OESA-2026-2871

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2871
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2871.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2871
Upstream
Published
2026-07-06T06:31:31Z
Modified
2026-07-06T06:45:18.965190270Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfconntrackexpect: use expect->helper

Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe.

Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nfconntrackexpect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.(CVE-2026-31414)

In the Linux kernel, the following vulnerability has been resolved:

xfs: avoid dereferencing log items after push callbacks

After xfsaildpushitem() calls ioppush(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after ioppush() returns.

Fix this by capturing the log item type, flags, and LSN before calling xfsaildpushitem(), and introducing a new xfsailpush_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.(CVE-2026-31453)

In the Linux kernel, the following vulnerability has been resolved:

xfs: stop reclaim before pushing AIL during unmount

The unmount sequence in xfsunmountflush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes.

Reorder xfsunmountflushinodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling mreclaimwork because the inodegc worker can re-queue mreclaimwork via xfsinodegcsetreclaimable.(CVE-2026-31455)

In the Linux kernel, the following vulnerability has been resolved:

fs/smb/client: fix out-of-bounds read in cifssanitizeprepath

When cifssanitizeprepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read.

This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.(CVE-2026-43112)

In the Linux kernel, the following vulnerability has been resolved:

xfs: remove xfsattrleaf_hasname

The calling convention of xfsattrleafhasname() is problematic, because it returns a NULL buffer when xfsattr3leafread fails, a valid buffer when xfsattr3leaflookupint returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfsattr3leaflookupint fails with other error values.

Fix this by simply open coding xfsattrleafhasname in the callers, so that the buffer release code is done by each caller of xfsattr3leafread.(CVE-2026-43153)

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix freemap adjustments when adding xattrs to leaf blocks

xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs:

ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfsattrleafentryt) + xfsattr3leafhdrsize(leaf));

Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes.

At the start of xfsattr3leafaddwork, the freemap looks like this:

i 0 base 448 size 0 rhs 448 count 46 i 1 base 388 size 132 rhs 448 count 46 i 2 base 2120 size 4 rhs 448 count 46 firstused = 520

where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent -- the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388!

By the end of the function, the freemap is in worse shape:

i 0 base 456 size 0 rhs 456 count 47 i 1 base 388 size 52 rhs 456 count 47 i 2 base 2120 size 4 rhs 456 count 47 firstused = 440

Important note: 388 is not aligned with the entries array element size of 8 bytes.

Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down.

How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with:

  • 376 bytes in use by the entries array
  • freemap[0] has [base = 376, size = 8]
  • freemap[1] has [base = 388, size = 1500]
  • the space between 376 and 388 is free, but the freemap stopped tracking that some time ago

If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space.

The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0.(CVE-2026-43158)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: require a full NFS mode SID before reading mode bits

parsedacl() treats an ACE SID matching sidunixNFSmode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits.

That assumes the ACE carries three subauthorities, but comparesids() only compares min(a, b) subauthorities. A malicious server can return an ACE with numsubauth = 2 and subauth[] = {88, 3}, which still matches sidunixNFSmode and then drives the sub_auth[2] read four bytes past the end of the ACE.

Require numsubauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing comparesids() semantics for the rest of cifsacl.(CVE-2026-43350)

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix undersized liclogroundoff values

If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors...

XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount

...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this...

meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0

...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport.(CVE-2026-43365)

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix race between ICReq handling and queue teardown

nvmettcphandle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.

If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before iowork drains the already buffered ICReq. In that case, nvmettcpschedulereleasequeue() sets queue->state to NVMETTCPQDISCONNECTING and drops the queue reference under state_lock.

If iowork later processes that ICReq, nvmettcphandleicreq() can still overwrite the state back to NVMETTCPQLIVE. That defeats the DISCONNECTING-state guard in nvmettcpschedulereleasequeue() and allows a later socket state change to re-enter teardown and issue a second krefput() on an already released queue.

The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMETTCPQ_FAILED, again reopening the window for a second teardown path to drop the queue reference.

Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.

Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmettcpsocketerror() setting rcvstate to NVMETTCPRECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.(CVE-2026-46135)

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tgptgpmembersshow()

targettgptgpmembersshow() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() curlen bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIGFORTIFYSOURCE is enabled, fortify_panic() will be triggered.

