Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0928-1 Final 1 1 2026-03-18T13:32:23Z current 2026-03-18T13:32:23Z 2026-03-18T13:32:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2023-53794: cifs: fix session state check in reconnect to avoid use-after-free issue (bsc#1255163). - CVE-2023-53827: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (bsc#1255049). - CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (bsc#1238917). - CVE-2025-38375: virtio-net: ensure the received length does not exceed allocated size (bsc#1247177). - CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401). - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645). - CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231). - CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735). - CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749). - CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790). - CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395). - CVE-2026-23204: net: add skb_header_pointer_careful() helper (bsc#1258340). The following non security issues were fixed: - apparmor: fix differential encoding verification (bsc#1258849). - apparmor: Fix double free of ns_name in aa_replace_profiles() (bsc#1258849). - apparmor: fix memory leak in verify_header (bsc#1258849). - apparmor: fix missing bounds check on DEFAULT table in verify_dfa() (bsc#1258849). - apparmor: fix side-effect bug in match_char() macro usage (bsc#1258849). - apparmor: fix unprivileged local user can do privileged policy management (bsc#1258849). - apparmor: fix: limit the number of levels of policy namespaces (bsc#1258849). - apparmor: replace recursive profile removal with iterative approach (bsc#1258849). - apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1258849). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro-rancher/5.2:latest-2026-928,SUSE-2026-928,SUSE-SUSE-MicroOS-5.2-2026-928 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ Link for SUSE-SU-2026:0928-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024762.html E-Mail link for SUSE-SU-2026:0928-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1238917 SUSE Bug 1238917 https://bugzilla.suse.com/1246166 SUSE Bug 1246166 https://bugzilla.suse.com/1247177 SUSE Bug 1247177 https://bugzilla.suse.com/1255049 SUSE Bug 1255049 https://bugzilla.suse.com/1255163 SUSE Bug 1255163 https://bugzilla.suse.com/1255401 SUSE Bug 1255401 https://bugzilla.suse.com/1256645 SUSE Bug 1256645 https://bugzilla.suse.com/1257231 SUSE Bug 1257231 https://bugzilla.suse.com/1257735 SUSE Bug 1257735 https://bugzilla.suse.com/1257749 SUSE Bug 1257749 https://bugzilla.suse.com/1257790 SUSE Bug 1257790 https://bugzilla.suse.com/1258340 SUSE Bug 1258340 https://bugzilla.suse.com/1258395 SUSE Bug 1258395 https://bugzilla.suse.com/1258849 SUSE Bug 1258849 https://www.suse.com/security/cve/CVE-2023-53794/ SUSE CVE CVE-2023-53794 page https://www.suse.com/security/cve/CVE-2023-53827/ SUSE CVE CVE-2023-53827 page https://www.suse.com/security/cve/CVE-2025-21738/ SUSE CVE CVE-2025-21738 page https://www.suse.com/security/cve/CVE-2025-38224/ SUSE CVE CVE-2025-38224 page https://www.suse.com/security/cve/CVE-2025-38375/ SUSE CVE CVE-2025-38375 page https://www.suse.com/security/cve/CVE-2025-68285/ SUSE CVE CVE-2025-68285 page https://www.suse.com/security/cve/CVE-2025-71066/ SUSE CVE CVE-2025-71066 page https://www.suse.com/security/cve/CVE-2026-23004/ SUSE CVE CVE-2026-23004 page https://www.suse.com/security/cve/CVE-2026-23060/ SUSE CVE CVE-2026-23060 page https://www.suse.com/security/cve/CVE-2026-23074/ SUSE CVE CVE-2026-23074 page https://www.suse.com/security/cve/CVE-2026-23089/ SUSE CVE CVE-2026-23089 page https://www.suse.com/security/cve/CVE-2026-23191/ SUSE CVE CVE-2026-23191 page https://www.suse.com/security/cve/CVE-2026-23204/ SUSE CVE CVE-2026-23204 page Container suse/sle-micro-rancher/5.2:latest SUSE Linux Enterprise Micro 5.2 kernel-default-5.3.18-150300.59.238.1 cluster-md-kmp-64kb-5.3.18-150300.59.238.1 cluster-md-kmp-default-5.3.18-150300.59.238.1 cluster-md-kmp-preempt-5.3.18-150300.59.238.1 dlm-kmp-64kb-5.3.18-150300.59.238.1 dlm-kmp-default-5.3.18-150300.59.238.1 dlm-kmp-preempt-5.3.18-150300.59.238.1 dtb-al-5.3.18-150300.59.238.1 dtb-allwinner-5.3.18-150300.59.238.1 dtb-altera-5.3.18-150300.59.238.1 dtb-amd-5.3.18-150300.59.238.1 dtb-amlogic-5.3.18-150300.59.238.1 dtb-apm-5.3.18-150300.59.238.1 dtb-arm-5.3.18-150300.59.238.1 dtb-broadcom-5.3.18-150300.59.238.1 dtb-cavium-5.3.18-150300.59.238.1 dtb-exynos-5.3.18-150300.59.238.1 dtb-freescale-5.3.18-150300.59.238.1 dtb-hisilicon-5.3.18-150300.59.238.1 dtb-lg-5.3.18-150300.59.238.1 dtb-marvell-5.3.18-150300.59.238.1 dtb-mediatek-5.3.18-150300.59.238.1 dtb-nvidia-5.3.18-150300.59.238.1 dtb-qcom-5.3.18-150300.59.238.1 dtb-renesas-5.3.18-150300.59.238.1 dtb-rockchip-5.3.18-150300.59.238.1 dtb-socionext-5.3.18-150300.59.238.1 dtb-sprd-5.3.18-150300.59.238.1 dtb-xilinx-5.3.18-150300.59.238.1 dtb-zte-5.3.18-150300.59.238.1 gfs2-kmp-64kb-5.3.18-150300.59.238.1 gfs2-kmp-default-5.3.18-150300.59.238.1 gfs2-kmp-preempt-5.3.18-150300.59.238.1 kernel-64kb-5.3.18-150300.59.238.1 kernel-64kb-devel-5.3.18-150300.59.238.1 kernel-64kb-extra-5.3.18-150300.59.238.1 