Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20667-1 Final 1 1 2026-03-11T15:14:55Z current 2026-03-11T15:14:55Z 2026-03-11T15:14:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise Micro 6.0 and Micro 6.1 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2023-53817: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() (bsc#1254992). - CVE-2025-37861: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1243055). - CVE-2025-39748: bpf: Forget ranges when refining tnum after JSET (bsc#1249587). - CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966). - CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911). - CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924). - CVE-2025-68283: libceph: replace BUG_ON with bounds check for map->max_osd (bsc#1255379). - CVE-2025-68295: smb: client: fix memory leak in cifs_construct_tcon() (bsc#1255129). - CVE-2025-68374: md: fix rcu protection in md_wakeup_thread (bsc#1255530). - CVE-2025-68736: landlock: Fix handling of disconnected directories (bsc#1255698). - CVE-2025-68778: btrfs: don't log conflicting inode if it's a dir moved in the current transaction (bsc#1256683). - CVE-2025-68785: net: openvswitch: fix middle attribute validation in push_nsh() action (bsc#1256640). - CVE-2025-68810: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot (bsc#1256679). - CVE-2025-71071: iommu/mediatek: fix use-after-free on probe deferral (bsc#1256802). - CVE-2025-71104: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (bsc#1256708). - CVE-2025-71113: crypto: af_alg - zero initialize memory allocated via sock_kmalloc (bsc#1256716). - CVE-2025-71126: mptcp: reset fallback status gracefully at disconnect() time (bsc#1256755). - CVE-2025-71148: net/handshake: restore destructor on submit failure (bsc#1257159). - CVE-2025-71184: btrfs: fix NULL dereference on root when tracing inode eviction (bsc#1257635). - CVE-2025-71194: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (bsc#1257687). - CVE-2025-71225: md: suspend array while updating raid_disks via sysfs (bsc#1258411). - CVE-2026-22979: net: fix memory leak in skb_segment_list for GRO packets (bsc#1257228). - CVE-2026-22982: net: mscc: ocelot: Fix crash when adding interface under a lag (bsc#1257179). - CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (bsc#1257209). - CVE-2026-23003: geneve: Fix incorrect inner network header offset when innerprotoinherit is set (bsc#1257246). - CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231). - CVE-2026-23017: idpf: fix error handling in the init_task on load (bsc#1257552). - CVE-2026-23035: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (bsc#1257559). - CVE-2026-23053: NFS: Fix a deadlock involving nfs_release_folio() (bsc#1257718). - CVE-2026-23057: vsock/virtio: Coalesce only linear skb (bsc#1257740). - CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735). - CVE-2026-23064: net/sched: act_ife: avoid possible NULL deref (bsc#1257765). - CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749). - CVE-2026-23083: fou: Don't allow 0 for FOU_ATTR_IPPROTO (bsc#1257745). - CVE-2026-23084: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (bsc#1257830). - CVE-2026-23085: irqchip/gic-v3-its: Avoid truncating memory addresses (bsc#1257758). - CVE-2026-23086: vsock/virtio: cap TX credit to local buffer size (bsc#1257757). - CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790). - CVE-2026-23095: gue: Fix skb memleak with inner IP protocol 0 (bsc#1257808). - CVE-2026-23099: bonding: limit BOND_MODE_8023AD to Ethernet devices (bsc#1257816). - CVE-2026-23102: arm64/fpsimd: signal: Mandate SVE payload for streaming-mode state (bsc#1257772). - CVE-2026-23104: ice: fix devlink reload call trace (bsc#1257763). - CVE-2026-23105: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (bsc#1257775). - CVE-2026-23107: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA (bsc#1257762). - CVE-2026-23110: scsi: core: Wake up the error handler when final completions race against each other (bsc#1257761). - CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258181). - CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (bsc#1258184). - CVE-2026-23113: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop (bsc#1258278). - CVE-2026-23116: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu (bsc#1258277). - CVE-2026-23119: bonding: provide a net pointer to __skb_flow_dissect() (bsc#1258273). - CVE-2026-23139: netfilter: nf_conncount: update last_gc only when GC has been performed (bsc#1258304). - CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377). - CVE-2026-23166: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues (bsc#1258272). - CVE-2026-23171: net: bonding: update the slave array for broadcast mode (bsc#1258349). - CVE-2026-23173: net/mlx5e: TC, delete flows only for existing peers (bsc#1258520). - CVE-2026-23179: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() (bsc#1258394). - CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395). - CVE-2026-23198: KVM: Don't clobber irqfd routing type when deassigning irqfd (bsc#1258321). - CVE-2026-23208: ALSA: usb-audio: Prevent excessive number of frames (bsc#1258468). - CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518). - CVE-2026-23213: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset (bsc#1258465). - CVE-2026-23214: btrfs: reject new transactions if the fs is fully read-only (bsc#1258464). The following non security issues were fixed: - ALSA: usb-audio: Update the number of packets properly at receiving (stable-fixes). - ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() (git-fixes). - ASoC: SOF: ipc4-control: If there is no data do not send bytes update (git-fixes). - HID: intel-ish-hid: Update ishtp bus match to support device ID table (stable-fixes). - PM: sleep: wakeirq: Update outdated documentation comments (git-fixes). - Update "drm/mgag200: fix mgag200_bmc_stop_scanout()" bug number (bsc#1258153) - Update upstreamed net and powerpc patch references and sorting - bonding: only set speed/duplex to unknown, if getting speed failed (bsc#1253691). - btrfs: scrub: always update btrfs_scrub_progress::last_physical (git-fixes). - clocksource: Print durations for sync check unconditionally (bsc#1241345). - clocksource: Reduce watchdog readout delay limit to prevent false positives (bsc#1241345). - drm/radeon: delete radeon_fence_process in is_signaled, no deadlock (stable-fixes). - ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (git-fixes). - landlock: Optimize file path walks and prepare for audit support (bsc#1255698). - media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() (git-fixes). - shrink_slab_memcg: clear_bits of skipped shrinkers (bsc#1256564). - spi: tegra210-quad: Move curr_xfer read inside spinlock (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer assignment in (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer check in IRQ handler (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer clearing in (bsc#1257952) - spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer (bsc#1257952) - spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed (bsc#1257952) - staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure (stable-fixes). - wifi: cfg80211: Fix use_for flag update on BSS refresh (git-fixes). - workqueue: mark power efficient workqueue as unbounded if (bsc#1257891) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-kernel-291 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ Link for SUSE-SU-2026:20667-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024746.html E-Mail link for SUSE-SU-2026:20667-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241345 SUSE Bug 1241345 https://bugzilla.suse.com/1243055 SUSE Bug 1243055 https://bugzilla.suse.com/1249587 SUSE Bug 1249587 https://bugzilla.suse.com/1251966 SUSE Bug 1251966 https://bugzilla.suse.com/1252911 SUSE Bug 1252911 https://bugzilla.suse.com/1252924 SUSE Bug 1252924 https://bugzilla.suse.com/1253691 SUSE Bug 1253691 https://bugzilla.suse.com/1254992 SUSE Bug 1254992 https://bugzilla.suse.com/1255129 SUSE Bug 1255129 https://bugzilla.suse.com/1255265 SUSE Bug 1255265 https://bugzilla.suse.com/1255379 SUSE Bug 1255379 https://bugzilla.suse.com/1255530 SUSE Bug 1255530 https://bugzilla.suse.com/1255698 SUSE Bug 1255698 https://bugzilla.suse.com/1256564 SUSE Bug 1256564 https://bugzilla.suse.com/1256640 SUSE Bug 1256640 https://bugzilla.suse.com/1256679 SUSE Bug 1256679 https://bugzilla.suse.com/1256683 SUSE Bug 1256683 https://bugzilla.suse.com/1256708 SUSE Bug 1256708 https://bugzilla.suse.com/1256716 SUSE Bug 1256716 https://bugzilla.suse.com/1256755 SUSE Bug 1256755 https://bugzilla.suse.com/1256802 SUSE Bug 1256802 https://bugzilla.suse.com/1256863 SUSE Bug 1256863 https://bugzilla.suse.com/1257159 SUSE Bug 1257159 https://bugzilla.suse.com/1257179 SUSE Bug 1257179 https://bugzilla.suse.com/1257209 SUSE Bug 1257209 https://bugzilla.suse.com/1257228 SUSE Bug 1257228 https://bugzilla.suse.com/1257231 SUSE Bug 1257231 https://bugzilla.suse.com/1257246 SUSE Bug 1257246 https://bugzilla.suse.com/1257552 SUSE Bug 1257552 https://bugzilla.suse.com/1257554 SUSE Bug 1257554 https://bugzilla.suse.com/1257557 SUSE Bug 1257557 https://bugzilla.suse.com/1257559 SUSE Bug 1257559 https://bugzilla.suse.com/1257560 SUSE Bug 1257560 https://bugzilla.suse.com/1257562 SUSE Bug 1257562 https://bugzilla.suse.com/1257570 SUSE Bug 1257570 https://bugzilla.suse.com/1257573 SUSE Bug 1257573 https://bugzilla.suse.com/1257576 SUSE Bug 1257576 https://bugzilla.suse.com/1257579 SUSE Bug 1257579 https://bugzilla.suse.com/1257580 SUSE Bug 1257580 https://bugzilla.suse.com/1257586 SUSE Bug 1257586 https://bugzilla.suse.com/1257635 SUSE Bug 1257635 https://bugzilla.suse.com/1257679 SUSE Bug 1257679 https://bugzilla.suse.com/1257687 SUSE Bug 1257687 https://bugzilla.suse.com/1257704 SUSE Bug 1257704 https://bugzilla.suse.com/1257706 SUSE Bug 1257706 https://bugzilla.suse.com/1257707 SUSE Bug 1257707 https://bugzilla.suse.com/1257714 SUSE Bug 1257714 https://bugzilla.suse.com/1257715 SUSE Bug 1257715 https://bugzilla.suse.com/1257716 SUSE Bug 1257716 https://bugzilla.suse.com/1257718 SUSE Bug 1257718 https://bugzilla.suse.com/1257722 SUSE Bug 1257722 https://bugzilla.suse.com/1257723 SUSE Bug 1257723 https://bugzilla.suse.com/1257729 SUSE Bug 1257729 https://bugzilla.suse.com/1257735 SUSE Bug 1257735 https://bugzilla.suse.com/1257739 SUSE Bug 1257739 https://bugzilla.suse.com/1257740 SUSE Bug 1257740 https://bugzilla.suse.com/1257741 SUSE Bug 1257741 https://bugzilla.suse.com/1257743 SUSE Bug 1257743 https://bugzilla.suse.com/1257745 SUSE Bug 1257745 https://bugzilla.suse.com/1257749 SUSE Bug 1257749 https://bugzilla.suse.com/1257750 SUSE