SUSE-SU-2026:1078-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261078-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:1078-1
Upstream
  • CVE-2026-25702
Published
2026-03-26T12:43:07Z
Modified
2026-03-27T08:48:31.810843Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2022-50453: gpiolib: cdev: fix NULL-pointer dereferences (bsc#1250887).
  • CVE-2023-53794: cifs: fix session state check in reconnect to avoid use-after-free issue (bsc#1255163).
  • CVE-2023-53802: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function (bsc#1254725).
  • CVE-2023-53808: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() (bsc#1254723).
  • CVE-2023-53816: drm/amdkfd: fix potential kgd_mem UAFs (bsc#1254958).
  • CVE-2023-53817: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() (bsc#1254992).
  • CVE-2023-53827: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (bsc#1255049).
  • CVE-2023-54184: scsi: target: iscsit: Free cmds before session free (bsc#1255991).
  • CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (bsc#1238917).
  • CVE-2025-22083: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (bsc#1241414).
  • CVE-2025-22125: md/raid1,raid10: do not ignore IO flags (bsc#1241596).
  • CVE-2025-39748: bpf: Forget ranges when refining tnum after JSET (bsc#1249587).
  • CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (bsc#1249998).
  • CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966).
  • CVE-2025-39998: scsi: target: target_core_configfs: Add length check to avoid buffer overflow (bsc#1252073).
  • CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911).
  • CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924).
  • CVE-2025-40219: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (bsc#1254518).
  • CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
  • CVE-2025-40242: gfs2: Fix unlikely race in gdlm_put_lock (bsc#1255075).
  • CVE-2025-40342: nvme-fc: use lock accessing port_state and rport state (bsc#1255274).
  • CVE-2025-68223: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock (bsc#1255357).
  • CVE-2025-68234: scsi: imm: Fix use-after-free bug caused by unfinished delayed work (bsc#1255416).
  • CVE-2025-68283: libceph: replace BUG_ON with bounds check for map->max_osd (bsc#1255379).
  • CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401).
  • CVE-2025-68287: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (bsc#1255152).
  • CVE-2025-68295: smb: client: fix memory leak in cifs_construct_tcon() (bsc#1255129).
  • CVE-2025-68724: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (bsc#1255550).
  • CVE-2025-68818: scsi: qla2xxx: Perform lockless command completion in abort path (bsc#1256675).
  • CVE-2025-71075: scsi: aic94xx: fix use-after-free in device removal path (bsc#1256629).
  • CVE-2025-71104: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (bsc#1256708).
  • CVE-2025-71113: crypto: af_alg - zero initialize memory allocated via sock_kmalloc (bsc#1256716).
  • CVE-2025-71116: libceph: make decode_pool() more resilient against corrupted osdmaps (bsc#1256744).
  • CVE-2025-71131: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (bsc#1256742).
  • CVE-2025-71183: btrfs: always detect conflicting inodes when logging inode refs (bsc#1257631).
  • CVE-2025-71184: btrfs: fix NULL dereference on root when tracing inode eviction (bsc#1257635).
  • CVE-2025-71194: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (bsc#1257687).
  • CVE-2025-71224: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined (bsc#1258824).
  • CVE-2025-71236: scsi: qla2xxx: Validate sp before freeing associated memory (bsc#1258442).
  • CVE-2026-22991: libceph: make free_choose_arg_map() resilient to partial allocation (bsc#1257220).
  • CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (bsc#1257209).
  • CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231).
  • CVE-2026-23054: net: hv_netvsc: reject RSS hash key programming without RX indirection table (bsc#1257732).
  • CVE-2026-23060: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (bsc#1257735).
  • CVE-2026-23064: net/sched: act_ife: avoid possible NULL deref (bsc#1257765).
  • CVE-2026-23069: vsock/virtio: fix potential underflow in virtio_transport_get_credit() (bsc#1257755).
  • CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749).
  • CVE-2026-23083: fou: Don't allow 0 for FOU_ATTR_IPPROTO (bsc#1257745).
  • CVE-2026-23084: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (bsc#1257830).
  • CVE-2026-23085: irqchip/gic-v3-its: Avoid truncating memory addresses (bsc#1257758).
  • CVE-2026-23086: vsock/virtio: cap TX credit to local buffer size (bsc#1257757).
  • CVE-2026-23089: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (bsc#1257790).
  • CVE-2026-23095: gue: Fix skb memleak with inner IP protocol 0 (bsc#1257808).
  • CVE-2026-23099: bonding: limit BOND_MODE_8023AD to Ethernet devices (bsc#1257816).
  • CVE-2026-23105: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (bsc#1257775).
  • CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (bsc#1258184).
  • CVE-2026-23125: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT (bsc#1258293).
  • CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377).
  • CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc#1258395).
  • CVE-2026-23198: KVM: Don't clobber irqfd routing type when deassigning irqfd (bsc#1258321).
  • CVE-2026-23204: net/sched: cls_u32: use skb_header_pointer_careful() (bsc#1258340).
  • CVE-2026-23208: ALSA: usb-audio: Prevent excessive number of frames (bsc#1258468).
  • CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518).
  • CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1258850).
  • CVE-2026-23269: apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1259857).

