<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for the Linux Kernel</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2026:0369-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-02-03T13:42:47Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2026-02-03T13:42:47Z</InitialReleaseDate>
    <CurrentReleaseDate>2026-02-03T13:42:47Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for the Linux Kernel</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security issues.

The following security issues were fixed:

- CVE-2022-50282: chardev: fix error handling in cdev_device_add() (bsc#1249739).
- CVE-2022-50630: mm: hugetlb: fix UAF in hugetlb_handle_userfault (bsc#1254785).
- CVE-2022-50700: wifi: ath10k: Delay the unmapping of the buffer (bsc#1255576).
- CVE-2022-50717: nvmet-tcp: add bounds check on Transfer Tag (bsc#1255844).
- CVE-2022-50726: net/mlx5: Fix possible use-after-free in async command interface (bsc#1256040).
- CVE-2022-50736: RDMA/siw: Fix immediate work request flush to completion queue (bsc#1256137).
- CVE-2022-50756: nvme-core: replace ctrl page size with a macro (bsc#1256216).
- CVE-2023-53215: sched/fair: Don't balance task to its current running CPU (bsc#1250397).
- CVE-2023-53254: cacheinfo: Fix shared_cpu_map to handle shared caches at different levels (bsc#1249871).
- CVE-2023-53761: USB: usbtmc: Fix direction for 0-length ioctl control messages (bsc#1255002).
- CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254751).
- CVE-2023-54142: gtp: Fix use-after-free in __gtp_encap_destroy() (bsc#1256095).
- CVE-2023-54168: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (bsc#1256053).
- CVE-2023-54243: netfilter: ebtables: fix table blob use-after-free (bsc#1255908).
- CVE-2025-38068: crypto: lzo - Fix compression buffer overrun (bsc#1245210).
- CVE-2025-38159: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (bsc#1245751).
- CVE-2025-40019: crypto: essiv - Check ssize for decryption and in-place encryption (bsc#1252678).
- CVE-2025-40215: kABI: xfrm: delete x-&gt;tunnel as we delete x (bsc#1254959).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40277: drm/vmwgfx: Validate command header size against (bsc#1254894).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256641).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256779).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">Container suse/sle-micro-rancher/5.2:latest-2026-369,SUSE-2026-369,SUSE-SUSE-MicroOS-5.2-2026-369</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      <Description>Link for SUSE-SU-2026:0369-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-security-updates/2026-February/024037.html</URL>
      <Description>E-Mail link for SUSE-SU-2026:0369-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1065729</URL>
      <Description>SUSE Bug 1065729</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1196823</URL>
      <Description>SUSE Bug 1196823</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1204957</URL>
      <Description>SUSE Bug 1204957</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1206889</URL>
      <Description>SUSE Bug 1206889</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1207051</URL>
      <Description>SUSE Bug 1207051</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1207088</URL>
      <Description>SUSE Bug 1207088</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1207653</URL>
      <Description>SUSE Bug 1207653</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1209799</URL>
      <Description>SUSE Bug 1209799</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1213653</URL>
      <Description>SUSE Bug 1213653</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1213969</URL>
      <Description>SUSE Bug 1213969</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1225109</URL>
      <Description>SUSE Bug 1225109</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1228015</URL>
      <Description>SUSE Bug 1228015</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245210</URL>
      <Description>SUSE Bug 1245210</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245751</URL>
      <Description>SUSE Bug 1245751</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1249739</URL>
      <Description>SUSE Bug 1249739</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1249871</URL>
      <Description>SUSE Bug 1249871</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1250397</URL>
      <Description>SUSE Bug 1250397</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1252678</URL>
      <Description>SUSE Bug 1252678</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254520</URL>
      <Description>SUSE Bug 1254520</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254592</URL>
      <Description>SUSE Bug 1254592</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254614</URL>
      <Description>SUSE Bug 1254614</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254615</URL>
      <Description>SUSE Bug 1254615</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254632</URL>
      <Description>SUSE Bug 1254632</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254634</URL>
      <Description>SUSE Bug 1254634</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254686</URL>
      <Description>SUSE Bug 1254686</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254711</URL>
      <Description>SUSE Bug 1254711</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254751</URL>
      <Description>SUSE Bug 1254751</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254763</URL>
      <Description>SUSE Bug 1254763</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254775</URL>
      <Description>SUSE Bug 1254775</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254785</URL>
      <Description>SUSE Bug 1254785</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254792</URL>
      <Description>SUSE Bug 1254792</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254813</URL>
      <Description>SUSE Bug 1254813</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254847</URL>
      <Description>SUSE Bug 1254847</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254851</URL>
      <Description>SUSE Bug 1254851</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254894</URL>
      <Description>SUSE Bug 1254894</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254902</URL>
      <Description>SUSE Bug 1254902</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1254959</URL>
      <Description>SUSE Bug 1254959</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255002</URL>
      <Description>SUSE Bug 1255002</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255565</URL>
      <Description>SUSE Bug 1255565</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255576</URL>
      <Description>SUSE Bug 1255576</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255607</URL>
      <Description>SUSE Bug 1255607</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255609</URL>
      <Description>SUSE Bug 1255609</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255636</URL>
      <Description>SUSE Bug 1255636</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255844</URL>
      <Description>SUSE Bug 1255844</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255901</URL>
      <Description>SUSE Bug 1255901</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255908</URL>
      <Description>SUSE Bug 1255908</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255919</URL>
      <Description>SUSE Bug 1255919</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256040</URL>
      <Description>SUSE Bug 1256040</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256045</URL>
      <Description>SUSE Bug 1256045</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256048</URL>
      <Description>SUSE Bug 1256048</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256049</URL>
      <Description>SUSE Bug 1256049</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256053</URL>
      <Description>SUSE Bug 1256053</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256056</URL>
      <Description>SUSE Bug 1256056</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256064</URL>
      <Description>SUSE Bug 1256064</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256095</URL>
      <Description>SUSE Bug 1256095</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256127</URL>
      <Description>SUSE Bug 1256127</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256132</URL>
      <Description>SUSE Bug 1256132</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256136</URL>
      <Description>SUSE Bug 1256136</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256137</URL>
      <Description>SUSE Bug 1256137</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256143</URL>
      <Description>SUSE Bug 1256143</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256154</URL>
      <Description>SUSE Bug 1256154</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256165</URL>
      <Description>SUSE Bug 1256165</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256194</URL>
      <Description>SUSE Bug 1256194</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256203</URL>
      <Description>SUSE Bug 1256203</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256207</URL>
      <Description>SUSE Bug 1256207</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256208</URL>
      <Description>SUSE Bug 1256208</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256216</URL>
      <Description>SUSE Bug 1256216</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256230</URL>
      <Description>SUSE Bug 1256230</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256242</URL>
      <Description>SUSE Bug 1256242</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256248</URL>
      <Description>SUSE Bug 1256248</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256333</URL>
      <Description>SUSE Bug 1256333</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256344</URL>
      <Description>SUSE Bug 1256344</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256353</URL>
      <Description>SUSE Bug 1256353</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256426</URL>
      <Description>SUSE Bug 1256426</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256641</URL>
      <Description>SUSE Bug 1256641</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1256779</URL>
      <Description>SUSE Bug 1256779</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-0854/</URL>
      <Description>SUSE CVE CVE-2022-0854 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-48853/</URL>
      <Description>SUSE CVE CVE-2022-48853 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50282/</URL>
      <Description>SUSE CVE CVE-2022-50282 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50623/</URL>
      <Description>SUSE CVE CVE-2022-50623 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50630/</URL>
      <Description>SUSE CVE CVE-2022-50630 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50635/</URL>
      <Description>SUSE CVE CVE-2022-50635 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50640/</URL>
      <Description>SUSE CVE CVE-2022-50640 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50641/</URL>
      <Description>SUSE CVE CVE-2022-50641 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50644/</URL>
      <Description>SUSE CVE CVE-2022-50644 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50646/</URL>
      <Description>SUSE CVE CVE-2022-50646 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50649/</URL>
      <Description>SUSE CVE CVE-2022-50649 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50668/</URL>
      <Description>SUSE CVE CVE-2022-50668 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50671/</URL>
      <Description>SUSE CVE CVE-2022-50671 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50678/</URL>
      <Description>SUSE CVE CVE-2022-50678 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50700/</URL>
      <Description>SUSE CVE CVE-2022-50700 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50703/</URL>
      <Description>SUSE CVE CVE-2022-50703 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50709/</URL>
      <Description>SUSE CVE CVE-2022-50709 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50717/</URL>
      <Description>SUSE CVE CVE-2022-50717 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50726/</URL>
      <Description>SUSE CVE CVE-2022-50726 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50730/</URL>
      <Description>SUSE CVE CVE-2022-50730 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50731/</URL>
      <Description>SUSE CVE CVE-2022-50731 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50733/</URL>
      <Description>SUSE CVE CVE-2022-50733 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50736/</URL>
      <Description>SUSE CVE CVE-2022-50736 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50742/</URL>
      <Description>SUSE CVE CVE-2022-50742 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50744/</URL>
      <Description>SUSE CVE CVE-2022-50744 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50756/</URL>
      <Description>SUSE CVE CVE-2022-50756 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50758/</URL>
      <Description>SUSE CVE CVE-2022-50758 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50767/</URL>
      <Description>SUSE CVE CVE-2022-50767 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50814/</URL>
      <Description>SUSE CVE CVE-2022-50814 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50821/</URL>
      <Description>SUSE CVE CVE-2022-50821 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50823/</URL>
      <Description>SUSE CVE CVE-2022-50823 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50827/</URL>
      <Description>SUSE CVE CVE-2022-50827 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50828/</URL>
      <Description>SUSE CVE CVE-2022-50828 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50840/</URL>
      <Description>SUSE CVE CVE-2022-50840 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50843/</URL>
      <Description>SUSE CVE CVE-2022-50843 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50850/</URL>
      <Description>SUSE CVE CVE-2022-50850 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50870/</URL>
      <Description>SUSE CVE CVE-2022-50870 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50876/</URL>
      <Description>SUSE CVE CVE-2022-50876 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50880/</URL>
      <Description>SUSE CVE CVE-2022-50880 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50884/</URL>
      <Description>SUSE CVE CVE-2022-50884 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-50889/</URL>
      <Description>SUSE CVE CVE-2022-50889 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-23559/</URL>
      <Description>SUSE CVE CVE-2023-23559 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-4132/</URL>
      <Description>SUSE CVE CVE-2023-4132 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-53215/</URL>
      <Description>SUSE CVE CVE-2023-53215 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-53254/</URL>
      <Description>SUSE CVE CVE-2023-53254 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-53761/</URL>
      <Description>SUSE CVE CVE-2023-53761 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-53781/</URL>
      <Description>SUSE CVE CVE-2023-53781 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54019/</URL>
      <Description>SUSE CVE CVE-2023-54019 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54024/</URL>
      <Description>SUSE CVE CVE-2023-54024 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54110/</URL>
      <Description>SUSE CVE CVE-2023-54110 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54142/</URL>
      <Description>SUSE CVE CVE-2023-54142 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54168/</URL>
      <Description>SUSE CVE CVE-2023-54168 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54170/</URL>
      <Description>SUSE CVE CVE-2023-54170 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54242/</URL>
      <Description>SUSE CVE CVE-2023-54242 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54243/</URL>
      <Description>SUSE CVE CVE-2023-54243 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-54270/</URL>
      <Description>SUSE CVE CVE-2023-54270 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38068/</URL>
      <Description>SUSE CVE CVE-2025-38068 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38159/</URL>
      <Description>SUSE CVE CVE-2025-38159 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40019/</URL>
      <Description>SUSE CVE CVE-2025-40019 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40215/</URL>
      <Description>SUSE CVE CVE-2025-40215 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40220/</URL>
      <Description>SUSE CVE CVE-2025-40220 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40233/</URL>
      <Description>SUSE CVE CVE-2025-40233 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40256/</URL>
      <Description>SUSE CVE CVE-2025-40256 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40277/</URL>
      <Description>SUSE CVE CVE-2025-40277 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40280/</URL>
      <Description>SUSE CVE CVE-2025-40280 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-40331/</URL>
      <Description>SUSE CVE CVE-2025-40331 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-68813/</URL>
      <Description>SUSE CVE CVE-2025-68813 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-71120/</URL>
      <Description>SUSE CVE CVE-2025-71120 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="Container suse/sle-micro-rancher/5.2:latest">
      <Branch Type="Product Name" Name="Container suse/sle-micro-rancher/5.2:latest">
        <FullProductName ProductID="Container suse/sle-micro-rancher/5.2:latest">Container suse/sle-micro-rancher/5.2:latest</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Micro 5.2">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Micro 5.2">
        <FullProductName ProductID="SUSE Linux Enterprise Micro 5.2" CPE="cpe:/o:suse:suse-microos:5.2">SUSE Linux Enterprise Micro 5.2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-5.3.18-150300.59.232.1">kernel-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="cluster-md-kmp-64kb-5.3.18-150300.59.232.1">cluster-md-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="cluster-md-kmp-default-5.3.18-150300.59.232.1">cluster-md-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="cluster-md-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="cluster-md-kmp-preempt-5.3.18-150300.59.232.1">cluster-md-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dlm-kmp-64kb-5.3.18-150300.59.232.1">dlm-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dlm-kmp-default-5.3.18-150300.59.232.1">dlm-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dlm-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dlm-kmp-preempt-5.3.18-150300.59.232.1">dlm-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-al-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-al-5.3.18-150300.59.232.1">dtb-al-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-allwinner-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-allwinner-5.3.18-150300.59.232.1">dtb-allwinner-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-altera-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-altera-5.3.18-150300.59.232.1">dtb-altera-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-amd-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-amd-5.3.18-150300.59.232.1">dtb-amd-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-amlogic-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-amlogic-5.3.18-150300.59.232.1">dtb-amlogic-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-apm-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-apm-5.3.18-150300.59.232.1">dtb-apm-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-arm-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-arm-5.3.18-150300.59.232.1">dtb-arm-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-broadcom-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-broadcom-5.3.18-150300.59.232.1">dtb-broadcom-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-cavium-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-cavium-5.3.18-150300.59.232.1">dtb-cavium-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-exynos-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-exynos-5.3.18-150300.59.232.1">dtb-exynos-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-freescale-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-freescale-5.3.18-150300.59.232.1">dtb-freescale-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-hisilicon-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-hisilicon-5.3.18-150300.59.232.1">dtb-hisilicon-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-lg-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-lg-5.3.18-150300.59.232.1">dtb-lg-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-marvell-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-marvell-5.3.18-150300.59.232.1">dtb-marvell-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-mediatek-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-mediatek-5.3.18-150300.59.232.1">dtb-mediatek-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-nvidia-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-nvidia-5.3.18-150300.59.232.1">dtb-nvidia-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-qcom-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-qcom-5.3.18-150300.59.232.1">dtb-qcom-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-renesas-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-renesas-5.3.18-150300.59.232.1">dtb-renesas-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-rockchip-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-rockchip-5.3.18-150300.59.232.1">dtb-rockchip-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-socionext-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-socionext-5.3.18-150300.59.232.1">dtb-socionext-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-sprd-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-sprd-5.3.18-150300.59.232.1">dtb-sprd-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-xilinx-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-xilinx-5.3.18-150300.59.232.1">dtb-xilinx-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="dtb-zte-5.3.18-150300.59.232.1">
      <FullProductName ProductID="dtb-zte-5.3.18-150300.59.232.1">dtb-zte-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="gfs2-kmp-64kb-5.3.18-150300.59.232.1">gfs2-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="gfs2-kmp-default-5.3.18-150300.59.232.1">gfs2-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="gfs2-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="gfs2-kmp-preempt-5.3.18-150300.59.232.1">gfs2-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-64kb-5.3.18-150300.59.232.1">kernel-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-64kb-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-64kb-devel-5.3.18-150300.59.232.1">kernel-64kb-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-64kb-extra-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-64kb-extra-5.3.18-150300.59.232.1">kernel-64kb-extra-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-64kb-optional-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-64kb-optional-5.3.18-150300.59.232.1">kernel-64kb-optional-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1">
      <FullProductName ProductID="kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1">kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-base-rebuild-5.3.18-150300.59.232.1.150300.18.138.1">
      <FullProductName ProductID="kernel-default-base-rebuild-5.3.18-150300.59.232.1.150300.18.138.1">kernel-default-base-rebuild-5.3.18-150300.59.232.1.150300.18.138.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-devel-5.3.18-150300.59.232.1">kernel-default-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-extra-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-extra-5.3.18-150300.59.232.1">kernel-default-extra-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-livepatch-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-livepatch-5.3.18-150300.59.232.1">kernel-default-livepatch-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-livepatch-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-livepatch-devel-5.3.18-150300.59.232.1">kernel-default-livepatch-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-optional-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-default-optional-5.3.18-150300.59.232.1">kernel-default-optional-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-devel-5.3.18-150300.59.232.1">kernel-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-docs-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-docs-5.3.18-150300.59.232.1">kernel-docs-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-docs-html-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-docs-html-5.3.18-150300.59.232.1">kernel-docs-html-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-kvmsmall-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-kvmsmall-5.3.18-150300.59.232.1">kernel-kvmsmall-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-kvmsmall-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-kvmsmall-devel-5.3.18-150300.59.232.1">kernel-kvmsmall-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-macros-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-macros-5.3.18-150300.59.232.1">kernel-macros-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-obs-build-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-obs-build-5.3.18-150300.59.232.1">kernel-obs-build-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-obs-qa-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-obs-qa-5.3.18-150300.59.232.1">kernel-obs-qa-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-preempt-5.3.18-150300.59.232.1">kernel-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-preempt-devel-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-preempt-devel-5.3.18-150300.59.232.1">kernel-preempt-devel-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-preempt-extra-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-preempt-extra-5.3.18-150300.59.232.1">kernel-preempt-extra-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-preempt-optional-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-preempt-optional-5.3.18-150300.59.232.1">kernel-preempt-optional-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-source-5.3.18-150300.59.232.1">kernel-source-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-vanilla-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-source-vanilla-5.3.18-150300.59.232.1">kernel-source-vanilla-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-syms-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-syms-5.3.18-150300.59.232.1">kernel-syms-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-zfcpdump-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kernel-zfcpdump-5.3.18-150300.59.232.1">kernel-zfcpdump-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kselftests-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kselftests-kmp-64kb-5.3.18-150300.59.232.1">kselftests-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kselftests-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kselftests-kmp-default-5.3.18-150300.59.232.1">kselftests-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kselftests-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="kselftests-kmp-preempt-5.3.18-150300.59.232.1">kselftests-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="ocfs2-kmp-64kb-5.3.18-150300.59.232.1">ocfs2-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="ocfs2-kmp-default-5.3.18-150300.59.232.1">ocfs2-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="ocfs2-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="ocfs2-kmp-preempt-5.3.18-150300.59.232.1">ocfs2-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="reiserfs-kmp-64kb-5.3.18-150300.59.232.1">
      <FullProductName ProductID="reiserfs-kmp-64kb-5.3.18-150300.59.232.1">reiserfs-kmp-64kb-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="reiserfs-kmp-default-5.3.18-150300.59.232.1">
      <FullProductName ProductID="reiserfs-kmp-default-5.3.18-150300.59.232.1">reiserfs-kmp-default-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="reiserfs-kmp-preempt-5.3.18-150300.59.232.1">
      <FullProductName ProductID="reiserfs-kmp-preempt-5.3.18-150300.59.232.1">reiserfs-kmp-preempt-5.3.18-150300.59.232.1</FullProductName>
    </Branch>
    <Relationship ProductReference="kernel-default-5.3.18-150300.59.232.1" RelationType="Default Component Of" RelatesToProductReference="Container suse/sle-micro-rancher/5.2:latest">
      <FullProductName ProductID="Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1">kernel-default-5.3.18-150300.59.232.1 as a component of Container suse/sle-micro-rancher/5.2:latest</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-5.3.18-150300.59.232.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.2">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1">kernel-default-5.3.18-150300.59.232.1 as a component of SUSE Linux Enterprise Micro 5.2</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Micro 5.2">
      <FullProductName ProductID="SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1">kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1 as a component of SUSE Linux Enterprise Micro 5.2</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A memory leak flaw was found in the Linux kernel's DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.</Note>
    </Notes>
    <CVE>CVE-2022-0854</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>2.1</BaseScore>
        <Vector>AV:L/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-0854.html</URL>
        <Description>CVE-2022-0854</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1196823</URL>
        <Description>SUSE Bug 1196823</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

swiotlb: fix info leak with DMA_FROM_DEVICE

The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.

A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
   interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
   and a corresponding dxferp. The peculiar thing about this is that TUR
   is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
   bounces the user-space buffer. As if the device was to transfer into
   it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in
   sg_build_indirect()") we make sure this first bounce buffer is
   allocated with GFP_ZERO.
3) For the rest of the story we keep ignoring that we have a TUR, so the
   device won't touch the buffer we prepare as if we had a
   DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device
   and the buffer allocated by SG is mapped by the function
   virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here
   scatter-gather and not scsi generics). This mapping involves bouncing
   via the swiotlb (we need swiotlb to do virtio in protected guest like
   s390 Secure Execution, or AMD SEV).
4) When the SCSI TUR is done, we first copy back the content of the second
   (that is swiotlb) bounce buffer (which most likely contains some
   previous IO data), to the first bounce buffer, which contains all
   zeros.  Then we copy back the content of the first bounce buffer to
   the user-space buffer.
5) The test case detects that the buffer, which it zero-initialized,
  ain't all zeros and fails.

One can argue that this is an swiotlb problem, because without swiotlb
we leak all zeros, and the swiotlb should be transparent in a sense that
it does not affect the outcome (if all other participants are well
behaved).

Copying the content of the original buffer into the swiotlb buffer is
the only way I can think of to make swiotlb transparent in such
scenarios. So let's do just that if in doubt, but allow the driver
to tell us that the whole mapped buffer is going to be overwritten,
in which case we can preserve the old behavior and avoid the performance
impact of the extra bounce.</Note>
    </Notes>
    <CVE>CVE-2022-48853</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-48853.html</URL>
        <Description>CVE-2022-48853</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1228015</URL>
        <Description>SUSE Bug 1228015</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

chardev: fix error handling in cdev_device_add()

While doing fault injection test, I got the following report:

------------[ cut here ]------------
kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0
CPU: 3 PID: 6306 Comm: 283 Tainted: G        W          6.1.0-rc2-00005-g307c1086d7c9 #1253
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kobject_put+0x23d/0x4e0
Call Trace:
 &lt;TASK&gt;
 cdev_device_add+0x15e/0x1b0
 __iio_device_register+0x13b4/0x1af0 [industrialio]
 __devm_iio_device_register+0x22/0x90 [industrialio]
 max517_probe+0x3d8/0x6b4 [max517]
 i2c_device_probe+0xa81/0xc00

When device_add() is injected fault and returns error, if dev-&gt;devt is not set,
cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev-&gt;devt
in error path.</Note>
    </Notes>
    <CVE>CVE-2022-50282</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50282.html</URL>
        <Description>CVE-2022-50282</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1249739</URL>
        <Description>SUSE Bug 1249739</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1249764</URL>
        <Description>SUSE Bug 1249764</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()

The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit
systems leading to memory corruption.  Use array_size() to fix that.</Note>
    </Notes>
    <CVE>CVE-2022-50623</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50623.html</URL>
        <Description>CVE-2022-50623</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254792</URL>
        <Description>SUSE Bug 1254792</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mm: hugetlb: fix UAF in hugetlb_handle_userfault

The vma_lock and hugetlb_fault_mutex are dropped before handling userfault
and reacquire them again after handle_userfault(), but reacquire the
vma_lock could lead to UAF[1,2] due to the following race,

hugetlb_fault
  hugetlb_no_page
    /*unlock vma_lock */
    hugetlb_handle_userfault
      handle_userfault
        /* unlock mm-&gt;mmap_lock*/
                                           vm_mmap_pgoff
                                             do_mmap
                                               mmap_region
                                                 munmap_vma_range
                                                   /* clean old vma */
        /* lock vma_lock again  &lt;--- UAF */
    /* unlock vma_lock */

Since the vma_lock will unlock immediately after
hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in
hugetlb_handle_userfault() to fix the issue.

[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/
[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/</Note>
    </Notes>
    <CVE>CVE-2022-50630</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50630.html</URL>
        <Description>CVE-2022-50630</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254785</URL>
        <Description>SUSE Bug 1254785</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()

I found a null pointer reference in arch_prepare_kprobe():

  # echo 'p cmdline_proc_show' &gt; kprobe_events
  # echo 'p cmdline_proc_show+16' &gt;&gt; kprobe_events
  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
  BUG: Kernel NULL pointer dereference on read at 0x00000000
  Faulting instruction address: 0xc000000000050bfc
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in:
  CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
  NIP:  c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
  REGS: c0000000348475b0 TRAP: 0300   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)
  MSR:  9000000000009033 &lt;SF,HV,EE,ME,IR,DR,RI,LE&gt;  CR: 88002444  XER: 20040006
  CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
  ...
  NIP arch_prepare_kprobe+0x10c/0x2d0
  LR  arch_prepare_kprobe+0xfc/0x2d0
  Call Trace:
    0xc0000000012f77a0 (unreliable)
    register_kprobe+0x3c0/0x7a0
    __register_trace_kprobe+0x140/0x1a0
    __trace_kprobe_create+0x794/0x1040
    trace_probe_create+0xc4/0xe0
    create_or_delete_trace_kprobe+0x2c/0x80
    trace_parse_run_command+0xf0/0x210
    probes_write+0x20/0x40
    vfs_write+0xfc/0x450
    ksys_write+0x84/0x140
    system_call_exception+0x17c/0x3a0
    system_call_vectored_common+0xe8/0x278
  --- interrupt: 3000 at 0x7fffa5682de0
  NIP:  00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
  REGS: c000000034847e80 TRAP: 3000   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)
  MSR:  900000000280f033 &lt;SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE&gt;  CR: 44002408  XER: 00000000

The address being probed has some special:

  cmdline_proc_show: Probe based on ftrace
  cmdline_proc_show+16: Probe for the next instruction at the ftrace location

The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
set to NULL. In arch_prepare_kprobe() it will check for:

  ...
  prev = get_kprobe(p-&gt;addr - 1);
  preempt_enable_no_resched();
  if (prev &amp;&amp; ppc_inst_prefixed(ppc_inst_read(prev-&gt;ainsn.insn))) {
  ...

If prev is based on ftrace, 'ppc_inst_read(prev-&gt;ainsn.insn)' will occur
with a null pointer reference. At this point prev-&gt;addr will not be a
prefixed instruction, so the check can be skipped.

Check if prev is ftrace-based kprobe before reading 'prev-&gt;ainsn.insn'
to fix this problem.

[mpe: Trim oops]</Note>
    </Notes>
    <CVE>CVE-2022-50635</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50635.html</URL>
        <Description>CVE-2022-50635</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254592</URL>
        <Description>SUSE Bug 1254592</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="7">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

mmc: core: Fix kernel panic when remove non-standard SDIO card

SDIO tuple is only allocated for standard SDIO card, especially it causes
memory corruption issues when the non-standard SDIO card has been removed, which
is because the card device's reference counter does not increase for it at
sdio_init_func(), but all SDIO card device reference counter gets decreased
at sdio_release_func().</Note>
    </Notes>
    <CVE>CVE-2022-50640</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50640.html</URL>
        <Description>CVE-2022-50640</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254686</URL>
        <Description>SUSE Bug 1254686</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="8">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HSI: omap_ssi: Fix refcount leak in ssi_probe

When returning or breaking early from a
for_each_available_child_of_node() loop, we need to explicitly call
of_node_put() on the child node to possibly release the node.</Note>
    </Notes>
    <CVE>CVE-2022-50641</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50641.html</URL>
        <Description>CVE-2022-50641</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254614</URL>
        <Description>SUSE Bug 1254614</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="9">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe

pm_runtime_get_sync() will increment the pm usage counter.
Forgetting the put operation will result in a reference leak.
Add the missing pm_runtime_put_sync in some error paths.</Note>
    </Notes>
    <CVE>CVE-2022-50644</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50644.html</URL>
        <Description>CVE-2022-50644</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254632</URL>
        <Description>SUSE Bug 1254632</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="10">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: hpsa: Fix possible memory leak in hpsa_init_one()

The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in
hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to
clean1 directly, which frees h and leaks the h-&gt;reply_map.

Fix by calling hpda_free_ctlr_info() to release h-&gt;reply_map and h instead of
freeing h directly.</Note>
    </Notes>
    <CVE>CVE-2022-50646</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50646.html</URL>
        <Description>CVE-2022-50646</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254634</URL>
        <Description>SUSE Bug 1254634</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="11">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()

ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length
of 8, but the adp5061_chg_type array size is 4, so it may end up reading 4 elements
beyond the end of the adp5061_chg_type[] array.</Note>
    </Notes>
    <CVE>CVE-2022-50649</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50649.html</URL>
        <Description>CVE-2022-50649</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254775</URL>
        <Description>SUSE Bug 1254775</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="12">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: fix deadlock due to mbcache entry corruption

When manipulating xattr blocks, we can deadlock infinitely looping
inside ext4_xattr_block_set() where we constantly keep finding xattr
block for reuse in mbcache but we are unable to reuse it because its
reference count is too big. This happens because cache entry for the
xattr block is marked as reusable (e_reusable set) although its
reference count is too big. When this inconsistency happens, this
inconsistent state is kept indefinitely and so ext4_xattr_block_set()
keeps retrying indefinitely.

The inconsistent state is caused by non-atomic update of e_reusable bit.
e_reusable is part of a bitfield and e_reusable update can race with
update of e_referenced bit in the same bitfield resulting in loss of one
of the updates. Fix the problem by using atomic bitops instead.

This bug has been around for many years, but it became *much* easier
to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr
blocks").</Note>
    </Notes>
    <CVE>CVE-2022-50668</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50668.html</URL>
        <Description>CVE-2022-50668</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254763</URL>
        <Description>SUSE Bug 1254763</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="13">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix "kernel NULL pointer dereference" error

When rxe_queue_init in the function rxe_qp_init_req fails,
both qp-&gt;req.task.func and qp-&gt;req.task.arg are not initialized.

Because creation of the qp fails, the function rxe_create_qp will
call rxe_qp_do_cleanup to handle the allocated resources.

Before calling __rxe_do_task, both qp-&gt;req.task.func and
qp-&gt;req.task.arg should be checked.</Note>
    </Notes>
    <CVE>CVE-2022-50671</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50671.html</URL>
        <Description>CVE-2022-50671</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254711</URL>
        <Description>SUSE Bug 1254711</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="14">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix invalid address access when enabling SCAN log level

The variable i is changed when setting random MAC address and causes
invalid address access when printing the value of pi-&gt;reqs[i]-&gt;reqid.

We replace reqs index with ri to fix the issue.

[  136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[  136.737365] Mem abort info:
[  136.740172]   ESR = 0x96000004
[  136.743359]   Exception class = DABT (current EL), IL = 32 bits
[  136.749294]   SET = 0, FnV = 0
[  136.752481]   EA = 0, S1PTW = 0
[  136.755635] Data abort info:
[  136.758514]   ISV = 0, ISS = 0x00000004
[  136.762487]   CM = 0, WnR = 0
[  136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[  136.772265] [0000000000000000] pgd=0000000000000000
[  136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[  136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[  136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[  136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G           O      4.19.42-00001-g531a5f5 #1
[  136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[  136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[  136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[  136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[  136.911146] Call trace:
[  136.913623]  brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[  136.919658]  brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[  136.925430]  brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[  136.931636]  nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[  136.937298]  genl_rcv_msg+0x358/0x3f4
[  136.940960]  netlink_rcv_skb+0xb4/0x118
[  136.944795]  genl_rcv+0x34/0x48
[  136.947935]  netlink_unicast+0x264/0x300
[  136.951856]  netlink_sendmsg+0x2e4/0x33c
[  136.955781]  __sys_sendto+0x120/0x19c</Note>
    </Notes>
    <CVE>CVE-2022-50678</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50678.html</URL>
        <Description>CVE-2022-50678</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254902</URL>
        <Description>SUSE Bug 1254902</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="15">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: Delay the unmapping of the buffer

On WCN3990, we are seeing a rare scenario where copy engine hardware is
sending a copy complete interrupt to the host driver while still
processing the buffer that the driver has sent, this is leading into an
SMMU fault triggering kernel panic. This is happening on copy engine
channel 3 (CE3) where the driver normally enqueues WMI commands to the
firmware. Upon receiving a copy complete interrupt, host driver will
immediately unmap and free the buffer presuming that hardware has
processed the buffer. In the issue case, upon receiving copy complete
interrupt, host driver will unmap and free the buffer but since hardware
is still accessing the buffer (which in this case got unmapped in
parallel), SMMU hardware will trigger an SMMU fault resulting in a
kernel panic.

In order to avoid this, as a work around, add a delay before unmapping
the copy engine source DMA buffer. This is conditionally done for
WCN3990 and only for the CE3 channel where issue is seen.

Below is the crash signature:

wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled
context fault: fsr=0x402, iova=0x7fdfd8ac0,
fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled
context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,
cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error
received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:
cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149
remoteproc remoteproc0: crash detected in
4080000.remoteproc: type fatal error &lt;3&gt; remoteproc remoteproc0:
handling crash #1 in 4080000.remoteproc

pc : __arm_lpae_unmap+0x500/0x514
lr : __arm_lpae_unmap+0x4bc/0x514
Call trace:
__arm_lpae_unmap+0x500/0x514
__arm_lpae_unmap+0x4bc/0x514
__arm_lpae_unmap+0x4bc/0x514
arm_lpae_unmap_pages+0x78/0xa4
arm_smmu_unmap_pages+0x78/0x104
__iommu_unmap+0xc8/0x1e4
iommu_unmap_fast+0x38/0x48
__iommu_dma_unmap+0x84/0x104
iommu_dma_free+0x34/0x50
dma_free_attrs+0xa4/0xd0
ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core]
ath10k_core_stop+0x64/0x7c [ath10k_core]
ath10k_halt+0x11c/0x180 [ath10k_core]
ath10k_stop+0x54/0x94 [ath10k_core]
drv_stop+0x48/0x1c8 [mac80211]
ieee80211_do_open+0x638/0x77c [mac80211]
ieee80211_open+0x48/0x5c [mac80211]
__dev_open+0xb4/0x174
__dev_change_flags+0xc4/0x1dc
dev_change_flags+0x3c/0x7c
devinet_ioctl+0x2b4/0x580
inet_ioctl+0xb0/0x1b4
sock_do_ioctl+0x4c/0x16c
compat_ifreq_ioctl+0x1cc/0x35c
compat_sock_ioctl+0x110/0x2ac
__arm64_compat_sys_ioctl+0xf4/0x3e0
el0_svc_common+0xb4/0x17c
el0_svc_compat_handler+0x2c/0x58
el0_svc_compat+0x8/0x2c

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1</Note>
    </Notes>
    <CVE>CVE-2022-50700</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50700.html</URL>
        <Description>CVE-2022-50700</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255576</URL>
        <Description>SUSE Bug 1255576</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255577</URL>
        <Description>SUSE Bug 1255577</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="16">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()

There are two refcount leak bugs in qcom_smsm_probe():

(1) The 'local_node' is escaped out from for_each_child_of_node() as
the break of iteration, we should call of_node_put() for it in error
path or when it is not used anymore.
(2) The 'node' is escaped out from for_each_available_child_of_node()
as the 'goto', we should call of_node_put() for it in goto target.</Note>
    </Notes>
    <CVE>CVE-2022-50703</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50703.html</URL>
        <Description>CVE-2022-50703</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255607</URL>
        <Description>SUSE Bug 1255607</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="17">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()

syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.

Since the bytes accessed by ath9k_htc_rx_msg() are not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len &gt; 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().

We have two choices. One is to work around it by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.

Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.</Note>
    </Notes>
    <CVE>CVE-2022-50709</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50709.html</URL>
        <Description>CVE-2022-50709</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255565</URL>
        <Description>SUSE Bug 1255565</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="18">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: add bounds check on Transfer Tag

ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),
add a bounds check to avoid out-of-bounds access.</Note>
    </Notes>
    <CVE>CVE-2022-50717</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50717.html</URL>
        <Description>CVE-2022-50717</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255844</URL>
        <Description>SUSE Bug 1255844</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255845</URL>
        <Description>SUSE Bug 1255845</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="19">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix possible use-after-free in async command interface

mlx5_cmd_cleanup_async_ctx should return only after all its callback
handlers were completed. Before this patch, the below race between
mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and
led to a use-after-free:

1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.
   elevated by 1, a single inflight callback).
2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and
   is about to call wake_up().
4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns
   immediately as the condition (num_inflight == 0) holds.
5. mlx5_cmd_cleanup_async_ctx returns.
6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx
   object.
7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed
   object.

Fix it by syncing using a completion object. Mark it completed when
num_inflight reaches 0.

Trace:

BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270
Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0

CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 &lt;IRQ&gt;
 dump_stack_lvl+0x57/0x7d
 print_report.cold+0x2d5/0x684
 ? do_raw_spin_lock+0x23d/0x270
 kasan_report+0xb1/0x1a0
 ? do_raw_spin_lock+0x23d/0x270
 do_raw_spin_lock+0x23d/0x270
 ? rwlock_bug.part.0+0x90/0x90
 ? __delete_object+0xb8/0x100
 ? lock_downgrade+0x6e0/0x6e0
 _raw_spin_lock_irqsave+0x43/0x60
 ? __wake_up_common_lock+0xb9/0x140
 __wake_up_common_lock+0xb9/0x140
 ? __wake_up_common+0x650/0x650
 ? destroy_tis_callback+0x53/0x70 [mlx5_core]
 ? kasan_set_track+0x21/0x30
 ? destroy_tis_callback+0x53/0x70 [mlx5_core]
 ? kfree+0x1ba/0x520
 ? do_raw_spin_unlock+0x54/0x220
 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]
 ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
 ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
 mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]
 ? dump_command+0xcc0/0xcc0 [mlx5_core]
 ? lockdep_hardirqs_on_prepare+0x400/0x400
 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
 cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
 atomic_notifier_call_chain+0xd7/0x1d0
 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]
 atomic_notifier_call_chain+0xd7/0x1d0
 ? irq_release+0x140/0x140 [mlx5_core]
 irq_int_handler+0x19/0x30 [mlx5_core]
 __handle_irq_event_percpu+0x1f2/0x620
 handle_irq_event+0xb2/0x1d0
 handle_edge_irq+0x21e/0xb00
 __common_interrupt+0x79/0x1a0
 common_interrupt+0x78/0xa0
 &lt;/IRQ&gt;
 &lt;TASK&gt;
 asm_common_interrupt+0x22/0x40
RIP: 0010:default_idle+0x42/0x60
 ? default_idle_call+0xcc/0x450
 default_idle_call+0xec/0x450
 do_idle+0x394/0x450
 ? arch_cpu_idle_exit+0x40/0x40
 ? do_idle+0x17/0x450
 cpu_startup_entry+0x19/0x20
 start_secondary+0x221/0x2b0
 ? set_cpu_sibling_map+0x2070/0x2070
 secondary_startup_64_no_verify+0xcd/0xdb
 &lt;/TASK&gt;

Allocated by task 49502:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 kvmalloc_node+0x48/0xe0
 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]
 mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]
 mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]
 mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]
 mlx5e_detach_netdev+0x1c
---truncated---</Note>
    </Notes>
    <CVE>CVE-2022-50726</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50726.html</URL>
        <Description>CVE-2022-50726</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256040</URL>
        <Description>SUSE Bug 1256040</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256255</URL>
        <Description>SUSE Bug 1256255</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="20">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: silence the warning when evicting inode with dioread_nolock

When evicting an inode with default dioread_nolock, it could be raced by
the unwritten extents converting kworker after writeback of some newly
allocated dirty blocks. It converts unwritten extents to written, the
extents could be merged to the upper level and free extent blocks, so it
could mark the inode dirty again even if this inode has been marked
I_FREEING. But the inode-&gt;i_io_list check and warning in
ext4_evict_inode() miss this corner case. Fortunately,
ext4_evict_inode() will wait for all extents converting to finish before
this check, so it will not lead to an inode use-after-free problem;
everything is OK besides this warning. The WARN_ON_ONCE was originally
designed for finding inode use-after-free issues in advance, but if we add
the current dioread_nolock case in, it will become not quite useful, so fix
this warning by just removing this check.

 ======
 WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
 ext4_evict_inode+0x875/0xc60
 ...
 RIP: 0010:ext4_evict_inode+0x875/0xc60
 ...
 Call Trace:
  &lt;TASK&gt;
  evict+0x11c/0x2b0
  iput+0x236/0x3a0
  do_unlinkat+0x1b4/0x490
  __x64_sys_unlinkat+0x4c/0xb0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
 RIP: 0033:0x7fa933c1115b
 ======

rm                          kworker
                            ext4_end_io_end()
vfs_unlink()
 ext4_unlink()
                             ext4_convert_unwritten_io_end_vec()
                              ext4_convert_unwritten_extents()
                               ext4_map_blocks()
                                ext4_ext_map_blocks()
                                 ext4_ext_try_to_merge_up()
                                  __mark_inode_dirty()
                                   check !I_FREEING
                                   locked_inode_to_wb_and_lock_list()
 iput()
  iput_final()
   evict()
    ext4_evict_inode()
     truncate_inode_pages_final() //wait release io_end
                                    inode_io_list_move_locked()
                             ext4_release_io_end()
     trigger WARN_ON_ONCE()</Note>
    </Notes>
    <CVE>CVE-2022-50730</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50730.html</URL>
        <Description>CVE-2022-50730</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256048</URL>
        <Description>SUSE Bug 1256048</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="21">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: akcipher - default implementation for setting a private key

Changes from v1:
  * removed the default implementation from set_pub_key: it is assumed that
    an implementation must always have this callback defined as there is
    no use case for an algorithm which doesn't need a public key

Many akcipher implementations (like ECDSA) support only signature
verifications, so they don't have all callbacks defined.

Commit 78a0324f4a53 ("crypto: akcipher - default implementations for
request callbacks") introduced default callbacks for sign/verify
operations, which just return an error code.

However, these are not enough, because before calling sign the caller would
likely call set_priv_key first on the instantiated transform (as the
in-kernel testmgr does). This function does not have a default stub, so the
kernel crashes when trying to set a private key on an akcipher which
doesn't support signature generation.

I've noticed this when trying to add a KAT vector for ECDSA signature to
the testmgr.

With this patch the testmgr returns an error in dmesg (as it should)
instead of crashing the kernel with a NULL ptr dereference.</Note>
    </Notes>
    <CVE>CVE-2022-50731</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50731.html</URL>
        <Description>CVE-2022-50731</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256049</URL>
        <Description>SUSE Bug 1256049</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="22">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: idmouse: fix an uninit-value in idmouse_open

In idmouse_create_image, if any ftip_command fails, it will
go to the reset label. However, this leaves the data in
bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
for a valid image incurs an uninitialized dereference.

Fix this by moving the check before the reset label, since this
check is only valid if the data after bulk_in_buffer[HEADER]
has concrete data.

Note that this is found by KMSAN, so only kernel compilation
is tested.</Note>
    </Notes>
    <CVE>CVE-2022-50733</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50733.html</URL>
        <Description>CVE-2022-50733</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256064</URL>
        <Description>SUSE Bug 1256064</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="23">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix immediate work request flush to completion queue

Correctly set send queue element opcode during immediate work request
flushing in post sendqueue operation, if the QP is in ERROR state.
An undefined opcode value results in out-of-bounds access to an array
for mapping the opcode between siw internal and RDMA core representation
in work completion generation. It resulted in a KASAN BUG report
of type 'global-out-of-bounds' during NFSoRDMA testing.

This patch further fixes a potential case of a malicious user which may
write undefined values for completion queue elements status or opcode,
if the CQ is memory mapped to user land. It avoids the same out-of-bounds
access to arrays for status and opcode mapping as described above.</Note>
    </Notes>
    <CVE>CVE-2022-50736</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50736.html</URL>
        <Description>CVE-2022-50736</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256137</URL>
        <Description>SUSE Bug 1256137</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256138</URL>
        <Description>SUSE Bug 1256138</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="24">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

misc: ocxl: fix possible refcount leak in afu_ioctl()

eventfd_ctx_put needs to be called to put the refcount that was gotten by
eventfd_ctx_fdget when ocxl_irq_set_handler fails.</Note>
    </Notes>
    <CVE>CVE-2022-50742</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50742.html</URL>
        <Description>CVE-2022-50742</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256143</URL>
        <Description>SUSE Bug 1256143</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="25">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs

During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a
hard lockup similar to the call trace below may occur.

The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer
interrupts as expected, so change the strength of the spin lock to _irq.

Kernel panic - not syncing: Hard LOCKUP
CPU: 3 PID: 110402 Comm: cat Kdump: loaded

exception RIP: native_queued_spin_lock_slowpath+91

[IRQ stack]
 native_queued_spin_lock_slowpath at ffffffffb814e30b
 _raw_spin_lock at ffffffffb89a667a
 lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]
 lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]
 __hrtimer_run_queues at ffffffffb8184250
 hrtimer_interrupt at ffffffffb8184ab0
 smp_apic_timer_interrupt at ffffffffb8a026ba
 apic_timer_interrupt at ffffffffb8a01c4f
[End of IRQ stack]

 apic_timer_interrupt at ffffffffb8a01c4f
 lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]
 lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]
 full_proxy_read at ffffffffb83e7fc3
 vfs_read at ffffffffb833fe71
 ksys_read at ffffffffb83402af
 do_syscall_64 at ffffffffb800430b
 entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad</Note>
    </Notes>
    <CVE>CVE-2022-50744</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50744.html</URL>
        <Description>CVE-2022-50744</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256165</URL>
        <Description>SUSE Bug 1256165</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="26">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: fix mempool alloc size

Convert the max size to bytes to match the units of the divisor that
calculates the worst-case number of PRP entries.

The result is used to determine how many PRP Lists are required. The
code was previously rounding this to 1 list, but we can require 2 in the
worst case. In that scenario, the driver would corrupt memory beyond the
size provided by the mempool.

While unlikely to occur (you'd need a 4MB in exactly 127 phys segments
on a queue that doesn't support SGLs), this memory corruption has been
observed by kfence.</Note>
    </Notes>
    <CVE>CVE-2022-50756</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50756.html</URL>
        <Description>CVE-2022-50756</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256216</URL>
        <Description>SUSE Bug 1256216</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256217</URL>
        <Description>SUSE Bug 1256217</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="27">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

staging: vt6655: fix potential memory leak

In function device_init_td0_ring, memory is allocated for member
td_info of priv-&gt;apTD0Rings[i], with i increasing from 0. In case of
allocation failure, the memory is freed in reversed order, with i
decreasing to 0. However, the case i=0 is left out and thus memory is
leaked.

Modify the memory freeing loop to include the case i=0.</Note>
    </Notes>
    <CVE>CVE-2022-50758</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50758.html</URL>
        <Description>CVE-2022-50758</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256207</URL>
        <Description>SUSE Bug 1256207</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="28">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: Fix several use-after-free bugs

Several types of UAFs can occur when physically removing a USB device.

Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and
in this function, there is kref_put() that finally calls ufx_free().

This fix prevents multiple UAFs.</Note>
    </Notes>
    <CVE>CVE-2022-50767</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50767.html</URL>
        <Description>CVE-2022-50767</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256426</URL>
        <Description>SUSE Bug 1256426</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="29">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr

KASAN reported this Bug:

	[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60
	[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958
	...
	[17619.698934] The buggy address belongs to the variable:
	[17619.708371]  sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]

There is a mismatch in hisi_zip when getting/setting the variable sgl_sge_nr.
The type of sgl_sge_nr is u16, and sgl_sge_nr is get/set by
param_get/set_int.

Replacing param_get/set_int with param_get/set_ushort can fix this bug.</Note>
    </Notes>
    <CVE>CVE-2022-50814</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50814.html</URL>
        <Description>CVE-2022-50814</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256248</URL>
        <Description>SUSE Bug 1256248</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="30">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails</Note>
    </Notes>
    <CVE>CVE-2022-50821</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50821.html</URL>
        <Description>CVE-2022-50821</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256242</URL>
        <Description>SUSE Bug 1256242</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="31">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

clk: tegra: Fix refcount leak in tegra114_clock_init

of_find_matching_node() returns a node pointer with refcount
incremented; we should use of_node_put() on it when it is not needed anymore.
Add missing of_node_put() to avoid refcount leak.</Note>
    </Notes>
    <CVE>CVE-2022-50823</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50823.html</URL>
        <Description>CVE-2022-50823</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256333</URL>
        <Description>SUSE Bug 1256333</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="32">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix memory leak in lpfc_create_port()

Commit 5e633302ace1 ("scsi: lpfc: vmid: Add support for VMID in mailbox
command") introduced allocations for the VMID resources in
lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the
VMID allocations, the new code would branch to the 'out' label, which
returns NULL without unwinding anything, thus skipping the call to
scsi_host_put().

Fix the problem by creating a separate label 'out_free_vmid' to unwind the
VMID resources and make the 'out_put_shost' label call only
scsi_host_put(), as was done before the introduction of allocations for
VMID.</Note>
    </Notes>
    <CVE>CVE-2022-50827</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50827.html</URL>
        <Description>CVE-2022-50827</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256344</URL>
        <Description>SUSE Bug 1256344</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="33">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

clk: zynqmp: Fix stack-out-of-bounds in strncpy

"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"

The Linux-ATF interface is using 16 bytes of SMC payload. In case the clock
name is longer than 15 bytes, the string-terminating NULL character will not
be received by Linux. Add an explicit NULL character at the last byte to fix
issues when the clock name is longer.

This fixes the below bug reported by KASAN:

 ==================================================================
 BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
 Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1

 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
 Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
 Call trace:
  dump_backtrace+0x0/0x1e8
  show_stack+0x14/0x20
  dump_stack+0xd4/0x108
  print_address_description.isra.0+0xbc/0x37c
  __kasan_report+0x144/0x198
  kasan_report+0xc/0x18
  __asan_load1+0x5c/0x68
  strncpy+0x30/0x68
  zynqmp_clock_probe+0x238/0x7b8
  platform_drv_probe+0x6c/0xc8
  really_probe+0x14c/0x418
  driver_probe_device+0x74/0x130
  __device_attach_driver+0xc4/0xe8
  bus_for_each_drv+0xec/0x150
  __device_attach+0x160/0x1d8
  device_initial_probe+0x10/0x18
  bus_probe_device+0xe0/0xf0
  device_add+0x528/0x950
  of_device_add+0x5c/0x80
  of_platform_device_create_pdata+0x120/0x168
  of_platform_bus_create+0x244/0x4e0
  of_platform_populate+0x50/0xe8
  zynqmp_firmware_probe+0x370/0x3a8
  platform_drv_probe+0x6c/0xc8
  really_probe+0x14c/0x418
  driver_probe_device+0x74/0x130
  device_driver_attach+0x94/0xa0
  __driver_attach+0x70/0x108
  bus_for_each_dev+0xe4/0x158
  driver_attach+0x30/0x40
  bus_add_driver+0x21c/0x2b8
  driver_register+0xbc/0x1d0
  __platform_driver_register+0x7c/0x88
  zynqmp_firmware_driver_init+0x1c/0x24
  do_one_initcall+0xa4/0x234
  kernel_init_freeable+0x1b0/0x24c
  kernel_init+0x10/0x110
  ret_from_fork+0x10/0x18

 The buggy address belongs to the page:
 page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
 raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff
 page dumped because: kasan: bad access detected

 addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
  zynqmp_clock_probe+0x0/0x7b8

 this frame has 3 objects:
  [32, 44) 'response'
  [64, 80) 'ret_payload'
  [96, 112) 'name'

 Memory state around the buggy address:
  ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
 &gt;ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
                          ^
  ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ==================================================================</Note>
    </Notes>
    <CVE>CVE-2022-50828</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50828.html</URL>
        <Description>CVE-2022-50828</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256230</URL>
        <Description>SUSE Bug 1256230</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="34">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: snic: Fix possible UAF in snic_tgt_create()

Smatch reports a warning as follows:

drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
  '&amp;tgt-&gt;list' not removed from list

If device_add() fails in snic_tgt_create(), tgt will be freed, but
tgt-&gt;list will not be removed from snic-&gt;disc.tgt_list, then list traversal
may cause UAF.

Remove from snic-&gt;disc.tgt_list before free().</Note>
    </Notes>
    <CVE>CVE-2022-50840</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50840.html</URL>
        <Description>CVE-2022-50840</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256208</URL>
        <Description>SUSE Bug 1256208</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="35">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm clone: Fix UAF in clone_dtr()

Dm_clone also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.

Therefore, cancel the timer again in clone_dtr().</Note>
    </Notes>
    <CVE>CVE-2022-50843</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50843.html</URL>
        <Description>CVE-2022-50843</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256203</URL>
        <Description>SUSE Bug 1256203</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="36">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

scsi: ipr: Fix WARNING in ipr_init()

ipr_init() will not call unregister_reboot_notifier() when
pci_register_driver() fails, which causes a WARNING. Call
unregister_reboot_notifier() when pci_register_driver() fails.

notifier callback ipr_halt [ipr] already registered
WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29
notifier_chain_register+0x16d/0x230
Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore
led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm
drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks
agpgart cfbft
CPU: 3 PID: 299 Comm: modprobe Tainted: G        W
6.1.0-rc1-00190-g39508d23b672-dirty #332
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:notifier_chain_register+0x16d/0x230
Call Trace:
 &lt;TASK&gt;
 __blocking_notifier_chain_register+0x73/0xb0
 ipr_init+0x30/0x1000 [ipr]
 do_one_initcall+0xdb/0x480
 do_init_module+0x1cf/0x680
 load_module+0x6a50/0x70a0
 __do_sys_finit_module+0x12f/0x1c0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd</Note>
    </Notes>
    <CVE>CVE-2022-50850</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50850.html</URL>
        <Description>CVE-2022-50850</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256194</URL>
        <Description>SUSE Bug 1256194</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="37">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: avoid device tree lookups in rtas_os_term()

rtas_os_term() is called during panic. Its behavior depends on a couple
of conditions in the /rtas node of the device tree, the traversal of
which entails locking and local IRQ state changes. If the kernel panics
while devtree_lock is held, rtas_os_term() as currently written could
hang.

Instead of discovering the relevant characteristics at panic time,
cache them in file-static variables at boot. Note the lookup for
"ibm,extended-os-term" is converted to of_property_read_bool() since it
is a boolean property, not an RTAS function token.

[mpe: Incorporate suggested change from Nick]</Note>
    </Notes>
    <CVE>CVE-2022-50870</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50870.html</URL>
        <Description>CVE-2022-50870</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256154</URL>
        <Description>SUSE Bug 1256154</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="38">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: musb: Fix musb_gadget.c rxstate overflow bug

The USB function device's call to musb_gadget_queue() adds the passed
request to musb_ep::req_list. If (request-&gt;length &gt; musb_ep-&gt;packet_sz)
and is_buffer_mapped(req) returns false, rxstate() will copy all data
in the FIFO to request-&gt;buf, which may cause an out-of-bounds access on request-&gt;buf.

Fix it by adding the length check:
fifocnt = min_t(unsigned, request-&gt;length - request-&gt;actual, fifocnt);</Note>
    </Notes>
    <CVE>CVE-2022-50876</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50876.html</URL>
        <Description>CVE-2022-50876</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256136</URL>
        <Description>SUSE Bug 1256136</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="39">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()

When peer delete fails in a disconnect operation, a use-after-free is
detected by KFENCE, as shown in the log below. This is because for each
vdev_id and address there is only one struct ath10k_peer, which is allocated
in ath10k_peer_map_event(). When connected to an AP, more than
one HTT_T2H_MSG_TYPE_PEER_MAP is reported from firmware, so multiple
elements of the array peer_map of struct ath10k are set to the
same ath10k_peer in ath10k_peer_map_event(). When peer delete fails
in ath10k_sta_state(), the ath10k_peer is freed for the 1st peer
id in array peer_map of struct ath10k, and then a use-after-free happens
for the 2nd peer id because they map to the same ath10k_peer.

And clean up all peers in array peer_map for the ath10k_peer, then
the use-after-free disappeared.

peer map event log:
[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e
[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33
[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246
[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198
[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166

peer unmap event log:
[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)
[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)
[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246
[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198
[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166

use-after-free log:
[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)
[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110
[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed
[21713.799968] ==================================================================
[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.799991]
[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):
[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]
[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]
[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]
[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]
[21713.800161]  genl_rcv_msg+0x38e/0x3be
[21713.800166]  netlink_rcv_skb+0x89/0xf7
[21713.800171]  genl_rcv+0x28/0x36
[21713.800176]  netlink_unicast+0x179/0x24b
[21713.800181]  netlink_sendmsg+0x3a0/0x40e
[21713.800187]  sock_sendmsg+0x72/0x76
[21713.800192]  ____sys_sendmsg+0x16d/0x1e3
[21713.800196]  ___sys_sendmsg+0x95/0xd1
[21713.800200]  __sys_sendmsg+0x85/0xbf
[21713.800205]  do_syscall_64+0x43/0x55
[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[21713.800213]
[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k
[21713.800219]
[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:
[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]
[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]
[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]
[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]
[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d
---truncated---</Note>
    </Notes>
    <CVE>CVE-2022-50880</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50880.html</URL>
        <Description>CVE-2022-50880</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256132</URL>
        <Description>SUSE Bug 1256132</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="40">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm: Prevent drm_copy_field() to attempt copying a NULL pointer

There are some struct drm_driver fields that are required by drivers since
drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.

But it can be possible that a driver has a bug and did not set some of the
fields, which leads to drm_copy_field() attempting to copy a NULL pointer:

[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[  +0.010955] Mem abort info:
[  +0.002835]   ESR = 0x0000000096000004
[  +0.003872]   EC = 0x25: DABT (current EL), IL = 32 bits
[  +0.005395]   SET = 0, FnV = 0
[  +0.003113]   EA = 0, S1PTW = 0
[  +0.003182]   FSC = 0x04: level 0 translation fault
[  +0.004964] Data abort info:
[  +0.002919]   ISV = 0, ISS = 0x00000004
[  +0.003886]   CM = 0, WnR = 0
[  +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
[  +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[  +0.006925] Internal error: Oops: 96000004 [#1] SMP
...
[  +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  +0.007061] pc : __pi_strlen+0x14/0x150
[  +0.003895] lr : drm_copy_field+0x30/0x1a4
[  +0.004156] sp : ffff8000094b3a50
[  +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
[  +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
[  +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
[  +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
[  +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
[  +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[  +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
[  +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
[  +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[  +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
[  +0.007240] Call trace:
[  +0.002475]  __pi_strlen+0x14/0x150
[  +0.003537]  drm_version+0x84/0xac
[  +0.003448]  drm_ioctl_kernel+0xa8/0x16c
[  +0.003975]  drm_ioctl+0x270/0x580
[  +0.003448]  __arm64_sys_ioctl+0xb8/0xfc
[  +0.003978]  invoke_syscall+0x78/0x100
[  +0.003799]  el0_svc_common.constprop.0+0x4c/0xf4
[  +0.004767]  do_el0_svc+0x38/0x4c
[  +0.003357]  el0_svc+0x34/0x100
[  +0.003185]  el0t_64_sync_handler+0x11c/0x150
[  +0.004418]  el0t_64_sync+0x190/0x194
[  +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
[  +0.006180] ---[ end trace 0000000000000000 ]---</Note>
    </Notes>
    <CVE>CVE-2022-50884</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50884.html</URL>
        <Description>CVE-2022-50884</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256127</URL>
        <Description>SUSE Bug 1256127</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="41">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dm integrity: Fix UAF in dm_integrity_dtr()

Dm_integrity also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.

Therefore, cancel the timer again in dm_integrity_dtr().</Note>
    </Notes>
    <CVE>CVE-2022-50889</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-50889.html</URL>
        <Description>CVE-2022-50889</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256056</URL>
        <Description>SUSE Bug 1256056</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="42">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.</Note>
    </Notes>
    <CVE>CVE-2023-23559</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-23559.html</URL>
        <Description>CVE-2023-23559</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1207051</URL>
        <Description>SUSE Bug 1207051</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="43">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.</Note>
    </Notes>
    <CVE>CVE-2023-4132</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-4132.html</URL>
        <Description>CVE-2023-4132</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1213969</URL>
        <Description>SUSE Bug 1213969</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="44">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Don't balance task to its current running CPU

We've run into the case that the balancer tries to balance a migration
disabled task and triggers the warning in set_task_cpu() like below:

 ------------[ cut here ]------------
 WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
 Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 &lt;...snip&gt;
 CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G           O       6.1.0-rc4+ #1
 Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
 pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : set_task_cpu+0x188/0x240
 lr : load_balance+0x5d0/0xc60
 sp : ffff80000803bc70
 x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
 x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
 x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
 x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
 x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
 x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
 x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
 x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
 x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
 x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
 Call trace:
  set_task_cpu+0x188/0x240
  load_balance+0x5d0/0xc60
  rebalance_domains+0x26c/0x380
  _nohz_idle_balance.isra.0+0x1e0/0x370
  run_rebalance_domains+0x6c/0x80
  __do_softirq+0x128/0x3d8
  ____do_softirq+0x18/0x24
  call_on_irq_stack+0x2c/0x38
  do_softirq_own_stack+0x24/0x3c
  __irq_exit_rcu+0xcc/0xf4
  irq_exit_rcu+0x18/0x24
  el1_interrupt+0x4c/0xe4
  el1h_64_irq_handler+0x18/0x2c
  el1h_64_irq+0x74/0x78
  arch_cpu_idle+0x18/0x4c
  default_idle_call+0x58/0x194
  do_idle+0x244/0x2b0
  cpu_startup_entry+0x30/0x3c
  secondary_start_kernel+0x14c/0x190
  __secondary_switched+0xb0/0xb4
 ---[ end trace 0000000000000000 ]---

Further investigation shows that the warning is superfluous: the migration
disabled task is just going to be migrated to its current running CPU.
This is because on load balance, if the dst_cpu is not allowed by the
task, we'll re-select a new_dst_cpu as a candidate. If no task can be
balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
instead. In this case, when the migration disabled task is not on CPU, it
is only allowed to run on its current CPU, so load balance will select its
current CPU as new_dst_cpu and later trigger the warning above.

The new_dst_cpu is chosen from the env-&gt;dst_grpmask. Currently it
contains CPUs in sched_group_span(), and if we have overlapped groups it's
possible to run into this case. This patch makes env-&gt;dst_grpmask the
group_balance_mask(), which excludes any CPUs from the busiest group and
solves the issue. For balancing in a domain with no overlapped groups
the behaviour stays the same as before.</Note>
    </Notes>
    <CVE>CVE-2023-53215</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-53215.html</URL>
        <Description>CVE-2023-53215</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1250397</URL>
        <Description>SUSE Bug 1250397</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="45">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

cacheinfo: Fix shared_cpu_map to handle shared caches at different levels

The cacheinfo sets up the shared_cpu_map by checking whether the caches
with the same index are shared between CPUs. However, this will trigger
slab-out-of-bounds access if the CPUs do not have the same cache hierarchy.
Another problem is the mismatched shared_cpu_map when the shared cache does
not have the same index between CPUs.

CPU0	I	D	L3
index	0	1	2	x
	^	^	^	^
index	0	1	2	3
CPU1	I	D	L2	L3

This patch checks whether each cache is shared with all caches on other CPUs.</Note>
    </Notes>
    <CVE>CVE-2023-53254</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-53254.html</URL>
        <Description>CVE-2023-53254</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1249871</URL>
        <Description>SUSE Bug 1249871</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1250731</URL>
        <Description>SUSE Bug 1250731</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="46">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: Fix direction for 0-length ioctl control messages

The syzbot fuzzer found a problem in the usbtmc driver: When a user
submits an ioctl for a 0-length control transfer, the driver does not
check that the direction is set to OUT:

------------[ cut here ]------------
usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Modules linked in:
CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Call Trace:
 &lt;TASK&gt;
 usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
 usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097

To fix this, we must override the direction in the bRequestType field
of the control request structure when the length is 0.</Note>
    </Notes>
    <CVE>CVE-2023-53761</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-53761.html</URL>
        <Description>CVE-2023-53761</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255002</URL>
        <Description>SUSE Bug 1255002</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255003</URL>
        <Description>SUSE Bug 1255003</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="47">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

smc: Fix use-after-free in tcp_write_timer_handler().

With Eric's ref tracker, syzbot finally found a repro for
use-after-free in tcp_write_timer_handler() by kernel TCP
sockets. [0]

If SMC creates a kernel socket in __smc_create(), the kernel
socket is supposed to be freed in smc_clcsock_release() by
calling sock_release() when we close() the parent SMC socket.

However, at the end of smc_clcsock_release(), the kernel
socket's sk_state might not be TCP_CLOSE.  This means that
we have not called inet_csk_destroy_sock() in __tcp_close()
and have not stopped the TCP timers.

The kernel socket's TCP timers can be fired later, so we
need to hold a refcnt for net as we do for MPTCP subflows
in mptcp_subflow_create_socket().

[0]:
leaked reference.
 sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)
 inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)
 __sock_create (net/socket.c:1546)
 smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)
 __sock_create (net/socket.c:1546)
 __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)
 __x64_sys_socket (net/socket.c:1672)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
==================================================================
BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091

CPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
Call Trace:
 &lt;IRQ&gt;
 dump_stack_lvl (lib/dump_stack.c:107)
 print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
 kasan_report (mm/kasan/report.c:538)
 tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
 tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)
 call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
 __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
 run_timer_softirq (kernel/time/timer.c:2037)
 __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
 __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)
 irq_exit_rcu (kernel/softirq.c:664)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))
 &lt;/IRQ&gt;</Note>
    </Notes>
    <CVE>CVE-2023-53781</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-53781.html</URL>
        <Description>CVE-2023-53781</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254751</URL>
        <Description>SUSE Bug 1254751</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254755</URL>
        <Description>SUSE Bug 1254755</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="48">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sched/psi: use kernfs polling functions for PSI trigger polling

Destroying psi trigger in cgroup_file_release causes UAF issues when
a cgroup is removed from under a polling process. This is happening
because cgroup removal causes a call to cgroup_file_release while the
actual file is still alive. Destroying the trigger at this point would
also destroy its waitqueue head and if there is still a polling process
on that file accessing the waitqueue, it will step on the freed pointer:

do_select
  vfs_poll
                           do_rmdir
                             cgroup_rmdir
                               kernfs_drain_open_files
                                 cgroup_file_release
                                   cgroup_pressure_release
                                     psi_trigger_destroy
                                       wake_up_pollfree(&amp;t-&gt;event_wait)
// vfs_poll is unblocked
                                       synchronize_rcu
                                       kfree(t)
  poll_freewait -&gt; UAF access to the trigger's waitqueue head

Patch [1] fixed this issue for the epoll() case using wake_up_pollfree(),
however the same issue exists for the synchronous poll() case.
The root cause of this issue is that the lifecycles of the psi trigger's
waitqueue and of the file associated with the trigger are different. Fix
this by using kernfs_generic_poll function when polling on cgroup-specific
psi triggers. It internally uses kernfs_open_node-&gt;poll waitqueue head
with its lifecycle tied to the file's lifecycle. This also renders the
fix in [1] obsolete, so revert it.

[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")</Note>
    </Notes>
    <CVE>CVE-2023-54019</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54019.html</URL>
        <Description>CVE-2023-54019</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255636</URL>
        <Description>SUSE Bug 1255636</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="49">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

KVM: Destroy target device if coalesced MMIO unregistration fails

Destroy and free the target coalesced MMIO device if unregistering said
device fails.  As clearly noted in the code, kvm_io_bus_unregister_dev()
does not destroy the target device.

