1d0 sk_alloc+0x36/0x760 rawsock_create+0xd1/0x540 nfc_sock_create+0x11f/0x280 __sock_create+0x22d/0x630 __sys_socket+0x115/0x1d0 __x64_sys_socket+0x72/0xd0 do_syscall_64+0x117/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-31482 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390/entry: Scrub r12 register on kernel entryBefore commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"),all entry handlers loaded r12 with the current task pointer(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. Thatcommit removed TIF_ISOLATE_BP, dropping both the branch predictionmacros and the r12 load, but did not add r12 to the register clearingsequence.Add the missing xgr %r12,%r12 to make the register scrub consistentacross all entry points.

Packages affected:

sle-module-development-tools-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-35388 Severity: Low CVSS3 score: 2.5

Description: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Packages affected:

sle-module-desktop-applications-release == 15.7 (version in image is 15.7-150700.28.1).
openssh > 0-0 (version in image is 9.6p1-150600.6.34.1).

CVE-2026-41080 Severity: Low CVSS3 score: 2.5

Description: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
libexpat1 > 0-0 (version in image is 2.7.1-150700.3.12.1).

CVE-2023-20585 Severity: Moderate CVSS3 score: None

Description: Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-20054 Severity: Moderate CVSS3 score: None

Description: Uncaught exception in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2025-20103 Severity: Moderate CVSS3 score: None

Description: Insufficient resource pool in the core management mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable denial of service via local access.

Packages affected:

sle-module-public-cloud-release == 15.7 (version in image is 15.7-150700.28.1).
kernel-default > 0-0 (version in image is 6.4.0-150700.53.40.1).

CVE-2026-42307 Severity: Moderate CVSS3 score: None

Description: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

Packages affected:

sle-module-basesystem-release == 15.7 (version in image is 15.7-150700.28.1).
vim > 0-0 (version in image is 9.2.0280-150500.20.46.1).

CVE scan

Summary of CVEs affecting the image: