{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Critical" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"kernel security update", "category":"general", "title":"Synopsis" }, { "text":"An update for kernel is now available for openEuler-20.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.(CVE-2026-31504)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n \n skb_over_panic net/core/skbuff.c:219 [inline]\n skb_put+0x159/0x210 net/core/skbuff.c:2655\n skb_put_zero include/linux/skbuff.h:2788 [inline]\n set_ipsecrequest net/key/af_key.c:3532 [inline]\n pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n mapped-v4 example(CVE-2026-31630)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built.(CVE-2026-31673)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.(CVE-2026-31674)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.(CVE-2026-31682)\n\nIn the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284)", "category":"general", "title":"Description" }, { "text":"An update for kernel is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Critical", "category":"general", "title":"Severity" }, { "text":"kernel", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-2310", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" }, { "summary":"CVE-2026-31504", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31504&packageName=kernel" }, { "summary":"CVE-2026-31515", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31515&packageName=kernel" }, { "summary":"CVE-2026-31630", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31630&packageName=kernel" }, { "summary":"CVE-2026-31673", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31673&packageName=kernel" }, { "summary":"CVE-2026-31674", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31674&packageName=kernel" }, { "summary":"CVE-2026-31682", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31682&packageName=kernel" }, { "summary":"CVE-2026-43284", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43284&packageName=kernel" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31504" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31515" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31630" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31673" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31674" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31682" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43284" }, { "summary":"openEuler-SA-2026-2310 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2310.json" } ], "title":"An update for kernel is now available for openEuler-20.03-LTS-SP4", "tracking":{ "initial_release_date":"2026-05-15T22:04:07+08:00", "revision_history":[ { "date":"2026-05-15T22:04:07+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-05-15T22:04:07+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-05-15T22:04:07+08:00", "id":"openEuler-SA-2026-2310", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm" }, "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm" }, "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.src.rpm", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.src.rpm" }, "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "name":"python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.src", "name":"kernel-4.19.90-2605.3.0.0372.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-31504", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:bpftool-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:bpftool-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:bpftool-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-debugsource-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-source-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-tools-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-tools-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-tools-devel-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:python2-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:python2-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:python3-perf-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:python3-perf-debuginfo-4.19.90-2605.3.0.0372.oe2003sp4.x86_64", "openEuler-20.03-LTS-SP4:kernel-4.19.90-2605.3.0.0372.oe2003sp4.src" ] }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-31504" }, { "cve":"CVE-2026-31515", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n \n skb_over_panic net/core/skbuff.c:219 [inline]\n skb_put+0x159/0x210 net/core/skbuff.c:2655\n skb_put_zero include/linux/skbuff.h:2788 [inline]\n set_ipsecrequest net/key/af_key.c:3532 [inline]\n pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.5, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-31515" }, { "cve":"CVE-2026-31630", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n mapped-v4 example", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-31630" }, { "cve":"CVE-2026-31673", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-31673" }, { "cve":"CVE-2026-31674", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.1, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-31674" }, { "cve":"CVE-2026-31682", "notes":[ { "text":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"CRITICAL", "baseScore":9.1, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"Critical", "category":"impact" } ], "title":"CVE-2026-31682" }, { "cve":"CVE-2026-43284", "notes":[ { "text":"In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"} }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"kernel security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2310" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":8.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-43284" } ] }