kernel-64kb-optional-5.3.18-150300.59.238.1 kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 kernel-default-base-rebuild-5.3.18-150300.59.238.1.150300.18.142.1 kernel-default-devel-5.3.18-150300.59.238.1 kernel-default-extra-5.3.18-150300.59.238.1 kernel-default-livepatch-5.3.18-150300.59.238.1 kernel-default-livepatch-devel-5.3.18-150300.59.238.1 kernel-default-optional-5.3.18-150300.59.238.1 kernel-devel-5.3.18-150300.59.238.1 kernel-docs-5.3.18-150300.59.238.1 kernel-docs-html-5.3.18-150300.59.238.1 kernel-kvmsmall-5.3.18-150300.59.238.1 kernel-kvmsmall-devel-5.3.18-150300.59.238.1 kernel-macros-5.3.18-150300.59.238.1 kernel-obs-build-5.3.18-150300.59.238.1 kernel-obs-qa-5.3.18-150300.59.238.1 kernel-preempt-5.3.18-150300.59.238.1 kernel-preempt-devel-5.3.18-150300.59.238.1 kernel-preempt-extra-5.3.18-150300.59.238.1 kernel-preempt-optional-5.3.18-150300.59.238.1 kernel-source-5.3.18-150300.59.238.1 kernel-source-vanilla-5.3.18-150300.59.238.1 kernel-syms-5.3.18-150300.59.238.1 kernel-zfcpdump-5.3.18-150300.59.238.1 kselftests-kmp-64kb-5.3.18-150300.59.238.1 kselftests-kmp-default-5.3.18-150300.59.238.1 kselftests-kmp-preempt-5.3.18-150300.59.238.1 ocfs2-kmp-64kb-5.3.18-150300.59.238.1 ocfs2-kmp-default-5.3.18-150300.59.238.1 ocfs2-kmp-preempt-5.3.18-150300.59.238.1 reiserfs-kmp-64kb-5.3.18-150300.59.238.1 reiserfs-kmp-default-5.3.18-150300.59.238.1 reiserfs-kmp-preempt-5.3.18-150300.59.238.1 kernel-default-5.3.18-150300.59.238.1 as a component of Container suse/sle-micro-rancher/5.2:latest kernel-default-5.3.18-150300.59.238.1 as a component of SUSE Linux Enterprise Micro 5.2 kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 as a component of SUSE Linux Enterprise Micro 5.2 In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon. Note that the exiting session will stay in server->smb_ses_list until it complete the cifs_free_ipc() and logoff() and then delete itself from the list. CVE-2023-53794 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2023-53794.html CVE-2023-53794 https://bugzilla.suse.com/1255163 SUSE Bug 1255163 https://bugzilla.suse.com/1255235 SUSE Bug 1255235 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. CVE-2023-53827 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2023-53827.html CVE-2023-53827 https://bugzilla.suse.com/1255049 SUSE Bug 1255049 https://bugzilla.suse.com/1255050 SUSE Bug 1255050 In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. CVE-2025-21738 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2025-21738.html CVE-2025-21738 https://bugzilla.suse.com/1238917 SUSE Bug 1238917 https://bugzilla.suse.com/1257118 SUSE Bug 1257118 In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-38224 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2025-38224.html CVE-2025-38224 https://bugzilla.suse.com/1246166 SUSE Bug 1246166 In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. CVE-2025-38375 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2025-38375.html CVE-2025-38375 https://bugzilla.suse.com/1247177 SUSE Bug 1247177 https://bugzilla.suse.com/1258073 SUSE Bug 1258073 In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well. CVE-2025-68285 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2025-68285.html CVE-2025-68285 https://bugzilla.suse.com/1255401 SUSE Bug 1255401 https://bugzilla.suse.com/1255402 SUSE Bug 1255402 In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- CVE-2025-71066 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2025-71066.html CVE-2025-71066 https://bugzilla.suse.com/1256645 SUSE Bug 1256645 https://bugzilla.suse.com/1258005 SUSE Bug 1258005 In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is neeed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2026-23004 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23004.html CVE-2026-23004 https://bugzilla.suse.com/1257231 SUSE Bug 1257231 https://bugzilla.suse.com/1258655 SUSE Bug 1258655 In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. CVE-2026-23060 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23060.html CVE-2026-23060 https://bugzilla.suse.com/1257735 SUSE Bug 1257735 In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s ── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF. CVE-2026-23074 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23074.html CVE-2026-23074 https://bugzilla.suse.com/1257749 SUSE Bug 1257749 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. CVE-2026-23089 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23089.html CVE-2026-23089 https://bugzilla.suse.com/1257790 SUSE Bug 1257790 In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF. CVE-2026-23191 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23191.html CVE-2026-23191 https://bugzilla.suse.com/1258395 SUSE Bug 1258395 https://bugzilla.suse.com/1258396 SUSE Bug 1258396 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 CVE-2026-23204 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.238.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.238.1.150300.18.142.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260928-1/ https://www.suse.com/security/cve/CVE-2026-23204.html CVE-2026-23204 https://bugzilla.suse.com/1258340 SUSE Bug 1258340 https://bugzilla.suse.com/1259126 SUSE Bug 1259126