OESA-2026-2929

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2929
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2929.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2929
Upstream
Published
2026-07-09T12:52:22Z
Modified
2026-07-09T13:00:11.761366679Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

ipc: limit next_id allocation to the valid ID range

The checkpoint/restore sysctl path can request the next SysV IPC id through ids->nextid. ipcidralloc() currently forwards that request to idralloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can spill beyond ipc_mni. The returned SysV IPC id still uses the normal index encoding, so later lookup and removal can target the wrong slot. This leaves the real IDR entry behind and breaks the IDR state for the object.

The bug is in ipcidralloc() in the checkpoint/restore path.

  1. ids->next_id is passed to:

    idralloc(&ids->ipcsidr, new, ipcidtoidx(next_id), 0, ...)

  2. The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idralloc() can spill past ipcmni and allocate an entry beyond the valid IPC id range.

  3. The new object id is still encoded with the narrower SysV IPC index width:

    new->id = (new->seq << ipcmni_seq_shift()) + idx
    
  4. Later removal goes through ipc_rmid(), which uses:

    ipcid_to_idx(ipcp->id)
    

    That truncates the real IDR index. An object actually stored at a high index can then be removed as if it lived at a low in-range index.

  5. For shared memory, shm_destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer.

  6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the checkpoint/restore path fails once the valid range is exhausted.(CVE-2026-52923)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix truncation for block sizes >= 4G

When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries.

When _rdmablockiternext() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation.

Use the right types to hold DMA addresses.(CVE-2026-53133)

In the Linux kernel, the following vulnerability has been resolved:

IB/isert: Reject login PDUs shorter than ISERHEADERSLEN

In drivers/infiniband/ulp/isert/ibisert.c, isertloginrecvdone() computes the login request payload length as wc->bytelen minus ISERHEADERSLEN with no lower bound, and loginreqlen is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISERHEADERSLEN (76) bytes, so the subtraction underflows and loginreq_len becomes negative.

isertrxloginreq() then reads that negative length back into a signed int, takes size = min(rxbuflen, MAXKEYVALUEPAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte sizet. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path.

Reject any login PDU shorter than ISERHEADERSLEN before the subtraction, mirroring the existing early return on a failed work completion, so loginreqlen can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISERRXPAYLOADSIZE, so the difference stays at or below MAXKEYVALUEPAIRS and the existing min() clamps it; only the missing lower bound needs to be added.(CVE-2026-53176)

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: kl5kusb105: fix bulk-out buffer overflow

klsi105preparewritebuffer() is called by the generic write path with the bulk-out buffer and its size (bulkoutsize, 64 bytes). It stores a two-byte length header at the start of the buffer and copies the payload from the write fifo starting at buf + KLSIHDRLEN, but passes the full buffer size as the number of bytes to copy:

count = kfifooutlocked(&port->writefifo, buf + KLSIHDR_LEN, size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting two bytes into the size-byte buffer, writing KLSIHDRLEN bytes past its end. Copy at most size - KLSIHDRLEN bytes instead, leaving room for the header as safe_serial already does.

Writing bulkoutsize or more bytes to the tty triggers a slab out-of-bounds write, observed with KASAN by emulating the device with dummy_hcd and raw-gadget:

BUG: KASAN: slab-out-of-bounds in kfifocopyout+0x83/0xc0 Write of size 64 at addr ffff888112c62202 by task python3 kfifocopyout klsi105preparewritebuffer [kl5kusb105] usbserialgenericwritestart [usbserial] Allocated by task 139: usbserialprobe [usbserial] The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.(CVE-2026-53194)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2607.1.0.0379.oe2003sp4

Ecosystem specific

{
    "x86_64": [
        "bpftool-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-debugsource-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-devel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-source-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-tools-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "python2-perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "python3-perf-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "bpftool-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-debugsource-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-devel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-source-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-tools-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "python2-perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "python3-perf-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2607.1.0.0379.oe2003sp4.aarch64.rpm"
    ],
    "src": [
        "kernel-4.19.90-2607.1.0.0379.oe2003sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2929.json"