SUSE-SU-2026:1185-1
Vulnerability from csaf_suse - Published: 2026-04-03 16:41 - Updated: 2026-04-03 16:41Summary
Security update for the Linux Kernel RT (Live Patch 5 for SUSE Linux Enterprise 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 5 for SUSE Linux Enterprise 15 SP7)
Description of the patch:
This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.19 fixes various security issues
The following security issues were fixed:
- CVE-2025-39973: i40e: add validation for ring_len param (bsc#1252036).
- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1252689).
- CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253404).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256780).
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257238).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1258051).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258183).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258784).
Patchnames: SUSE-2026-1185,SUSE-SLE-Module-Live-Patching-15-SP7-2026-1185
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 5 for SUSE Linux Enterprise 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.19 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2025-39973: i40e: add validation for ring_len param (bsc#1252036).\n- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1252689).\n- CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253404).\n- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256780).\n- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257238).\n- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1258051).\n- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258183).\n- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258784).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1185,SUSE-SLE-Module-Live-Patching-15-SP7-2026-1185",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1185-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1185-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261185-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1185-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045275.html"
},
{
"category": "self",
"summary": "SUSE Bug 1252036",
"url": "https://bugzilla.suse.com/1252036"
},
{
"category": "self",
"summary": "SUSE Bug 1252689",
"url": "https://bugzilla.suse.com/1252689"
},
{
"category": "self",
"summary": "SUSE Bug 1253404",
"url": "https://bugzilla.suse.com/1253404"
},
{
"category": "self",
"summary": "SUSE Bug 1256780",
"url": "https://bugzilla.suse.com/1256780"
},
{
"category": "self",
"summary": "SUSE Bug 1257238",
"url": "https://bugzilla.suse.com/1257238"
},
{
"category": "self",
"summary": "SUSE Bug 1258051",
"url": "https://bugzilla.suse.com/1258051"
},
{
"category": "self",
"summary": "SUSE Bug 1258183",
"url": "https://bugzilla.suse.com/1258183"
},
{
"category": "self",
"summary": "SUSE Bug 1258784",
"url": "https://bugzilla.suse.com/1258784"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-39973 page",
"url": "https://www.suse.com/security/cve/CVE-2025-39973/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-40018 page",
"url": "https://www.suse.com/security/cve/CVE-2025-40018/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-40159 page",
"url": "https://www.suse.com/security/cve/CVE-2025-40159/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-71120 page",
"url": "https://www.suse.com/security/cve/CVE-2025-71120/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-22999 page",
"url": "https://www.suse.com/security/cve/CVE-2026-22999/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-23074 page",
"url": "https://www.suse.com/security/cve/CVE-2026-23074/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-23111 page",
"url": "https://www.suse.com/security/cve/CVE-2026-23111/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-23209 page",
"url": "https://www.suse.com/security/cve/CVE-2026-23209/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 5 for SUSE Linux Enterprise 15 SP7)",
"tracking": {
"current_release_date": "2026-04-03T16:41:59Z",
"generator": {
"date": "2026-04-03T16:41:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1185-1",
"initial_release_date": "2026-04-03T16:41:59Z",
"revision_history": [
{
"date": "2026-04-03T16:41:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-39973",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-39973"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: add validation for ring_len param\n\nThe `ring_len` parameter provided by the virtual function (VF)\nis assigned directly to the hardware memory context (HMC) without\nany validation.\n\nTo address this, introduce an upper boundary check for both Tx and Rx\nqueue lengths. The maximum number of descriptors supported by the\nhardware is 8k-32.\nAdditionally, enforce alignment constraints: Tx rings must be a multiple\nof 8, and Rx rings must be a multiple of 32.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-39973",
"url": "https://www.suse.com/security/cve/CVE-2025-39973"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-39973",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1252035 for CVE-2025-39973",
"url": "https://bugzilla.suse.com/1252035"
},
{
"category": "external",
"summary": "SUSE Bug 1252036 for CVE-2025-39973",
"url": "https://bugzilla.suse.com/1252036"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2025-39973"
},
{