Bug 1257750 https://bugzilla.suse.com/1257757 SUSE Bug 1257757 https://bugzilla.suse.com/1257758 SUSE Bug 1257758 https://bugzilla.suse.com/1257759 SUSE Bug 1257759 https://bugzilla.suse.com/1257761 SUSE Bug 1257761 https://bugzilla.suse.com/1257762 SUSE Bug 1257762 https://bugzilla.suse.com/1257763 SUSE Bug 1257763 https://bugzilla.suse.com/1257765 SUSE Bug 1257765 https://bugzilla.suse.com/1257768 SUSE Bug 1257768 https://bugzilla.suse.com/1257770 SUSE Bug 1257770 https://bugzilla.suse.com/1257772 SUSE Bug 1257772 https://bugzilla.suse.com/1257775 SUSE Bug 1257775 https://bugzilla.suse.com/1257776 SUSE Bug 1257776 https://bugzilla.suse.com/1257788 SUSE Bug 1257788 https://bugzilla.suse.com/1257789 SUSE Bug 1257789 https://bugzilla.suse.com/1257790 SUSE Bug 1257790 https://bugzilla.suse.com/1257805 SUSE Bug 1257805 https://bugzilla.suse.com/1257808 SUSE Bug 1257808 https://bugzilla.suse.com/1257809 SUSE Bug 1257809 https://bugzilla.suse.com/1257811 SUSE Bug 1257811 https://bugzilla.suse.com/1257813 SUSE Bug 1257813 https://bugzilla.suse.com/1257816 SUSE Bug 1257816 https://bugzilla.suse.com/1257830 SUSE Bug 1257830 https://bugzilla.suse.com/1257891 SUSE Bug 1257891 https://bugzilla.suse.com/1257942 SUSE Bug 1257942 https://bugzilla.suse.com/1257952 SUSE Bug 1257952 https://bugzilla.suse.com/1258153 SUSE Bug 1258153 https://bugzilla.suse.com/1258181 SUSE Bug 1258181 https://bugzilla.suse.com/1258184 SUSE Bug 1258184 https://bugzilla.suse.com/1258222 SUSE Bug 1258222 https://bugzilla.suse.com/1258234 SUSE Bug 1258234 https://bugzilla.suse.com/1258237 SUSE Bug 1258237 https://bugzilla.suse.com/1258245 SUSE Bug 1258245 https://bugzilla.suse.com/1258249 SUSE Bug 1258249 https://bugzilla.suse.com/1258252 SUSE Bug 1258252 https://bugzilla.suse.com/1258256 SUSE Bug 1258256 https://bugzilla.suse.com/1258259 SUSE Bug 1258259 https://bugzilla.suse.com/1258272 SUSE Bug 1258272 https://bugzilla.suse.com/1258273 SUSE Bug 1258273 https://bugzilla.suse.com/1258277 SUSE Bug 1258277 https://bugzilla.suse.com/1258278 SUSE Bug 1258278 https://bugzilla.suse.com/1258279 SUSE Bug 1258279 https://bugzilla.suse.com/1258299 SUSE Bug 1258299 https://bugzilla.suse.com/1258304 SUSE Bug 1258304 https://bugzilla.suse.com/1258309 SUSE Bug 1258309 https://bugzilla.suse.com/1258313 SUSE Bug 1258313 https://bugzilla.suse.com/1258317 SUSE Bug 1258317 https://bugzilla.suse.com/1258321 SUSE Bug 1258321 https://bugzilla.suse.com/1258326 SUSE Bug 1258326 https://bugzilla.suse.com/1258338 SUSE Bug 1258338 https://bugzilla.suse.com/1258349 SUSE Bug 1258349 https://bugzilla.suse.com/1258354 SUSE Bug 1258354 https://bugzilla.suse.com/1258358 SUSE Bug 1258358 https://bugzilla.suse.com/1258374 SUSE Bug 1258374 https://bugzilla.suse.com/1258377 SUSE Bug 1258377 https://bugzilla.suse.com/1258379 SUSE Bug 1258379 https://bugzilla.suse.com/1258394 SUSE Bug 1258394 https://bugzilla.suse.com/1258395 SUSE Bug 1258395 https://bugzilla.suse.com/1258397 SUSE Bug 1258397 https://bugzilla.suse.com/1258411 SUSE Bug 1258411 https://bugzilla.suse.com/1258415 SUSE Bug 1258415 https://bugzilla.suse.com/1258419 SUSE Bug 1258419 https://bugzilla.suse.com/1258422 SUSE Bug 1258422 https://bugzilla.suse.com/1258424 SUSE Bug 1258424 https://bugzilla.suse.com/1258429 SUSE Bug 1258429 https://bugzilla.suse.com/1258442 SUSE Bug 1258442 https://bugzilla.suse.com/1258464 SUSE Bug 1258464 https://bugzilla.suse.com/1258465 SUSE Bug 1258465 https://bugzilla.suse.com/1258468 SUSE Bug 1258468 https://bugzilla.suse.com/1258469 SUSE Bug 1258469 https://bugzilla.suse.com/1258484 SUSE Bug 1258484 https://bugzilla.suse.com/1258518 SUSE Bug 1258518 https://bugzilla.suse.com/1258519 SUSE Bug 1258519 https://bugzilla.suse.com/1258520 SUSE Bug 1258520 https://bugzilla.suse.com/1258524 SUSE Bug 1258524 https://bugzilla.suse.com/1258544 SUSE Bug 1258544 https://bugzilla.suse.com/1258660 SUSE Bug 1258660 https://bugzilla.suse.com/1258824 SUSE Bug 1258824 https://bugzilla.suse.com/1258928 SUSE Bug 1258928 https://bugzilla.suse.com/1259070 SUSE Bug 1259070 https://www.suse.com/security/cve/CVE-2023-53817/ SUSE CVE CVE-2023-53817 page https://www.suse.com/security/cve/CVE-2025-37861/ SUSE CVE CVE-2025-37861 page https://www.suse.com/security/cve/CVE-2025-39748/ SUSE CVE CVE-2025-39748 page https://www.suse.com/security/cve/CVE-2025-39964/ SUSE CVE CVE-2025-39964 page https://www.suse.com/security/cve/CVE-2025-40099/ SUSE CVE CVE-2025-40099 page https://www.suse.com/security/cve/CVE-2025-40103/ SUSE CVE CVE-2025-40103 page https://www.suse.com/security/cve/CVE-2025-68283/ SUSE CVE CVE-2025-68283 page https://www.suse.com/security/cve/CVE-2025-68295/ SUSE CVE CVE-2025-68295 page https://www.suse.com/security/cve/CVE-2025-68374/ SUSE CVE CVE-2025-68374 page https://www.suse.com/security/cve/CVE-2025-68736/ SUSE CVE CVE-2025-68736 page https://www.suse.com/security/cve/CVE-2025-68778/ SUSE CVE CVE-2025-68778 page https://www.suse.com/security/cve/CVE-2025-68785/ SUSE CVE CVE-2025-68785 page https://www.suse.com/security/cve/CVE-2025-68810/ SUSE CVE CVE-2025-68810 page https://www.suse.com/security/cve/CVE-2025-71071/ SUSE CVE CVE-2025-71071 page https://www.suse.com/security/cve/CVE-2025-71104/ SUSE CVE CVE-2025-71104 page https://www.suse.com/security/cve/CVE-2025-71113/ SUSE CVE CVE-2025-71113 page https://www.suse.com/security/cve/CVE-2025-71126/ SUSE CVE CVE-2025-71126 page https://www.suse.com/security/cve/CVE-2025-71148/ SUSE CVE CVE-2025-71148 page https://www.suse.com/security/cve/CVE-2025-71182/ SUSE CVE CVE-2025-71182 page https://www.suse.com/security/cve/CVE-2025-71184/ SUSE CVE CVE-2025-71184 page https://www.suse.com/security/cve/CVE-2025-71185/ SUSE CVE CVE-2025-71185 page https://www.suse.com/security/cve/CVE-2025-71188/ SUSE CVE CVE-2025-71188 page https://www.suse.com/security/cve/CVE-2025-71189/ SUSE CVE CVE-2025-71189 page https://www.suse.com/security/cve/CVE-2025-71190/ SUSE CVE CVE-2025-71190 page https://www.suse.com/security/cve/CVE-2025-71191/ SUSE CVE CVE-2025-71191 page https://www.suse.com/security/cve/CVE-2025-71192/ SUSE CVE CVE-2025-71192 page https://www.suse.com/security/cve/CVE-2025-71194/ SUSE CVE CVE-2025-71194 page https://www.suse.com/security/cve/CVE-2025-71195/ SUSE CVE CVE-2025-71195 page https://www.suse.com/security/cve/CVE-2025-71196/ SUSE CVE CVE-2025-71196 page https://www.suse.com/security/cve/CVE-2025-71197/ SUSE CVE CVE-2025-71197 page https://www.suse.com/security/cve/CVE-2025-71198/ SUSE CVE CVE-2025-71198 page https://www.suse.com/security/cve/CVE-2025-71199/ SUSE CVE CVE-2025-71199 page https://www.suse.com/security/cve/CVE-2025-71200/ SUSE CVE CVE-2025-71200 page https://www.suse.com/security/cve/CVE-2025-71222/ SUSE CVE CVE-2025-71222 page https://www.suse.com/security/cve/CVE-2025-71224/ SUSE CVE CVE-2025-71224 page https://www.suse.com/security/cve/CVE-2025-71225/ SUSE CVE CVE-2025-71225 page https://www.suse.com/security/cve/CVE-2025-71229/ SUSE CVE CVE-2025-71229 page https://www.suse.com/security/cve/CVE-2025-71231/ SUSE CVE CVE-2025-71231 page https://www.suse.com/security/cve/CVE-2025-71232/ SUSE CVE CVE-2025-71232 page https://www.suse.com/security/cve/CVE-2025-71234/ SUSE CVE CVE-2025-71234 page https://www.suse.com/security/cve/CVE-2025-71235/ SUSE CVE CVE-2025-71235 page https://www.suse.com/security/cve/CVE-2025-71236/ SUSE CVE CVE-2025-71236 page https://www.suse.com/security/cve/CVE-2026-22979/ SUSE CVE CVE-2026-22979 page https://www.suse.com/security/cve/CVE-2026-22982/ SUSE CVE CVE-2026-22982 page https://www.suse.com/security/cve/CVE-2026-22998/ SUSE CVE CVE-2026-22998 page https://www.suse.com/security/cve/CVE-2026-23003/ SUSE CVE CVE-2026-23003 page https://www.suse.com/security/cve/CVE-2026-23004/ SUSE CVE CVE-2026-23004 page https://www.suse.com/security/cve/CVE-2026-23017/ SUSE CVE CVE-2026-23017 page https://www.suse.com/security/cve/CVE-2026-23021/ SUSE CVE CVE-2026-23021 page https://www.suse.com/security/cve/CVE-2026-23026/ SUSE CVE CVE-2026-23026 page https://www.suse.com/security/cve/CVE-2026-23033/ SUSE CVE CVE-2026-23033 page https://www.suse.com/security/cve/CVE-2026-23035/ SUSE CVE CVE-2026-23035 page https://www.suse.com/security/cve/CVE-2026-23037/ SUSE CVE CVE-2026-23037 page https://www.suse.com/security/cve/CVE-2026-23049/ SUSE CVE CVE-2026-23049 page https://www.suse.com/security/cve/CVE-2026-23053/ SUSE CVE CVE-2026-23053 page https://www.suse.com/security/cve/CVE-2026-23056/ SUSE CVE CVE-2026-23056 page https://www.suse.com/security/cve/CVE-2026-23057/ SUSE CVE CVE-2026-23057 page https://www.suse.com/security/cve/CVE-2026-23058/ SUSE CVE CVE-2026-23058 page https://www.suse.com/security/cve/CVE-2026-23060/ SUSE CVE CVE-2026-23060 page https://www.suse.com/security/cve/CVE-2026-23061/ SUSE CVE CVE-2026-23061 page https://www.suse.com/security/cve/CVE-2026-23063/ SUSE CVE CVE-2026-23063 page https://www.suse.com/security/cve/CVE-2026-23064/ SUSE CVE CVE-2026-23064 page https://www.suse.com/security/cve/CVE-2026-23068/ SUSE CVE CVE-2026-23068 page https://www.suse.com/security/cve/CVE-2026-23071/ SUSE CVE CVE-2026-23071 page https://www.suse.com/security/cve/CVE-2026-23073/ SUSE CVE CVE-2026-23073 page https://www.suse.com/security/cve/CVE-2026-23074/ SUSE CVE CVE-2026-23074 page https://www.suse.com/security/cve/CVE-2026-23076/ SUSE CVE CVE-2026-23076 page https://www.suse.com/security/cve/CVE-2026-23078/ SUSE CVE CVE-2026-23078 page https://www.suse.com/security/cve/CVE-2026-23080/ SUSE CVE CVE-2026-23080 page https://www.suse.com/security/cve/CVE-2026-23082/ SUSE CVE CVE-2026-23082 page https://www.suse.com/security/cve/CVE-2026-23083/ SUSE CVE CVE-2026-23083 page https://www.suse.com/security/cve/CVE-2026-23084/ SUSE CVE CVE-2026-23084 page https://www.suse.com/security/cve/CVE-2026-23085/ SUSE CVE CVE-2026-23085 page https://www.suse.com/security/cve/CVE-2026-23086/ SUSE CVE CVE-2026-23086 page https://www.suse.com/security/cve/CVE-2026-23089/ SUSE CVE CVE-2026-23089 page https://www.suse.com/security/cve/CVE-2026-23090/ SUSE CVE CVE-2026-23090 page https://www.suse.com/security/cve/CVE-2026-23091/ SUSE CVE CVE-2026-23091 page https://www.suse.com/security/cve/CVE-2026-23094/ SUSE CVE CVE-2026-23094 page https://www.suse.com/security/cve/CVE-2026-23095/ SUSE CVE CVE-2026-23095 page https://www.suse.com/security/cve/CVE-2026-23096/ SUSE CVE CVE-2026-23096 page https://www.suse.com/security/cve/CVE-2026-23099/ SUSE CVE CVE-2026-23099 page https://www.suse.com/security/cve/CVE-2026-23101/ SUSE CVE CVE-2026-23101 page https://www.suse.com/security/cve/CVE-2026-23102/ SUSE CVE CVE-2026-23102 page https://www.suse.com/security/cve/CVE-2026-23104/ SUSE CVE CVE-2026-23104 page https://www.suse.com/security/cve/CVE-2026-23105/ SUSE CVE CVE-2026-23105 page