Commit 27e06650a5ea ("scsi: target: targetcoreconfigfs: Add length check to avoid buffer overflow") added the same bound to the targetlugpmembersshow() but the tgptgp variant was missed so resolve that here.(CVE-2026-46149)

In the Linux kernel, the following vulnerability has been resolved:

sctp: revalidate list cursor after sctpsendmsgtoasoc() in SCTPSENDALL

The SCTPSENDALL path in sctpsendmsg() iterates ep->asocs with listforeachentrysafe(), which caches the next entry in @tmp before the loop body runs. The body calls sctpsendmsgtoasoc(), which may drop the socket lock inside sctpwaitforsndbuf().

While the lock is dropped, another thread can SCTPSOCKOPTPEELOFF the association cached in @tmp, migrating it to a new endpoint via sctpsockmigrate() (listdelinit() + listaddtail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.

sctpwaitforsndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctpassociation *).

Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctpsendmsgtoasoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that listdel an association from ep->asocs are sctpassociationfree() (which sets asoc->base.dead) and sctpassocmigrate() (which changes asoc->base.sk), and sctpwaitfor_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.

The SCTPABORT path in sctpsendmsgchecksflags() returns 0 and the loop hits 'continue' before sctpsendmsgtoasoc() is ever called, so the @tmp cached by listforeachentry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.(CVE-2026-46227)

In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in sendsigio() and sendsigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPEPGID), both functions use readlock(&tasklistlock) to traverse the task list. However, they are frequently called from softirq context: - sendsigio() via inputinjectevent -> killfasync - sendsigurg() via tcpcheckurg -> sksendsigurg (NETRXSOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism: 1. CPU 0 (process context) holds readlock(&tasklistlock) in dowait(). 2. CPU 1 (process context) attempts writelock(&tasklistlock) in fork() or exit() and spins, which blocks all new readers. 3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). 4. The softirq calls sendsigurg() and attempts to acquire readlock(&tasklistlock), deadlocking because CPU 1 is waiting.

Since PID hashing and doeachpidtask() traversals are already RCU-protected, the readlock on tasklistlock is no longer strictly required for safe traversal. Fix this by replacing tasklistlock with rcureadlock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets.

Lockdep splat:

WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->eventlock --> &fowner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklistlock); localirqdisable(); lock(&dev->eventlock); lock(&fowner->lock); <Interrupt> lock(&dev->eventlock);

*** DEADLOCK ***(CVE-2026-52946)

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix deadlock in hidpostreset()

You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hidprereset() and hidpostreset() are in the block IO error handling. Hence no memory allocation used in them may do block IO because the IO can deadlock on the mutex held while resetting a device and calling the interface drivers. Use GFP_NOIO for all allocations in them.(CVE-2026-53037)

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Add missing chan lock in l2capecredreconf_rsp

l2capecredreconfrsp() calls l2capchandel() without holding l2capchanlock(). Every other l2capchan_del() caller in the file acquires the lock first. A remote BLE device can send a crafted L2CAP ECRED reconfiguration response to corrupt the channel list while another thread is iterating it.

Add l2capchanhold() and l2capchanlock() before l2capchandel(), and l2capchanunlock() and l2capchanput() after, matching the pattern used in l2capecredconnrsp() and l2capconn_del().(CVE-2026-53071)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.0-321.0.0.223.oe2203sp4

Ecosystem specific

{
    "aarch64": [
        "bpftool-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "bpftool-debuginfo-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-debuginfo-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-debugsource-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-devel-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-headers-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-source-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-tools-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "kernel-tools-devel-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "perf-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "perf-debuginfo-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "python3-perf-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-321.0.0.223.oe2203sp4.aarch64.rpm"
    ],
    "src": [
        "kernel-5.10.0-321.0.0.223.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "bpftool-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "bpftool-debuginfo-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-debuginfo-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-debugsource-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-devel-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-headers-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-source-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-tools-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "kernel-tools-devel-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "perf-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "perf-debuginfo-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "python3-perf-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-321.0.0.223.oe2203sp4.x86_64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2871.json"