  BUG: memory leak
  unreferenced object 0xffff888112a54880 (size 64):
    comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s)
    hex dump (first 32 bytes):
      38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff  8.g.....8.g.....
      e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff  .........0g.....
    backtrace:
      [&lt;0000000006995a8a&gt;] kmalloc include/linux/slab.h:556 [inline]
      [&lt;0000000006995a8a&gt;] kzalloc include/linux/slab.h:690 [inline]
      [&lt;0000000006995a8a&gt;] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150
      [&lt;00000000022550c2&gt;] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323
      [&lt;000000008a75102f&gt;] vfs_ioctl fs/ioctl.c:46 [inline]
      [&lt;000000008a75102f&gt;] file_ioctl fs/ioctl.c:509 [inline]
      [&lt;000000008a75102f&gt;] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696
      [&lt;0000000080e3f669&gt;] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713
      [&lt;0000000059ef4888&gt;] __do_sys_ioctl fs/ioctl.c:720 [inline]
      [&lt;0000000059ef4888&gt;] __se_sys_ioctl fs/ioctl.c:718 [inline]
      [&lt;0000000059ef4888&gt;] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
      [&lt;000000006444fa05&gt;] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290
      [&lt;000000009a4ed50b&gt;] entry_SYSCALL_64_after_hwframe+0x49/0xbe

  BUG: leak checking failed</Note>
    </Notes>
    <CVE>CVE-2023-54024</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54024.html</URL>
        <Description>CVE-2023-54024</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255609</URL>
        <Description>SUSE Bug 1255609</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="50">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: rndis_host: Secure rndis_query check against int overflow

Variables off and len, typed as uint32 in the rndis_query function,
are controlled by the incoming RNDIS response message, thus their
values may be manipulated. Setting off to an unexpectedly large
value will cause the sum with len and 8 to overflow and pass
the implemented validation step. Consequently the response
pointer will be referring to a location past the expected
buffer boundaries, allowing information leakage, e.g. via the
RNDIS_OID_802_3_PERMANENT_ADDRESS OID.</Note>
    </Notes>
    <CVE>CVE-2023-54110</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54110.html</URL>
        <Description>CVE-2023-54110</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256353</URL>
        <Description>SUSE Bug 1256353</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="51">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

gtp: Fix use-after-free in __gtp_encap_destroy().

syzkaller reported use-after-free in __gtp_encap_destroy(). [0]

It shows the same process freed sk and touched it illegally.

Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
and release_sock() in __gtp_encap_destroy() to protect sk-&gt;sk_user_data,
but release_sock() is called after sock_put() releases the last refcnt.

[0]:
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401

CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 &lt;TASK&gt;
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0xcc/0x620 mm/kasan/report.c:462
 kasan_report+0xb2/0xe0 mm/kasan/report.c:572
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:186 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:355 [inline]
 release_sock+0x1f/0x1a0 net/core/sock.c:3526
 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
 gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
 rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
 rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x1b7/0x200 net/socket.c:747
 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
 &lt;/TASK&gt;

Allocated by task 1483:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x
---truncated---</Note>
    </Notes>
    <CVE>CVE-2023-54142</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54142.html</URL>
        <Description>CVE-2023-54142</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256095</URL>
        <Description>SUSE Bug 1256095</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256097</URL>
        <Description>SUSE Bug 1256097</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="52">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()

The ucmd-&gt;log_sq_bb_count variable is controlled by the user so this
shift can wrap.  Fix it by using check_shl_overflow() in the same way
that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined
behavior in hns_roce_set_user_sq_size()").</Note>
    </Notes>
    <CVE>CVE-2023-54168</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54168.html</URL>
        <Description>CVE-2023-54168</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256053</URL>
        <Description>SUSE Bug 1256053</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256054</URL>
        <Description>SUSE Bug 1256054</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="53">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

keys: Fix linking a duplicate key to a keyring's assoc_array

When making a DNS query inside the kernel using dns_query(), the request
code can in rare cases end up creating a duplicate index key in the
assoc_array of the destination keyring. It is eventually found by
a BUG_ON() check in the assoc_array implementation and results in
a crash.

Example report:
[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!
[2158499.700039] invalid opcode: 0000 [#1] SMP PTI
[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3
[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]
[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40
[2158499.700702] Call Trace:
[2158499.700741]  ? key_alloc+0x447/0x4b0
[2158499.700768]  ? __key_link_begin+0x43/0xa0
[2158499.700790]  __key_link_begin+0x43/0xa0
[2158499.700814]  request_key_and_link+0x2c7/0x730
[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]
[2158499.700873]  ? key_default_cmp+0x20/0x20
[2158499.700898]  request_key_tag+0x43/0xa0
[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]
[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]
[2158499.701164]  ? scnprintf+0x49/0x90
[2158499.701190]  ? __switch_to_asm+0x40/0x70
[2158499.701211]  ? __switch_to_asm+0x34/0x70
[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]
[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]
[2158499.701632]  process_one_work+0x1f8/0x3e0
[2158499.701658]  worker_thread+0x2d/0x3f0
[2158499.701682]  ? process_one_work+0x3e0/0x3e0
[2158499.701703]  kthread+0x10d/0x130
[2158499.701723]  ? kthread_park+0xb0/0xb0
[2158499.701746]  ret_from_fork+0x1f/0x40

The situation occurs as follows:
* Some kernel facility invokes dns_query() to resolve a hostname, for
  example, "abcdef". The function registers its global DNS resolver
  cache as current-&gt;cred.thread_keyring and passes the query to
  request_key_net() -&gt; request_key_tag() -&gt; request_key_and_link().
* Function request_key_and_link() creates a keyring_search_context
  object. Its match_data.cmp method gets set via a call to
  type-&gt;match_preparse() (resolves to dns_resolver_match_preparse()) to
  dns_resolver_cmp().
* Function request_key_and_link() continues and invokes
  search_process_keyrings_rcu() which returns that a given key was not
  found. The control is then passed to request_key_and_link() -&gt;
  construct_alloc_key().
* Concurrently to that, a second task similarly makes a DNS query for
  "abcdef." and its result gets inserted into the DNS resolver cache.
* Back on the first task, function construct_alloc_key() first runs
  __key_link_begin() to determine an assoc_array_edit operation to
  insert a new key. Index keys in the array are compared exactly as-is,
  using keyring_compare_object(). The operation 
---truncated---</Note>
    </Notes>
    <CVE>CVE-2023-54170</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54170.html</URL>
        <Description>CVE-2023-54170</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256045</URL>
        <Description>SUSE Bug 1256045</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="54">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

block, bfq: Fix division by zero error on zero wsum

When the weighted sum is zero the calculation of limit causes
a division by zero error. Fix this by continuing to the next level.

This was discovered by running as root:

stress-ng --ioprio 0

Fixes division by error oops:

[  521.450556] divide error: 0000 [#1] SMP NOPTI
[  521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1
[  521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
[  521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400
[  521.455619] Call Trace:
[  521.455736]  &lt;TASK&gt;
[  521.455837]  ? bfq_request_merge+0x3a/0xc0
[  521.456027]  ? elv_merge+0x115/0x140
[  521.456191]  bfq_limit_depth+0xc8/0x240
[  521.456366]  __blk_mq_alloc_requests+0x21a/0x2c0
[  521.456577]  blk_mq_submit_bio+0x23c/0x6c0
[  521.456766]  __submit_bio+0xb8/0x140
[  521.457236]  submit_bio_noacct_nocheck+0x212/0x300
[  521.457748]  submit_bio_noacct+0x1a6/0x580
[  521.458220]  submit_bio+0x43/0x80
[  521.458660]  ext4_io_submit+0x23/0x80
[  521.459116]  ext4_do_writepages+0x40a/0xd00
[  521.459596]  ext4_writepages+0x65/0x100
[  521.460050]  do_writepages+0xb7/0x1c0
[  521.460492]  __filemap_fdatawrite_range+0xa6/0x100
[  521.460979]  file_write_and_wait_range+0xbf/0x140
[  521.461452]  ext4_sync_file+0x105/0x340
[  521.461882]  __x64_sys_fsync+0x67/0x100
[  521.462305]  ? syscall_exit_to_user_mode+0x2c/0x1c0
[  521.462768]  do_syscall_64+0x3b/0xc0
[  521.463165]  entry_SYSCALL_64_after_hwframe+0x5a/0xc4</Note>
    </Notes>
    <CVE>CVE-2023-54242</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54242.html</URL>
        <Description>CVE-2023-54242</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255919</URL>
        <Description>SUSE Bug 1255919</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="55">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix table blob use-after-free

We are not allowed to return an error at this point.
Looking at the code it looks like ret is always 0 at this
point, but it's not.

t = find_table_lock(net, repl-&gt;name, &amp;ret, &amp;ebt_mutex);

... this can return a valid table, with ret != 0.

This bug causes update of table-&gt;private with the new
blob, but then frees the blob right away in the caller.

Syzbot report:

BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
Workqueue: netns cleanup_net
Call Trace:
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
...

ip(6)tables appears to be ok (ret should be 0 at this point) but make
this more obvious.</Note>
    </Notes>
    <CVE>CVE-2023-54243</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54243.html</URL>
        <Description>CVE-2023-54243</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255908</URL>
        <Description>SUSE Bug 1255908</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="56">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: usb: siano: Fix use after free bugs caused by do_submit_urb

There are UAF bugs caused by do_submit_urb(). One of the KASan reports
is shown below:

[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
[   36.408316]
[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8
[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
[   36.416157] Workqueue:  0x0 (events)
[   36.417654] Call Trace:
[   36.418546]  &lt;TASK&gt;
[   36.419320]  dump_stack_lvl+0x96/0xd0
[   36.420522]  print_address_description+0x75/0x350
[   36.421992]  print_report+0x11b/0x250
[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0
[   36.424806]  ? __virt_addr_valid+0xcf/0x170
[   36.426069]  ? worker_thread+0x4a2/0x890
[   36.427355]  kasan_report+0x131/0x160
[   36.428556]  ? worker_thread+0x4a2/0x890
[   36.430053]  worker_thread+0x4a2/0x890
[   36.431297]  ? worker_clr_flags+0x90/0x90
[   36.432479]  kthread+0x166/0x190
[   36.433493]  ? kthread_blkcg+0x50/0x50
[   36.434669]  ret_from_fork+0x22/0x30
[   36.435923]  &lt;/TASK&gt;
[   36.436684]
[   36.437215] Allocated by task 24:
[   36.438289]  kasan_set_track+0x50/0x80
[   36.439436]  __kasan_kmalloc+0x89/0xa0
[   36.440566]  smsusb_probe+0x374/0xc90
[   36.441920]  usb_probe_interface+0x2d1/0x4c0
[   36.443253]  really_probe+0x1d5/0x580
[   36.444539]  __driver_probe_device+0xe3/0x130
[   36.446085]  driver_probe_device+0x49/0x220
[   36.447423]  __device_attach_driver+0x19e/0x1b0
[   36.448931]  bus_for_each_drv+0xcb/0x110
[   36.450217]  __device_attach+0x132/0x1f0
[   36.451470]  bus_probe_device+0x59/0xf0
[   36.452563]  device_add+0x4ec/0x7b0
[   36.453830]  usb_set_configuration+0xc63/0xe10
[   36.455230]  usb_generic_driver_probe+0x3b/0x80
[   36.456166] printk: console [ttyGS0] disabled
[   36.456569]  usb_probe_device+0x90/0x110
[   36.459523]  really_probe+0x1d5/0x580
[   36.461027]  __driver_probe_device+0xe3/0x130
[   36.462465]  driver_probe_device+0x49/0x220
[   36.463847]  __device_attach_driver+0x19e/0x1b0
[   36.465229]  bus_for_each_drv+0xcb/0x110
[   36.466466]  __device_attach+0x132/0x1f0
[   36.467799]  bus_probe_device+0x59/0xf0
[   36.469010]  device_add+0x4ec/0x7b0
[   36.470125]  usb_new_device+0x863/0xa00
[   36.471374]  hub_event+0x18c7/0x2220
[   36.472746]  process_one_work+0x34c/0x5b0
[   36.474041]  worker_thread+0x4b7/0x890
[   36.475216]  kthread+0x166/0x190
[   36.476267]  ret_from_fork+0x22/0x30
[   36.477447]
[   36.478160] Freed by task 24:
[   36.479239]  kasan_set_track+0x50/0x80
[   36.480512]  kasan_save_free_info+0x2b/0x40
[   36.481808]  ____kasan_slab_free+0x122/0x1a0
[   36.483173]  __kmem_cache_free+0xc4/0x200
[   36.484563]  smsusb_term_device+0xcd/0xf0
[   36.485896]  smsusb_probe+0xc85/0xc90
[   36.486976]  usb_probe_interface+0x2d1/0x4c0
[   36.488303]  really_probe+0x1d5/0x580
[   36.489498]  __driver_probe_device+0xe3/0x130
[   36.491140]  driver_probe_device+0x49/0x220
[   36.492475]  __device_attach_driver+0x19e/0x1b0
[   36.493988]  bus_for_each_drv+0xcb/0x110
[   36.495171]  __device_attach+0x132/0x1f0
[   36.496617]  bus_probe_device+0x59/0xf0
[   36.497875]  device_add+0x4ec/0x7b0
[   36.498972]  usb_set_configuration+0xc63/0xe10
[   36.500264]  usb_generic_driver_probe+0x3b/0x80
[   36.501740]  usb_probe_device+0x90/0x110
[   36.503084]  really_probe+0x1d5/0x580
[   36.504241]  __driver_probe_device+0xe3/0x130
[   36.505548]  driver_probe_device+0x49/0x220
[   36.506766]  __device_attach_driver+0x19e/0x1b0
[   36.508368]  bus_for_each_drv+0xcb/0x110
[   36.509646]  __device_attach+0x132/0x1f0
[   36.510911]  bus_probe_device+0x59/0xf0
[   36.512103]  device_add+0x4ec/0x7b0
[   36.513215]  usb_new_device+0x863/0xa00
[   36.514736]  hub_event+0x18c7/0x2220
[   36.516130]  process_one_work+
---truncated---</Note>
    </Notes>
    <CVE>CVE-2023-54270</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-54270.html</URL>
        <Description>CVE-2023-54270</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255901</URL>
        <Description>SUSE Bug 1255901</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="57">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: lzo - Fix compression buffer overrun