"cve": "CVE-2025-40018",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-40018"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp-\u003eapp pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-40018",
"url": "https://www.suse.com/security/cve/CVE-2025-40018"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-40018",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1252688 for CVE-2025-40018",
"url": "https://bugzilla.suse.com/1252688"
},
{
"category": "external",
"summary": "SUSE Bug 1252689 for CVE-2025-40018",
"url": "https://bugzilla.suse.com/1252689"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-40018",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2025-40018"
},
{
"cve": "CVE-2025-40159",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-40159"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Harden userspace-supplied xdp_desc validation\n\nTurned out certain clearly invalid values passed in xdp_desc from\nuserspace can pass xp_{,un}aligned_validate_desc() and then lead\nto UBs or just invalid frames to be queued for xmit.\n\ndesc-\u003elen close to ``U32_MAX`` with a non-zero pool-\u003etx_metadata_len\ncan cause positive integer overflow and wraparound, the same way low\nenough desc-\u003eaddr with a non-zero pool-\u003etx_metadata_len can cause\nnegative integer overflow. Both scenarios can then pass the\nvalidation successfully.\nThis doesn\u0027t happen with valid XSk applications, but can be used\nto perform attacks.\n\nAlways promote desc-\u003elen to ``u64`` first to exclude positive\noverflows of it. Use explicit check_{add,sub}_overflow() when\nvalidating desc-\u003eaddr (which is ``u64`` already).\n\nbloat-o-meter reports a little growth of the code size:\n\nadd/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)\nFunction old new delta\nxskq_cons_peek_desc 299 330 +31\nxsk_tx_peek_release_desc_batch 973 1002 +29\nxsk_generic_xmit 3148 3132 -16\n\nbut hopefully this doesn\u0027t hurt the performance much.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-40159",
"url": "https://www.suse.com/security/cve/CVE-2025-40159"
},
{
"category": "external",
"summary": "SUSE Bug 1253403 for CVE-2025-40159",
"url": "https://bugzilla.suse.com/1253403"
},
{
"category": "external",
"summary": "SUSE Bug 1253404 for CVE-2025-40159",
"url": "https://bugzilla.suse.com/1253404"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2025-40159"
},
{
"cve": "CVE-2025-71120",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-71120"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-71120",
"url": "https://www.suse.com/security/cve/CVE-2025-71120"
},
{
"category": "external",
"summary": "SUSE Bug 1256779 for CVE-2025-71120",
"url": "https://bugzilla.suse.com/1256779"
},
{
"category": "external",
"summary": "SUSE Bug 1256780 for CVE-2025-71120",
"url": "https://bugzilla.suse.com/1256780"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2025-71120"
},
{
"cve": "CVE-2026-22999",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-22999"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-22999",
"url": "https://www.suse.com/security/cve/CVE-2026-22999"
},
{
"category": "external",
"summary": "SUSE Bug 1257236 for CVE-2026-22999",
"url": "https://bugzilla.suse.com/1257236"
},
{
"category": "external",
"summary": "SUSE Bug 1257238 for CVE-2026-22999",
"url": "https://bugzilla.suse.com/1257238"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2026-22999"
},
{
"cve": "CVE-2026-23074",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-23074"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n \u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql\u0027s enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql\u0027s\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2\u0027s lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc\u0027s\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem\u0027s delay), a dangling pointer is\naccessed causing GangMin\u0027s causing a UAF.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-23074",
"url": "https://www.suse.com/security/cve/CVE-2026-23074"
},
{
"category": "external",
"summary": "SUSE Bug 1257749 for CVE-2026-23074",
"url": "https://bugzilla.suse.com/1257749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2026-23074"
},
{
"cve": "CVE-2026-23111",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-23111"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-23111",
"url": "https://www.suse.com/security/cve/CVE-2026-23111"
},
{
"category": "external",
"summary": "SUSE Bug 1258181 for CVE-2026-23111",
"url": "https://bugzilla.suse.com/1258181"
},
{
"category": "external",
"summary": "SUSE Bug 1258183 for CVE-2026-23111",
"url": "https://bugzilla.suse.com/1258183"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2026-23111"
},
{
"cve": "CVE-2026-23209",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-23209"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-23209",
"url": "https://www.suse.com/security/cve/CVE-2026-23209"
},
{
"category": "external",
"summary": "SUSE Bug 1258518 for CVE-2026-23209",
"url": "https://bugzilla.suse.com/1258518"
},
{
"category": "external",
"summary": "SUSE Bug 1258784 for CVE-2026-23209",
"url": "https://bugzilla.suse.com/1258784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_19-rt-5-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-03T16:41:59Z",
"details": "important"
}
],
"title": "CVE-2026-23209"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…