https://www.suse.com/security/cve/CVE-2026-23107/ SUSE CVE CVE-2026-23107 page https://www.suse.com/security/cve/CVE-2026-23108/ SUSE CVE CVE-2026-23108 page https://www.suse.com/security/cve/CVE-2026-23110/ SUSE CVE CVE-2026-23110 page https://www.suse.com/security/cve/CVE-2026-23111/ SUSE CVE CVE-2026-23111 page https://www.suse.com/security/cve/CVE-2026-23112/ SUSE CVE CVE-2026-23112 page https://www.suse.com/security/cve/CVE-2026-23113/ SUSE CVE CVE-2026-23113 page https://www.suse.com/security/cve/CVE-2026-23116/ SUSE CVE CVE-2026-23116 page https://www.suse.com/security/cve/CVE-2026-23119/ SUSE CVE CVE-2026-23119 page https://www.suse.com/security/cve/CVE-2026-23121/ SUSE CVE CVE-2026-23121 page https://www.suse.com/security/cve/CVE-2026-23129/ SUSE CVE CVE-2026-23129 page https://www.suse.com/security/cve/CVE-2026-23133/ SUSE CVE CVE-2026-23133 page https://www.suse.com/security/cve/CVE-2026-23135/ SUSE CVE CVE-2026-23135 page https://www.suse.com/security/cve/CVE-2026-23139/ SUSE CVE CVE-2026-23139 page https://www.suse.com/security/cve/CVE-2026-23141/ SUSE CVE CVE-2026-23141 page https://www.suse.com/security/cve/CVE-2026-23145/ SUSE CVE CVE-2026-23145 page https://www.suse.com/security/cve/CVE-2026-23146/ SUSE CVE CVE-2026-23146 page https://www.suse.com/security/cve/CVE-2026-23150/ SUSE CVE CVE-2026-23150 page https://www.suse.com/security/cve/CVE-2026-23151/ SUSE CVE CVE-2026-23151 page https://www.suse.com/security/cve/CVE-2026-23152/ SUSE CVE CVE-2026-23152 page https://www.suse.com/security/cve/CVE-2026-23155/ SUSE CVE CVE-2026-23155 page https://www.suse.com/security/cve/CVE-2026-23156/ SUSE CVE CVE-2026-23156 page https://www.suse.com/security/cve/CVE-2026-23163/ SUSE CVE CVE-2026-23163 page https://www.suse.com/security/cve/CVE-2026-23166/ SUSE CVE CVE-2026-23166 page https://www.suse.com/security/cve/CVE-2026-23167/ SUSE CVE CVE-2026-23167 page https://www.suse.com/security/cve/CVE-2026-23170/ SUSE CVE CVE-2026-23170 page https://www.suse.com/security/cve/CVE-2026-23171/ SUSE CVE CVE-2026-23171 page https://www.suse.com/security/cve/CVE-2026-23172/ SUSE CVE CVE-2026-23172 page https://www.suse.com/security/cve/CVE-2026-23173/ SUSE CVE CVE-2026-23173 page https://www.suse.com/security/cve/CVE-2026-23176/ SUSE CVE CVE-2026-23176 page https://www.suse.com/security/cve/CVE-2026-23178/ SUSE CVE CVE-2026-23178 page https://www.suse.com/security/cve/CVE-2026-23179/ SUSE CVE CVE-2026-23179 page https://www.suse.com/security/cve/CVE-2026-23182/ SUSE CVE CVE-2026-23182 page https://www.suse.com/security/cve/CVE-2026-23190/ SUSE CVE CVE-2026-23190 page https://www.suse.com/security/cve/CVE-2026-23191/ SUSE CVE CVE-2026-23191 page https://www.suse.com/security/cve/CVE-2026-23198/ SUSE CVE CVE-2026-23198 page https://www.suse.com/security/cve/CVE-2026-23202/ SUSE CVE CVE-2026-23202 page https://www.suse.com/security/cve/CVE-2026-23207/ SUSE CVE CVE-2026-23207 page https://www.suse.com/security/cve/CVE-2026-23208/ SUSE CVE CVE-2026-23208 page https://www.suse.com/security/cve/CVE-2026-23209/ SUSE CVE CVE-2026-23209 page https://www.suse.com/security/cve/CVE-2026-23213/ SUSE CVE CVE-2026-23213 page https://www.suse.com/security/cve/CVE-2026-23214/ SUSE CVE CVE-2026-23214 page https://www.suse.com/security/cve/CVE-2026-23221/ SUSE CVE CVE-2026-23221 page https://www.suse.com/security/cve/CVE-2026-23222/ SUSE CVE CVE-2026-23222 page https://www.suse.com/security/cve/CVE-2026-23229/ SUSE CVE CVE-2026-23229 page SUSE Linux Micro 6.1 kernel-default-6.4.0-40.1 kernel-default-base-6.4.0-40.1.21.17 kernel-default-devel-6.4.0-40.1 kernel-default-livepatch-6.4.0-40.1 kernel-devel-6.4.0-40.1 kernel-kvmsmall-6.4.0-40.1 kernel-macros-6.4.0-40.1 kernel-source-6.4.0-40.1 kernel-default-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-default-base-6.4.0-40.1.21.17 as a component of SUSE Linux Micro 6.1 kernel-default-devel-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-default-livepatch-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-devel-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-kvmsmall-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-macros-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 kernel-source-6.4.0-40.1 as a component of SUSE Linux Micro 6.1 In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman group and passing a correctly sized, but zeroed Diffie Hellamn value. mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui() CVE-2023-53817 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2023-53817.html CVE-2023-53817 https://bugzilla.suse.com/1254992 SUSE Bug 1254992 In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID (0xFFFF), set by the reset thread, which points to unallocated memory, causing a crash. Add flag 'io_admin_reset_sync' to synchronize access between the reset, I/O, and admin threads. Before a reset, the reset handler sets this flag to block I/O and admin processing threads. If any thread bypasses the initial check, the reset thread waits up to 10 seconds for processing to finish. If the wait exceeds 10 seconds, the controller is marked as unrecoverable. CVE-2025-37861 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-37861.html CVE-2025-37861 https://bugzilla.suse.com/1243055 SUSE Bug 1243055 In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit> The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach. CVE-2025-39748 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-39748.html CVE-2025-39748 https://bugzilla.suse.com/1249587 SUSE Bug 1249587 In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. CVE-2025-39964 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-39964.html CVE-2025-39964 https://bugzilla.suse.com/1251966 SUSE Bug 1251966 In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Return -EINVAL error on such replies to prevent oob-s. CVE-2025-40099 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-40099.html CVE-2025-40099 https://bugzilla.suse.com/1252911 SUSE Bug 1252911 In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix refcount leak for cifs_sb_tlink Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks. CVE-2025-40103 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-40103.html CVE-2025-40103 https://bugzilla.suse.com/1252924 SUSE Bug 1252924 In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] CVE-2025-68283 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68283.html CVE-2025-68283 https://bugzilla.suse.com/1255379 SUSE Bug 1255379 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs] cifs_get_fattr+0xe1/0xf50 [cifs] cifs_get_inode_info+0xb5/0x240 [cifs] cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] cifs_getattr+0x28e/0x450 [cifs] vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-68295 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68295.html CVE-2025-68295 https://bugzilla.suse.com/1255129 SUSE Bug 1255129 In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free. CVE-2025-68374 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68374.html CVE-2025-68374 https://bugzilla.suse.com/1255530 SUSE Bug 1255530 In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files. CVE-2025-68736 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68736.html CVE-2025-68736 https://bugzilla.suse.com/1255698 SUSE Bug 1255698 In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to included the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree check will detect that we have a directory a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated--- CVE-2025-68778 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68778.html CVE-2025-68778 https://bugzilla.suse.com/1256683 SUSE Bug 1256683 In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to larger netlink buffer, but cause trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let's add some checks that the attribute is properly sized and it's the only one attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already, it just creates extra nesting, but that's how uAPI works today. So, keeping as it is. CVE-2025-68785 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68785.html CVE-2025-68785 https://bugzilla.suse.com/1256640 SUSE Bug 1256640 In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 </TASK> Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-68810 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-68810.html CVE-2025-68810 https://bugzilla.suse.com/1256679 SUSE Bug 1256679 In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. CVE-2025-71071 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71071.html CVE-2025-71071 https://bugzilla.suse.com/1256802 SUSE Bug 1256802 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated--- CVE-2025-71104 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71104.html CVE-2025-71104 https://bugzilla.suse.com/1256708 SUSE Bug 1256708 In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. CVE-2025-71113 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71113.html CVE-2025-71113 https://bugzilla.suse.com/1256716 SUSE Bug 1256716 In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback. Address the issue explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. CVE-2025-71126 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71126.html CVE-2025-71126 https://bugzilla.suse.com/1256755 SUSE Bug 1256755 In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. CVE-2025-71148 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71148.html CVE-2025-71148 https://bugzilla.suse.com/1257159 SUSE Bug 1257159 In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed. Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window. CVE-2025-71182 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71182.html CVE-2025-71182 https://bugzilla.suse.com/1257586 SUSE Bug 1257586 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting the rootid to 0 at least gives us the possibility to trace this call even in the case when the root is NULL, so that's the solution taken here. CVE-2025-71184 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71184.html CVE-2025-71184 https://bugzilla.suse.com/1257635 SUSE Bug 1257635 In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. CVE-2025-71185 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71185.html CVE-2025-71185 https://bugzilla.suse.com/1257560 SUSE Bug 1257560 In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. CVE-2025-71188 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71188.html CVE-2025-71188 https://bugzilla.suse.com/1257576 SUSE Bug 1257576 In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. CVE-2025-71189 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71189.html CVE-2025-71189 https://bugzilla.suse.com/1257573 SUSE Bug 1257573 In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. CVE-2025-71190 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71190.html CVE-2025-71190 https://bugzilla.suse.com/1257580 SUSE Bug 1257580 In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed the leak in a couple of error paths but the reference is still leaking on successful allocation. CVE-2025-71191 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71191.html CVE-2025-71191 https://bugzilla.suse.com/1257579 SUSE Bug 1257579 In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in snd_ac97_controller_register() If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup. Found by code review. CVE-2025-71192 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71192.html CVE-2025-71192 https://bugzilla.suse.com/1257679 SUSE Bug 1257679 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. CVE-2025-71194 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71194.html CVE-2025-71194 https://bugzilla.suse.com/1257687 SUSE Bug 1257687 In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap max_register The max_register field is assigned the size of the register memory region instead of the offset of the last register. The result is that reading from the regmap via debugfs can cause a segmentation fault: tail /sys/kernel/debug/regmap/xdma.1.auto/registers Unable to handle kernel paging request at virtual address ffff800082f70000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault [...] Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- note: tail[1217] exited with irqs disabled note: tail[1217] exited with preempt_count 1 Segmentation fault CVE-2025-71195 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71195.html CVE-2025-71195 https://bugzilla.suse.com/1257704 SUSE Bug 1257704 In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely to be wrong, however it's obviously still worth fixing the bug. Change the > to >=. CVE-2025-71196 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71196.html CVE-2025-71196 https://bugzilla.suse.com/1257716 SUSE Bug 1257716 In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. CVE-2025-71197 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71197.html CVE-2025-71197 https://bugzilla.suse.com/1257743 SUSE Bug 1257743 In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability. CVE-2025-71198 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71198.html CVE-2025-71198 https://bugzilla.suse.com/1257741 SUSE Bug 1257741 In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. CVE-2025-71199 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71199.html CVE-2025-71199 https://bugzilla.suse.com/1257750 SUSE Bug 1257750 In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes. Add a check to prevent illegal clock reduction through debugfs: root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock root@debian:/# [ 30.090146] mmc0: running CQE recovery mmc0: cqhci: Failed to halt mmc0: cqhci: spurious TCN for tag 0 WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24 Modules linked in: CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) Workqueue: kblockd blk_mq_run_work_fn pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : cqhci_irq+0x254/0x818 lr : cqhci_irq+0x254/0x818 ... CVE-2025-71200 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71200.html CVE-2025-71200 https://bugzilla.suse.com/1258222 SUSE Bug 1258222 In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes). CVE-2025-71222 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71222.html CVE-2025-71222 https://bugzilla.suse.com/1258279 SUSE Bug 1258279 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB. RX may run before JOIN_OCB is executed, in which case the OCB interface is not operational. Skip RX peer handling when the interface is not joined to avoid warnings in the RX path. CVE-2025-71224 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71224.html CVE-2025-71224 https://bugzilla.suse.com/1258824 SUSE Bug 1258824 In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed. However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued to either retry_list or bio_end_io_list. As a result, freeze_array() may unblock before these r1bios are released. This can lead to a situation where conf->raid_disks and the mempool have already been updated while queued r1bios, allocated with the old raid_disks value, are later released. Consequently, free_r1bio() may access memory out of bounds in put_all_bios() and release r1bios of the wrong size to the new mempool, potentially causing issues with the mempool as well. Since only normal I/O might increase nr_queued while an I/O error occurs, suspending the array avoids this issue. Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends the array. Therefore, we suspend the array when updating raid_disks via sysfs to avoid this issue too. CVE-2025-71225 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71225.html CVE-2025-71225 https://bugzilla.suse.com/1258411 SUSE Bug 1258411 In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems. Do 1 byte reads/writes instead. Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info: ESR = 0x0000000096000021 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x21: alignment fault Data abort info: ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1] SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G W 6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace: rtw_pci_read32+0x18/0x40 [rtw88_pci] (P) rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core] rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core] rtw_c2h_work+0x50/0x98 [rtw88_core] process_one_work+0x178/0x3f8 worker_thread+0x208/0x418 kthread+0x120/0x220 ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- CVE-2025-71229 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71229.html CVE-2025-71229 https://bugzilla.suse.com/1258415 SUSE Bug 1258415 In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned. If no empty compression mode can be found, the function would return the out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid array access in add_iaa_compression_mode(). Fix both issues by returning either a valid index or -EINVAL. CVE-2025-71231 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71231.html CVE-2025-71231 https://bugzilla.suse.com/1258424 SUSE Bug 1258424 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] ----------------------------------------------------------------------------- [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516] <TASK> [61110.467519] dump_stack_lvl+0x34/0x48 [61110.467526] slab_err.cold+0x53/0x67 [61110.467534] __kmem_cache_shutdown+0x16e/0x320 [61110.467540] kmem_cache_destroy+0x51/0x160 [61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616] ? do_syscall_64+0x5c/0x90 [61110.467619] ? exc_page_fault+0x62/0x150 [61110.467622] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626] </TASK> [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738] <TASK> [61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280 Free sp in the error path to fix the crash. CVE-2025-71232 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71232.html CVE-2025-71232 https://bugzilla.suse.com/1258422 SUSE Bug 1258422 In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write. KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter: BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346 Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12 Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data. Tested on StarFive VisionFive 2 v1.2A board. CVE-2025-71234 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71234.html CVE-2025-71234 https://bugzilla.suse.com/1258419 SUSE Bug 1258419 https://bugzilla.suse.com/1258420 SUSE Bug 1258420 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931] <IRQ> [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999] ? __wake_up_common+0x80/0x190 [105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040] ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044] ? handle_irq_event+0x58/0xb0 [105954.385046] ? handle_edge_irq+0x93/0x240 [105954.385050] ? __common_interrupt+0x41/0xa0 [105954.385055] ? common_interrupt+0x3e/0xa0 [105954.385060] ? asm_common_interrupt+0x22/0x40 The root cause of this was that there was a free (dma_free_attrs) in the interrupt context. There was a device discovery/fabric scan in progress. A module unload was issued which set the UNLOADING flag. As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued). Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed. The free occurred in interrupt context leading to system crash. Delay the driver unload until the fabric scan is complete to avoid the crash. CVE-2025-71235 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71235.html CVE-2025-71235 https://bugzilla.suse.com/1258469 SUSE Bug 1258469 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed - 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed - 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162] <TASK> [154565.553165] ? show_trace_log_lvl+0x1c4/0x2df [154565.553172] ? show_trace_log_lvl+0x1c4/0x2df [154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215] ? __die_body.cold+0x8/0xd [154565.553218] ? page_fault_oops+0x134/0x170 [154565.553223] ? snprintf+0x49/0x70 [154565.553229] ? exc_page_fault+0x62/0x150 [154565.553238] ? asm_exc_page_fault+0x22/0x30 Check for sp being non NULL before freeing any associated memory CVE-2025-71236 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2025-71236.html CVE-2025-71236 https://bugzilla.suse.com/1258442 SUSE Bug 1258442 In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). CVE-2026-22979 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-22979.html CVE-2026-22979 https://bugzilla.suse.com/1257228 SUSE Bug 1257228 In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. CVE-2026-22982 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-22982.html CVE-2026-22982 https://bugzilla.suse.com/1257179 SUSE Bug 1257179 In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT -> both pointers NULL 2. H2C_DATA PDU for READ command -> cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot -> both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated CVE-2026-22998 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-22998.html CVE-2026-22998 https://bugzilla.suse.com/1257209 SUSE Bug 1257209 In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 CVE-2026-23003 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23003.html CVE-2026-23003 https://bugzilla.suse.com/1257246 SUSE Bug 1257246 In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is neeed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2026-23004 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23004.html