The following non-security bugs were fixed:

  • apparmor: Fix double free of ns_name in aa_replace_profiles() (bsc#1258849).
  • apparmor: fix memory leak in verify_header (bsc#1258849).
  • apparmor: fix unprivileged local user can do privileged policy management (bsc#1258849).
  • apparmor: fix: limit the number of levels of policy namespaces (bsc#1258849).
  • apparmor: replace recursive profile removal with iterative approach (bsc#1258849).
  • apparmor: validate DFA start states are in bounds in unpack_pdb (bsc#1258849).
  • drm/mgag200: fix mgag200_bmc_stop_scanout() (bsc#1258153 bsc#1258226)
  • md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes).
  • md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes).
  • net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes).
  • usb: storage: Fix memory leak in USB bulk transport (bsc#1257949).
Affected packages

SUSE:Linux Enterprise Live Patching 12 SP5
kernel-default

Package

Name
kernel-default
Purl
pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kgraft-patch-4_12_14-122_296-default": "1-8.3.1",
            "kernel-default-kgraft-devel": "4.12.14-122.296.1",
            "kernel-default-kgraft": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
kgraft-patch-SLE12-SP5_Update_78

Package

Name
kgraft-patch-SLE12-SP5_Update_78
Purl
pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_78&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1-8.3.1

Ecosystem specific

{
    "binaries": [
        {
            "kgraft-patch-4_12_14-122_296-default": "1-8.3.1",
            "kernel-default-kgraft-devel": "4.12.14-122.296.1",
            "kernel-default-kgraft": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
SUSE:Linux Enterprise Server 12 SP5-LTSS
kernel-default

Package

Name
kernel-default
Purl
pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-man": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
kernel-source

Package

Name
kernel-source
Purl
pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-man": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
kernel-syms

Package

Name
kernel-syms
Purl
pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-man": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5
kernel-default

Package

Name
kernel-default
Purl
pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
kernel-source

Package

Name
kernel-source
Purl
pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"
kernel-syms

Package

Name
kernel-syms
Purl
pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.12.14-122.296.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-default-base": "4.12.14-122.296.1",
            "kernel-default": "4.12.14-122.296.1",
            "gfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-syms": "4.12.14-122.296.1",
            "kernel-source": "4.12.14-122.296.1",
            "dlm-kmp-default": "4.12.14-122.296.1",
            "cluster-md-kmp-default": "4.12.14-122.296.1",
            "ocfs2-kmp-default": "4.12.14-122.296.1",
            "kernel-default-devel": "4.12.14-122.296.1",
            "kernel-devel": "4.12.14-122.296.1",
            "kernel-macros": "4.12.14-122.296.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1078-1.json"