Unlike the decompression code, the compression code in LZO never
checked for output overruns.  It instead assumes that the caller
always provides enough buffer space, disregarding the buffer length
provided by the caller.

Add a safe compression interface that checks for the end of buffer
before each write.  Use the safe interface in crypto/lzo.</Note>
    </Notes>
    <CVE>CVE-2025-38068</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38068.html</URL>
        <Description>CVE-2025-38068</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245210</URL>
        <Description>SUSE Bug 1245210</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="58">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], &amp;para[1])', which reads
5 bytes:

void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
    ...
    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
    ...
    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));

Detected using the static analysis tool - Svace.</Note>
    </Notes>
    <CVE>CVE-2025-38159</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38159.html</URL>
        <Description>CVE-2025-38159</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245751</URL>
        <Description>SUSE Bug 1245751</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1257629</URL>
        <Description>SUSE Bug 1257629</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="59">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: essiv - Check ssize for decryption and in-place encryption

Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.</Note>
    </Notes>
    <CVE>CVE-2025-40019</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40019.html</URL>
        <Description>CVE-2025-40019</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1252678</URL>
        <Description>SUSE Bug 1252678</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1252719</URL>
        <Description>SUSE Bug 1252719</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="60">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xfrm: delete x-&gt;tunnel as we delete x

The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.

We recently fixed one such situation in TCP due to deferred freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.

Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.

A separate lockdep class for the fallback state is required since
we're going to lock x-&gt;tunnel while x is locked.</Note>
    </Notes>
    <CVE>CVE-2025-40215</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40215.html</URL>
        <Description>CVE-2025-40215</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254959</URL>
        <Description>SUSE Bug 1254959</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255054</URL>
        <Description>SUSE Bug 1255054</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="61">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

fuse: fix livelock in synchronous file put from fuseblk workers

I observed a hang when running generic/323 against a fuseblk server.
This test opens a file, initiates a lot of AIO writes to that file
descriptor, and closes the file descriptor before the writes complete.
Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for
responses from the fuseblk server:

# cat /proc/372265/task/372313/stack
[&lt;0&gt;] request_wait_answer+0x1fe/0x2a0 [fuse]
[&lt;0&gt;] __fuse_simple_request+0xd3/0x2b0 [fuse]
[&lt;0&gt;] fuse_do_getattr+0xfc/0x1f0 [fuse]
[&lt;0&gt;] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[&lt;0&gt;] aio_read+0x130/0x1e0
[&lt;0&gt;] io_submit_one+0x542/0x860
[&lt;0&gt;] __x64_sys_io_submit+0x98/0x1a0
[&lt;0&gt;] do_syscall_64+0x37/0xf0
[&lt;0&gt;] entry_SYSCALL_64_after_hwframe+0x4b/0x53

But the /weird/ part is that the fuseblk server threads are waiting for
responses from itself:

# cat /proc/372210/task/372232/stack
[&lt;0&gt;] request_wait_answer+0x1fe/0x2a0 [fuse]
[&lt;0&gt;] __fuse_simple_request+0xd3/0x2b0 [fuse]
[&lt;0&gt;] fuse_file_put+0x9a/0xd0 [fuse]
[&lt;0&gt;] fuse_release+0x36/0x50 [fuse]
[&lt;0&gt;] __fput+0xec/0x2b0
[&lt;0&gt;] task_work_run+0x55/0x90
[&lt;0&gt;] syscall_exit_to_user_mode+0xe9/0x100
[&lt;0&gt;] do_syscall_64+0x43/0xf0
[&lt;0&gt;] entry_SYSCALL_64_after_hwframe+0x4b/0x53

The fuseblk server is fuse2fs so there's nothing all that exciting in
the server itself.  So why is the fuse server calling fuse_file_put?
The commit message for the fstest sheds some light on that:

"By closing the file descriptor before calling io_destroy, you pretty
much guarantee that the last put on the ioctx will be done in interrupt
context (during I/O completion).

Aha.  AIO fgets a new struct file from the fd when it queues the ioctx.
The completion of the FUSE_WRITE command from userspace causes the fuse
server to call the AIO completion function.  The completion puts the
struct file, queuing a delayed fput to the fuse server task.  When the
fuse server task returns to userspace, it has to run the delayed fput,
which in the case of a fuseblk server, it does synchronously.

Sending the FUSE_RELEASE command synchronously from fuse server threads
is a bad idea because a client program can initiate enough simultaneous
AIOs such that all the fuse server threads end up in delayed_fput, and
now there aren't any threads left to handle the queued fuse commands.

Fix this by only using asynchronous fputs when closing files, and leave
a comment explaining why.</Note>
    </Notes>
    <CVE>CVE-2025-40220</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40220.html</URL>
        <Description>CVE-2025-40220</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254520</URL>
        <Description>SUSE Bug 1254520</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="62">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ocfs2: clear extent cache after moving/defragmenting extents

The extent map cache can become stale when extents are moved or
defragmented, causing subsequent operations to see outdated extent flags. 
This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().

The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
   which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has
   updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec-&gt;e_flags &amp; OCFS2_EXT_REFCOUNTED)) triggers

Fix by clearing the extent map cache after each extent move/defrag
operation in __ocfs2_move_extents_range().  This ensures subsequent
operations read fresh extent data from disk.</Note>
    </Notes>
    <CVE>CVE-2025-40233</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40233.html</URL>
        <Description>CVE-2025-40233</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254813</URL>
        <Description>SUSE Bug 1254813</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="63">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added

In commit b441cf3f8c4b ("xfrm: delete x-&gt;tunnel as we delete x"), I
missed the case where state creation fails between full
initialization (-&gt;init_state has been called) and being inserted on
the lists.

In this situation, -&gt;init_state has been called, so for IPcomp
tunnels, the fallback tunnel has been created and added onto the
lists, but the user state never gets added, because we fail before
that. The user state doesn't go through __xfrm_state_delete, so we
don't call xfrm_state_delete_tunnel for those states, and we end up
leaking the FB tunnel.

There are several codepaths affected by this: the add/update paths, in
both net/key and xfrm, and the migrate code (xfrm_migrate,
xfrm_state_migrate). A "proper" rollback of the init_state work would
probably be doable in the add/update code, but for migrate it gets
more complicated as multiple states may be involved.

At some point, the new (not-inserted) state will be destroyed, so call
xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states
will have their fallback tunnel cleaned up during __xfrm_state_delete,
which solves the issue that b441cf3f8c4b (and other patches before it)
aimed at. All states (including FB tunnels) will be removed from the
lists once xfrm_state_fini has called flush_work(&amp;xfrm_state_gc_work).</Note>
    </Notes>
    <CVE>CVE-2025-40256</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40256.html</URL>
        <Description>CVE-2025-40256</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254851</URL>
        <Description>SUSE Bug 1254851</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="64">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.</Note>
    </Notes>
    <CVE>CVE-2025-40277</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40277.html</URL>
        <Description>CVE-2025-40277</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254894</URL>
        <Description>SUSE Bug 1254894</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="65">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free in tipc_mon_reinit_self().

syzbot reported use-after-free of tipc_net(net)-&gt;monitors[]
in tipc_mon_reinit_self(). [0]

The array is protected by RTNL, but tipc_mon_reinit_self()
iterates over it without RTNL.

tipc_mon_reinit_self() is called from tipc_net_finalize(),
which is always under RTNL except for tipc_net_finalize_work().

Let's hold RTNL in tipc_net_finalize_work().

[0]:
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989

CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events tipc_net_finalize_work
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568
 kasan_check_byte include/linux/kasan.h:399 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]
 rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]
 rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244
 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243
 write_lock_bh include/linux/rwlock_rt.h:99 [inline]
 tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718
 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 &lt;/TASK&gt;

Allocated by task 6089:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657
 tipc_enable_bearer net/tipc/bearer.c:357 [inline]
 __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047
 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]
 tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393
 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]
 tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x508/0x820 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-40280</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40280.html</URL>
        <Description>CVE-2025-40280</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254847</URL>
        <Description>SUSE Bug 1254847</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254951</URL>
        <Description>SUSE Bug 1254951</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="66">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sctp: Prevent TOCTOU out-of-bounds write

For the following path not holding the sock lock,

  sctp_diag_dump() -&gt; sctp_for_each_endpoint() -&gt; sctp_ep_dump()

make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).</Note>
    </Notes>
    <CVE>CVE-2025-40331</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-40331.html</URL>
        <Description>CVE-2025-40331</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1254615</URL>
        <Description>SUSE Bug 1254615</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="67">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix ipv4 null-ptr-deref in route error path

The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb-&gt;dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.

The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb-&gt;dev. An attempt was made to fix the NULL skb-&gt;dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb-&gt;dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb-&gt;dev
directly, which remains NULL when IPVS calls dst_link_failure().

The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb-&gt;dev == NULL
4. ipv4_link_failure() -&gt; ipv4_send_dest_unreach() -&gt;
   __ip_options_compile() -&gt; fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb-&gt;dev

Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb-&gt;dev from skb_dst(skb)-&gt;dev before
calling dst_link_failure().

KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
  &lt;TASK&gt;
  spec_dst_fill net/ipv4/ip_options.c:232
  spec_dst_fill net/ipv4/ip_options.c:229
  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
  ipv4_send_dest_unreach net/ipv4/route.c:1252
  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
  dst_link_failure include/net/dst.h:437
  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764</Note>
    </Notes>
    <CVE>CVE-2025-68813</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-68813.html</URL>
        <Description>CVE-2025-68813</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256641</URL>
        <Description>SUSE Bug 1256641</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256644</URL>
        <Description>SUSE Bug 1256644</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="68">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

A zero length gss_token results in pages == 0 and in_token-&gt;pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token-&gt;pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length &gt; 0.</Note>
    </Notes>
    <CVE>CVE-2025-71120</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.232.1</ProductID>
        <ProductID>SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.232.1.150300.18.138.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260369-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-71120.html</URL>
        <Description>CVE-2025-71120</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256779</URL>
        <Description>SUSE Bug 1256779</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1256780</URL>
        <Description>SUSE Bug 1256780</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