CVE-2026-23004 https://bugzilla.suse.com/1257231 SUSE Bug 1257231 https://bugzilla.suse.com/1258655 SUSE Bug 1258655 In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 ... [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] ... [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset. CVE-2026-23017 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23017.html CVE-2026-23017 https://bugzilla.suse.com/1257552 SUSE Bug 1257552 In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. CVE-2026-23021 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23021.html CVE-2026-23021 https://bugzilla.suse.com/1257557 SUSE Bug 1257557 In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. CVE-2026-23026 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23026.html CVE-2026-23026 https://bugzilla.suse.com/1257562 SUSE Bug 1257562 In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. CVE-2026-23033 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23033.html CVE-2026-23033 https://bugzilla.suse.com/1257570 SUSE Bug 1257570 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 CVE-2026-23035 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23035.html CVE-2026-23035 https://bugzilla.suse.com/1257559 SUSE Bug 1257559 In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). CVE-2026-23037 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23037.html CVE-2026-23037 https://bugzilla.suse.com/1257554 SUSE Bug 1257554 In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: " WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8 " The warning is triggered by a check for valid connector type in devm_drm_panel_bridge_add(). If there is no valid connector type set for a panel, the warning is printed and panel is not added. Fill in the missing connector type to fix the warning and make the panel operational once again. CVE-2026-23049 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23049.html CVE-2026-23049 https://bugzilla.suse.com/1257723 SUSE Bug 1257723 In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. CVE-2026-23053 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23053.html CVE-2026-23053 https://bugzilla.suse.com/1257718 SUSE Bug 1257718 In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). CVE-2026-23056 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23056.html CVE-2026-23056 https://bugzilla.suse.com/1257729 SUSE Bug 1257729 In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear. CVE-2026-23057 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23057.html CVE-2026-23057 https://bugzilla.suse.com/1257740 SUSE Bug 1257740 In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. CVE-2026-23058 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23058.html CVE-2026-23058 https://bugzilla.suse.com/1257739 SUSE Bug 1257739 In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. CVE-2026-23060 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23060.html CVE-2026-23060 https://bugzilla.suse.com/1257735 SUSE Bug 1257735 In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. CVE-2026-23061 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23061.html CVE-2026-23061 https://bugzilla.suse.com/1257776 SUSE Bug 1257776 In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. CVE-2026-23063 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23063.html CVE-2026-23063 https://bugzilla.suse.com/1257722 SUSE Bug 1257722 In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 CVE-2026-23064 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23064.html CVE-2026-23064 https://bugzilla.suse.com/1257765 SUSE Bug 1257765 In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call. CVE-2026-23068 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23068.html CVE-2026-23068 https://bugzilla.suse.com/1257805 SUSE Bug 1257805 In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable 'flags' to store the IRQ state temporarily. CVE-2026-23071 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23071.html CVE-2026-23071 https://bugzilla.suse.com/1257706 SUSE Bug 1257706 In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. CVE-2026-23073 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23073.html CVE-2026-23073 https://bugzilla.suse.com/1257707 SUSE Bug 1257707 In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s ── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF. CVE-2026-23074 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23074.html CVE-2026-23074 https://bugzilla.suse.com/1257749 SUSE Bug 1257749 In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is out of range for type 'unsigned char [8]' After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices. CVE-2026-23076 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23076.html CVE-2026-23076 https://bugzilla.suse.com/1257788 SUSE Bug 1257788 In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type. CVE-2026-23078 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23078.html CVE-2026-23078 https://bugzilla.suse.com/1257789 SUSE Bug 1257789 In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. CVE-2026-23080 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23080.html CVE-2026-23080 https://bugzilla.suse.com/1257714 SUSE Bug 1257714 In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during cleanup. However, this patch did not take into account that usb_submit_urb() could fail. The URB remains anchored and usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops infinitely since the anchor list never becomes empty. To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, also print an info message. CVE-2026-23082 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23082.html CVE-2026-23082 https://bugzilla.suse.com/1257715 SUSE Bug 1257715 In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO. CVE-2026-23083 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23083.html CVE-2026-23083 https://bugzilla.suse.com/1257745 SUSE Bug 1257745 In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function. CVE-2026-23084 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23084.html CVE-2026-23084 https://bugzilla.suse.com/1257830 SUSE Bug 1257830 In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. CVE-2026-23085 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23085.html CVE-2026-23085 https://bugzilla.suse.com/1257758 SUSE Bug 1257758 In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message] CVE-2026-23086 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23086.html CVE-2026-23086 https://bugzilla.suse.com/1257757 SUSE Bug 1257757 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. CVE-2026-23089 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23089.html CVE-2026-23089 https://bugzilla.suse.com/1257790 SUSE Bug 1257790 In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. CVE-2026-23090 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23090.html CVE-2026-23090 https://bugzilla.suse.com/1257759 SUSE Bug 1257759 In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). CVE-2026-23091 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23091.html CVE-2026-23091 https://bugzilla.suse.com/1257813 SUSE Bug 1257813 In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, intercept the creation of sysfs if neither read nor write exists; create sysfs if either is supported, but intercept unsupported operations at the call site. CVE-2026-23094 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23094.html CVE-2026-23094 https://bugzilla.suse.com/1257811 SUSE Bug 1257811 In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2026-23095 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23095.html CVE-2026-23095 https://bugzilla.suse.com/1257808 SUSE Bug 1257808 In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. CVE-2026-23096 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23096.html CVE-2026-23096 https://bugzilla.suse.com/1257809 SUSE Bug 1257809 In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK> The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40 CVE-2026-23099 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23099.html CVE-2026-23099 https://bugzilla.suse.com/1257816 SUSE Bug 1257816 In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call. CVE-2026-23101 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23101.html CVE-2026-23101 https://bugzilla.suse.com/1257768 SUSE Bug 1257768 In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or may kill the task with a SIGKILL. (1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resuting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task's streaming SVE vector length, this may read memory outside of the task's allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn't match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time. (2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task's SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel's PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the the provided SVE register data will be loaded into the task's sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length. Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires ensuring that the task's sme_state has been allocated, but as this could contain live ZA state, it should not be zeroed. Fix (2) by clearing SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type earlier, immediately after the allocation of sve_state/sme_state, before the restore of the actual register state. This makes it easier to ensure that these are always modified consistently, even if a fault is taken while reading the register data from the signal context. I do not expect any software to depend on the exact state restored when a fault is taken while reading the context. CVE-2026-23102 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23102.html CVE-2026-23102 https://bugzilla.suse.com/1257772 SUSE Bug 1257772 In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init(). CVE-2026-23104 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23104.html CVE-2026-23104 https://bugzilla.suse.com/1257763 SUSE Bug 1257763 In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation. CVE-2026-23105 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23105.html CVE-2026-23105 https://bugzilla.suse.com/1257775 SUSE Bug 1257775 In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state: | # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 | Internal error: Oops: 0000000096000046 [#1] SMP | Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | ---[ end trace 0000000000000000 ]--- Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed. CVE-2026-23107 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23107.html CVE-2026-23107 https://bugzilla.suse.com/1257762 SUSE Bug 1257762 In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. CVE-2026-23108 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23108.html CVE-2026-23108 https://bugzilla.suse.com/1257770 SUSE Bug 1257770 In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition. CVE-2026-23110 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23110.html CVE-2026-23110 https://bugzilla.suse.com/1257761 SUSE Bug 1257761 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones. CVE-2026-23111 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23111.html CVE-2026-23111 https://bugzilla.suse.com/1258181 SUSE Bug 1258181 https://bugzilla.suse.com/1258183 SUSE Bug 1258183 In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec. CVE-2026-23112 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23112.html CVE-2026-23112 https://bugzilla.suse.com/1258184 SUSE Bug 1258184 In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an issue where io-wq takes seemingly forever to exit, and with a bit of debugging, this turns out to be because it queues a bunch of big (2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't support ->read_iter(), loop_rw_iter() ends up handling them. Each read returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of these pending, processing the whole chain can take a long time. Easily longer than the syzbot uninterruptible sleep timeout of 140 seconds. This then triggers a complaint off the io-wq exit path: INFO: task syz.4.135:6326 blocked for more than 143 seconds. Not tainted syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000 Call Trace: <TASK> context_switch kernel/sched/core.c:5256 [inline] __schedule+0x1139/0x6150 kernel/sched/core.c:6863 __schedule_loop kernel/sched/core.c:6945 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:6960 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:100 [inline] __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121 io_wq_exit_workers io_uring/io-wq.c:1328 [inline] io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356 io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203 io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651 io_uring_files_cancel include/linux/io_uring.h:19 [inline] do_exit+0x2ce/0x2bd0 kernel/exit.c:911 do_group_exit+0xd3/0x2a0 kernel/exit.c:1112 get_signal+0x2671/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa02738f749 RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098 RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98 There's really nothing wrong here, outside of processing these reads will take a LONG time. However, we can speed up the exit by checking the IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will exit the ring after queueing up all of these reads. Then once the first item is processed, io-wq will simply cancel the rest. That should avoid syzbot running into this complaint again. CVE-2026-23113 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23113.html CVE-2026-23113 https://bugzilla.suse.com/1258278 SUSE Bug 1258278 In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset and clock enable bits, but is ungated and reset together with the VPUs. So we can't reset G1 or G2 separately, it may led to the system hang. Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data. Let imx8mq_vpu_power_notifier() do really vpu reset. CVE-2026-23116 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23116.html CVE-2026-23116 https://bugzilla.suse.com/1258277 SUSE Bug 1258277 In the Linux kernel, the following vulnerability has been resolved: bonding: provide a net pointer to __skb_flow_dissect() After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") we have to provide a net pointer to __skb_flow_dissect(), either via skb->dev, skb->sk, or a user provided pointer. In the following case, syzbot was able to cook a bare skb. WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 Call Trace: <TASK> bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 bpf_prog_run_xdp include/net/xdp.h:700 [inline] bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 CVE-2026-23119 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23119.html CVE-2026-23119 https://bugzilla.suse.com/1258273 SUSE Bug 1258273 In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race around dev->work dev->work can re read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 do_loop_readv_writev fs/read_write.c:847 [inline] vfs_readv+0x3fb/0x690 fs/read_write.c:1020 do_readv+0xe7/0x210 fs/read_write.c:1080 __do_sys_readv fs/read_write.c:1165 [inline] __se_sys_readv fs/read_write.c:1162 [inline] __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00000000 -> 0x00000001 CVE-2026-23121 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23121.html CVE-2026-23121 https://bugzilla.suse.com/1258309 SUSE Bug 1258309 https://bugzilla.suse.com/1259135 SUSE Bug 1259135 In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registrations Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() to reject duplicate registration attempts. Previously, if a caller attempted to register the same pin multiple times (with the same ops, priv, and cookie) on the same device, the core silently increments the reference count and return success. This behavior is incorrect because if the caller makes these duplicate registrations then for the first one dpll_pin_registration is allocated and for others the associated dpll_pin_ref.refcount is incremented. During the first unregistration the associated dpll_pin_registration is freed and for others WARN is fired. Fix this by updating the logic to return `-EEXIST` if a matching registration is found to enforce a strict "register once" policy. CVE-2026-23129 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23129.html CVE-2026-23129 https://bugzilla.suse.com/1258299 SUSE Bug 1258299 In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses. CVE-2026-23133 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23133.html CVE-2026-23133 https://bugzilla.suse.com/1258249 SUSE Bug 1258249 In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses. CVE-2026-23135 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23135.html CVE-2026-23135 https://bugzilla.suse.com/1258245 SUSE Bug 1258245 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update last_gc only when GC has been performed Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list to grow infinitely. Update the last_gc value only when a GC has been actually performed. CVE-2026-23139 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23139.html CVE-2026-23139 https://bugzilla.suse.com/1258304 SUSE Bug 1258304 In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in range_is_hole_in_parent() Before accessing the disk_bytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data starts at the offset of the disk_bytenr field. So accessing the disk_bytenr means we are accessing inline data or in case the inline data is less than 8 bytes we can actually cause an invalid memory access if this inline extent item is the first item in the leaf or access metadata from other items. CVE-2026-23141 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23141.html CVE-2026-23141 https://bugzilla.suse.com/1258377 SUSE Bug 1258377 In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code. CVE-2026-23145 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23145.html CVE-2026-23145 https://bugzilla.suse.com/1258326 SUSE Bug 1258326 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled. CVE-2026-23146 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23146.html CVE-2026-23146 https://bugzilla.suse.com/1258234 SUSE Bug 1258234 In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup(). The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup(): CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() |- do { ' |- pdu = nfc_alloc_send_skb(..., &err) | . | |- nfc_llcp_socket_release(local, false, ENXIO); | |- skb_queue_purge(&local->tx_queue); | | ' | |- skb_queue_tail(&local->tx_queue, pdu); | ... | |- pdu = nfc_alloc_send_skb(..., &err) | ^._________________________________.' local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices. If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame(). Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). [0]: [ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f BUG: memory leak unreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated--- CVE-2026-23150 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23150.html CVE-2026-23150 https://bugzilla.suse.com/1258354 SUSE Bug 1258354 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in set_ssp_complete Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit. This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes. Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete(). CVE-2026-23151 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23151.html CVE-2026-23151 https://bugzilla.suse.com/1258237 SUSE Bug 1258237 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decode TTLM with default link map TID-To-Link Mapping (TTLM) elements do not contain any link mapping presence indicator if a default mapping is used and parsing needs to be skipped. Note that access points should not explicitly report an advertised TTLM with a default mapping as that is the implied mapping if the element is not included, this is even the case when switching back to the default mapping. However, mac80211 would incorrectly parse the frame and would also read one byte beyond the end of the element. CVE-2026-23152 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23152.html CVE-2026-23152 https://bugzilla.suse.com/1258252 SUSE Bug 1258252 In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error") a failing resubmit URB will print an info message. In the case of a short read where netdev has not yet been assigned, initialize as NULL to avoid dereferencing an undefined value. Also report the error value of the failed resubmit. CVE-2026-23155 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23155.html CVE-2026-23155 https://bugzilla.suse.com/1258313 SUSE Bug 1258313 https://bugzilla.suse.com/1258315 SUSE Bug 1258315 In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation in efivar_entry_get() efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors. This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path. Fix it by returning the error from __efivar_entry_get(). CVE-2026-23156 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23156.html CVE-2026-23156 https://bugzilla.suse.com/1258317 SUSE Bug 1258317 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set. However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry. When retry faults are enabled on APUs (noretry=0), this function is called from the SVM page fault recovery path, resulting in a NULL pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[]. The crash manifests as: BUG: kernel NULL pointer dereference, address: 0000000000000004 RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu] Call Trace: amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu] svm_range_restore_pages+0xae5/0x11c0 [amdgpu] amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu] gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu] amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu] amdgpu_ih_process+0x84/0x100 [amdgpu] This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1") which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and thus exercising the buggy code path. Fix this by adding a check for ih1.ring_size before attempting to use it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu: Rework retry fault removal"). This is needed if the hardware doesn't support secondary HW IH rings. v2: additional updates (Alex) (cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526) CVE-2026-23163 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23163.html CVE-2026-23163 https://bugzilla.suse.com/1258544 SUSE Bug 1258544 In the Linux kernel, the following vulnerability has been resolved: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes during resume from suspend when rings[q_idx]->q_vector is NULL. Tested adaptor: 60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02) Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003] SR-IOV state: both disabled and enabled can reproduce this issue. kernel version: v6.18 Reproduce steps: Boot up and execute suspend like systemctl suspend or rtcwake. Log: <1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040 <1>[ 231.444052] #PF: supervisor read access in kernel mode <1>[ 231.444484] #PF: error_code(0x0000) - not-present page <6>[ 231.444913] PGD 0 P4D 0 <4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI <4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170 <4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89 <4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202 <4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010 <4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000 <4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000 <4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 <4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000 <4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000 <4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0 <4>[ 231.451629] PKRU: 55555554 <4>[ 231.452076] Call Trace: <4>[ 231.452549] <TASK> <4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice] <4>[ 231.453482] ice_resume+0xfd/0x220 [ice] <4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10 <4>[ 231.454425] pci_pm_resume+0x8c/0x140 <4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10 <4>[ 231.455347] dpm_run_callback+0x5f/0x160 <4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170 <4>[ 231.456244] device_resume+0x177/0x270 <4>[ 231.456708] dpm_resume+0x209/0x2f0 <4>[ 231.457151] dpm_resume_end+0x15/0x30 <4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0 <4>[ 231.458054] enter_state+0x10e/0x570 Add defensive checks for both the ring pointer and its q_vector before dereferencing, allowing the system to resume successfully even when q_vectors are unmapped. CVE-2026-23166 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23166.html CVE-2026-23166 https://bugzilla.suse.com/1258272 SUSE Bug 1258272 In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device(). syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill. nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which (I think) was called from virtual_ncidev_close() when syzbot close()d an fd of virtual_ncidev. The problem is that nci_unregister_device() destroys nci_dev.cmd_wq first and then calls nfc_unregister_device(), which removes the device from rfkill by rfkill_unregister(). So, the device is still visible via rfkill even after nci_dev.cmd_wq is destroyed. Let's unregister the device from rfkill first in nci_unregister_device(). Note that we cannot call nfc_unregister_device() before nci_close_device() because 1) nfc_unregister_device() calls device_del() which frees all memory allocated by devm_kzalloc() and linked to ndev->conn_info_list 2) nci_rx_work() could try to queue nci_conn_info to ndev->conn_info_list which could be leaked Thus, nfc_unregister_device() is split into two functions so we can remove rfkill interfaces only before nci_close_device(). [0]: DEBUG_LOCKS_WARN_ON(1) WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 Modules linked in: CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline] RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline] RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 Call Trace: <TASK> lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868 touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940 __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982 nci_close_device+0x302/0x630 net/nfc/nci/core.c:567 nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639 nfc_dev_down+0x152/0x290 net/nfc/core.c:161 nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179 rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346 rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301 vfs_write+0x29a/0xb90 fs/read_write.c:684 ksys_write+0x150/0x270 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa59b39acb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 RBP: 00007fa59b408bf7 R08: ---truncated--- CVE-2026-23167 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23167.html CVE-2026-23167 https://bugzilla.suse.com/1258374 SUSE Bug 1258374 In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. CVE-2026-23170 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23170.html CVE-2026-23170 https://bugzilla.suse.com/1258379 SUSE Bug 1258379 In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave array update Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslave error cleanup path which frees the allocated slave memory. Slave update array is supposed to be called last when further enslave failures are not expected. Move it after xdp setup to avoid any problems. It is very easy to reproduce the problem with a simple xdp_pass prog: ip l add bond1 type bond mode balance-xor ip l set bond1 up ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass ip l add dumdum type dummy Then run in parallel: while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done; mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" The crash happens almost immediately: [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf] [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary) [ 605.602979] Tainted: [B]=BAD_PAGE [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210 [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89 [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213 [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000 [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000 [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84 [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000 [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0 [ 605.603373] Call Trace: [ 605.603392] <TASK> [ 605.603410] __dev_queue_xmit+0x448/0x32a0 [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10 [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10 [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603546] ? _printk+0xcb/0x100 [ 605.603566] ? __pfx__printk+0x10/0x10 [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603627] ? add_taint+0x5e/0x70 [ 605.603648] ? add_taint+0x2a/0x70 [ 605.603670] ? end_report.cold+0x51/0x75 [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding] [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding] CVE-2026-23171 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23171.html CVE-2026-23171 https://bugzilla.suse.com/1258349 SUSE Bug 1258349 In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior. This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet"). The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects. Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown. CVE-2026-23172 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23172.html CVE-2026-23172 https://bugzilla.suse.com/1258519 SUSE Bug 1258519 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, delete flows only for existing peers When deleting TC steering flows, iterate only over actual devcom peers instead of assuming all possible ports exist. This avoids touching non-existent peers and ensures cleanup is limited to devices the driver is currently connected to. BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 133c8a067 P4D 0 Oops: Oops: 0002 [#1] SMP CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core] Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49 RSP: 0018:ff11000143867528 EFLAGS: 00010246 RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000 RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0 RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002 R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78 R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0 FS: 00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0 Call Trace: <TASK> mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] mlx5e_flow_put+0x25/0x50 [mlx5_core] mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core] tc_setup_cb_reoffload+0x20/0x80 fl_reoffload+0x26f/0x2f0 [cls_flower] ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core] tcf_block_playback_offloads+0x9e/0x1c0 tcf_block_unbind+0x7b/0xd0 tcf_block_setup+0x186/0x1d0 tcf_block_offload_cmd.isra.0+0xef/0x130 tcf_block_offload_unbind+0x43/0x70 __tcf_block_put+0x85/0x160 ingress_destroy+0x32/0x110 [sch_ingress] __qdisc_destroy+0x44/0x100 qdisc_graft+0x22b/0x610 tc_get_qdisc+0x183/0x4d0 rtnetlink_rcv_msg+0x2d7/0x3d0 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x249/0x320 ? __alloc_skb+0x102/0x1f0 netlink_sendmsg+0x1e3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1ef/0x230 ? copy_msghdr_from_user+0x6c/0xa0 ___sys_sendmsg+0x7f/0xc0 ? ___sys_recvmsg+0x8a/0xc0 ? __sys_sendto+0x119/0x180 __sys_sendmsg+0x61/0xb0 do_syscall_64+0x55/0x640 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f35238bb764 Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55 RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764 RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003 RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20 R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790 R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780 CVE-2026-23173 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23173.html CVE-2026-23173 https://bugzilla.suse.com/1258520 SUSE Bug 1258520 In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remove() does not free the object pointed to by toshiba_haps before clearing that pointer, so it becomes unreachable allocated memory. Address these memory leaks by using devm_kzalloc() for allocating the memory in question. CVE-2026-23176 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23176.html CVE-2026-23176 https://bugzilla.suse.com/1258256 SUSE Bug 1258256 In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root. CVE-2026-23178 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23178.html CVE-2026-23178 https://bugzilla.suse.com/1258358 SUSE Bug 1258358 In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held. So we need to check if we are in TCP_LISTEN before attempting to get the sk_callback_lock() to avoid a deadlock. CVE-2026-23179 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23179.html CVE-2026-23179 https://bugzilla.suse.com/1258394 SUSE Bug 1258394 In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. CVE-2026-23182 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23182.html CVE-2026-23182 https://bugzilla.suse.com/1258259 SUSE Bug 1258259 In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops CVE-2026-23190 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23190.html CVE-2026-23190 https://bugzilla.suse.com/1258397 SUSE Bug 1258397 In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF. CVE-2026-23191 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23191.html CVE-2026-23191 https://bugzilla.suse.com/1258395 SUSE Bug 1258395 https://bugzilla.suse.com/1258396 SUSE Bug 1258396 In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below), clobbering the entry type without notifying arch code is surprising and error prone. As a bonus, checking that the irqfd is active provides a convenient location for documenting _why_ KVM must not consume the routing entry for an irqfd that is in the process of being deassigned: once the irqfd is deleted from the list (which happens *before* the eventfd is detached), it will no longer receive updates via kvm_irq_routing_update(), and so KVM could deliver an event using stale routing information (relative to KVM_SET_GSI_ROUTING returning to userspace). As an even better bonus, explicitly checking for the irqfd being active fixes a similar bug to the one the clobbering is trying to prevent: if an irqfd is deactivated, and then its routing is changed, kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing() (because the irqfd isn't in the list). And so if the irqfd is in bypass mode, IRQs will continue to be posted using the old routing information. As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type results in KVM incorrectly keeping the IRQ in bypass mode, which is especially problematic on AMD as KVM tracks IRQs that are being posted to a vCPU in a list whose lifetime is tied to the irqfd. Without the help of KASAN to detect use-after-free, the most common sympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to the memory for irqfd structure being re-allocated and zeroed, resulting in irqfd->irq_bypass_data being NULL when read by avic_update_iommu_vcpu_affinity(): BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:amd_iommu_update_ga+0x19/0xe0 Call Trace: <TASK> avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd] __avic_vcpu_load+0xf4/0x130 [kvm_amd] kvm_arch_vcpu_load+0x89/0x210 [kvm] vcpu_load+0x30/0x40 [kvm] kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm] kvm_vcpu_ioctl+0x571/0x6a0 [kvm] __se_sys_ioctl+0x6d/0xb0 do_syscall_64+0x6f/0x9d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x46893b </TASK> ---[ end trace 0000000000000000 ]--- If AVIC is inhibited when the irfd is deassigned, the bug will manifest as list corruption, e.g. on the next irqfd assignment. list_add corruption. next->prev should be prev (ffff8d474d5cd588), but was 0000000000000000. (next=ffff8d8658f86530). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:31! Oops: invalid opcode: 0000 [#1] SMP CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:__list_add_valid_or_report+0x97/0xc0 Call Trace: <TASK> avic_pi_update_irte+0x28e/0x2b0 [kvm_amd] kvm_pi_update_irte+0xbf/0x190 [kvm] kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm] irq_bypass_register_consumer+0xcd/0x170 [irqbypa ---truncated--- CVE-2026-23198 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23198.html CVE-2026-23198 https://bugzilla.suse.com/1258321 SUSE Bug 1258321 In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free. CVE-2026-23202 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23202.html CVE-2026-23202 https://bugzilla.suse.com/1258338 SUSE Bug 1258338 In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer. CVE-2026-23207 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23207.html CVE-2026-23207 https://bugzilla.suse.com/1258524 SUSE Bug 1258524 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333 CVE-2026-23208 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23208.html CVE-2026-23208 https://bugzilla.suse.com/1258468 SUSE Bug 1258468 In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: <quote valis> The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, &params, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). </quote valis> With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever "goto destroy_macvlan_port;" path is taken. Many thanks to valis for following up on this issue. CVE-2026-23209 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23209.html CVE-2026-23209 https://bugzilla.suse.com/1258518 SUSE Bug 1258518 https://bugzilla.suse.com/1258784 SUSE Bug 1258784 In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset During Mode 1 reset, the ASIC undergoes a reset cycle and becomes temporarily inaccessible via PCIe. Any attempt to access MMIO registers during this window (e.g., from interrupt handlers or other driver threads) can result in uncompleted PCIe transactions, leading to NMI panics or system hangs. To prevent this, set the `no_hw_access` flag to true immediately after triggering the reset. This signals other driver components to skip register accesses while the device is offline. A memory barrier `smp_mb()` is added to ensure the flag update is globally visible to all cores before the driver enters the sleep/wait state. (cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4) CVE-2026-23213 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23213.html CVE-2026-23213 https://bugzilla.suse.com/1258465 SUSE Bug 1258465 In the Linux kernel, the following vulnerability has been resolved: btrfs: reject new transactions if the fs is fully read-only [BUG] There is a bug report where a heavily fuzzed fs is mounted with all rescue mount options, which leads to the following warnings during unmount: BTRFS: Transaction aborted (error -22) Modules linked in: CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline] RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611 Call Trace: <TASK> btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705 btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157 btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517 btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708 btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130 btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499 btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628 evict+0x5f4/0xae0 fs/inode.c:837 __dentry_kill+0x209/0x660 fs/dcache.c:670 finish_dput+0xc9/0x480 fs/dcache.c:879 shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661 generic_shutdown_super+0x67/0x2c0 fs/super.c:621 kill_anon_super+0x3b/0x70 fs/super.c:1289 btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127 deactivate_locked_super+0xbc/0x130 fs/super.c:474 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318 task_work_run+0x1d4/0x260 kernel/task_work.c:233 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x694/0x22f0 kernel/exit.c:971 do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 __do_sys_exit_group kernel/exit.c:1123 [inline] __se_sys_exit_group kernel/exit.c:1121 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121 x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x44f639 Code: Unable to access opcode bytes at 0x44f60f. RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 </TASK> Since rescue mount options will mark the full fs read-only, there should be no new transaction triggered. But during unmount we will evict all inodes, which can trigger a new transaction, and triggers warnings on a heavily corrupted fs. [CAUSE] Btrfs allows new transaction even on a read-only fs, this is to allow log replay happen even on read-only mounts, just like what ext4/xfs do. However with rescue mount options, the fs is fully read-only and cannot be remounted read-write, thus in that case we should also reject any new transactions. [FIX] If we find the fs has rescue mount options, we should treat the fs as error, so that no new transaction can be started. CVE-2026-23214 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23214.html CVE-2026-23214 https://bugzilla.suse.com/1258464 SUSE Bug 1258464 In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the device_lock around the read operation. CVE-2026-23221 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23221.html CVE-2026-23221 https://bugzilla.suse.com/1258660 SUSE Bug 1258660 In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the correct object size. CVE-2026-23222 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23222.html CVE-2026-23222 https://bugzilla.suse.com/1258484 SUSE Bug 1258484 In the Linux kernel, the following vulnerability has been resolved: crypto: virtio - Add spinlock protection with virtqueue notification When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes will hangup and there is error reported like this: virtio_crypto virtio0: dataq.0:id 3 is not a head! It seems that the data virtqueue need protection when it is handled for virtio done notification. If the spinlock protection is added in virtcrypto_done_task(), openssl benchmark with multiple processes works well. CVE-2026-23229 SUSE Linux Micro 6.1:kernel-default-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-40.1.21.17 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-40.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-40.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620667-1/ https://www.suse.com/security/cve/CVE-2026-23229.html CVE-2026-23229 https://bugzilla.suse.com/1258429 SUSE Bug 1258429