Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0475-1 Final 1 1 2026-02-12T11:32:54Z current 2026-02-12T11:32:54Z 2026-02-12T11:32:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2022-50697: mrp: introduce active flags to prevent UAF when applicant uninit (bsc#1255594). - CVE-2025-38129: page_pool: fix inconsistency for page_pool_ring_lock() (bsc#1245723). - CVE-2025-40139: net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward (bsc#1253409). - CVE-2025-68312: usbnet: Prevents free active kevent (bsc#1255171). - CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256623). - CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set (bsc#1256612). - CVE-2025-71112: net: hns3: add VLAN id validation before using (bsc#1256726). - CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257236). - CVE-2026-23001: macvlan: Use 'hash' iterators to simplify code (bsc#1257232). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro-rancher/5.2:latest-2026-475,SUSE-2026-475,SUSE-SUSE-MicroOS-5.2-2026-475 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ Link for SUSE-SU-2026:0475-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024139.html E-Mail link for SUSE-SU-2026:0475-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223007 SUSE Bug 1223007 https://bugzilla.suse.com/1235905 SUSE Bug 1235905 https://bugzilla.suse.com/1236104 SUSE Bug 1236104 https://bugzilla.suse.com/1237885 SUSE Bug 1237885 https://bugzilla.suse.com/1237906 SUSE Bug 1237906 https://bugzilla.suse.com/1238414 SUSE Bug 1238414 https://bugzilla.suse.com/1238754 SUSE Bug 1238754 https://bugzilla.suse.com/1238763 SUSE Bug 1238763 https://bugzilla.suse.com/1240284 SUSE Bug 1240284 https://bugzilla.suse.com/1244904 SUSE Bug 1244904 https://bugzilla.suse.com/1245110 SUSE Bug 1245110 https://bugzilla.suse.com/1245723 SUSE Bug 1245723 https://bugzilla.suse.com/1248306 SUSE Bug 1248306 https://bugzilla.suse.com/1248377 SUSE Bug 1248377 https://bugzilla.suse.com/1249699 SUSE Bug 1249699 https://bugzilla.suse.com/1249827 SUSE Bug 1249827 https://bugzilla.suse.com/1251201 SUSE Bug 1251201 https://bugzilla.suse.com/1253409 SUSE Bug 1253409 https://bugzilla.suse.com/1255171 SUSE Bug 1255171 https://bugzilla.suse.com/1255594 SUSE Bug 1255594 https://bugzilla.suse.com/1256612 SUSE Bug 1256612 https://bugzilla.suse.com/1256623 SUSE Bug 1256623 https://bugzilla.suse.com/1256726 SUSE Bug 1256726 https://bugzilla.suse.com/1256792 SUSE Bug 1256792 https://bugzilla.suse.com/1257232 SUSE Bug 1257232 https://bugzilla.suse.com/1257236 SUSE Bug 1257236 https://www.suse.com/security/cve/CVE-2022-49604/ SUSE CVE CVE-2022-49604 page https://www.suse.com/security/cve/CVE-2022-49943/ SUSE CVE CVE-2022-49943 page https://www.suse.com/security/cve/CVE-2022-49980/ SUSE CVE CVE-2022-49980 page https://www.suse.com/security/cve/CVE-2022-50329/ SUSE CVE CVE-2022-50329 page https://www.suse.com/security/cve/CVE-2022-50488/ SUSE CVE CVE-2022-50488 page https://www.suse.com/security/cve/CVE-2022-50697/ SUSE CVE CVE-2022-50697 page https://www.suse.com/security/cve/CVE-2023-52923/ SUSE CVE CVE-2023-52923 page https://www.suse.com/security/cve/CVE-2023-52983/ SUSE CVE CVE-2023-52983 page https://www.suse.com/security/cve/CVE-2023-53178/ SUSE CVE CVE-2023-53178 page https://www.suse.com/security/cve/CVE-2024-26832/ SUSE CVE CVE-2024-26832 page https://www.suse.com/security/cve/CVE-2024-54031/ SUSE CVE CVE-2024-54031 page https://www.suse.com/security/cve/CVE-2025-21760/ SUSE CVE CVE-2025-21760 page https://www.suse.com/security/cve/CVE-2025-21764/ SUSE CVE CVE-2025-21764 page https://www.suse.com/security/cve/CVE-2025-21765/ SUSE CVE CVE-2025-21765 page https://www.suse.com/security/cve/CVE-2025-21766/ SUSE CVE CVE-2025-21766 page https://www.suse.com/security/cve/CVE-2025-38129/ SUSE CVE CVE-2025-38129 page https://www.suse.com/security/cve/CVE-2025-38563/ SUSE CVE CVE-2025-38563 page https://www.suse.com/security/cve/CVE-2025-38565/ SUSE CVE CVE-2025-38565 page https://www.suse.com/security/cve/CVE-2025-40139/ SUSE CVE CVE-2025-40139 page https://www.suse.com/security/cve/CVE-2025-68312/ SUSE CVE CVE-2025-68312 page https://www.suse.com/security/cve/CVE-2025-71085/ SUSE CVE CVE-2025-71085 page https://www.suse.com/security/cve/CVE-2025-71089/ SUSE CVE CVE-2025-71089 page https://www.suse.com/security/cve/CVE-2025-71112/ SUSE CVE CVE-2025-71112 page https://www.suse.com/security/cve/CVE-2026-22999/ SUSE CVE CVE-2026-22999 page https://www.suse.com/security/cve/CVE-2026-23001/ SUSE CVE CVE-2026-23001 page Container suse/sle-micro-rancher/5.2:latest SUSE Linux Enterprise Micro 5.2 kernel-default-5.3.18-150300.59.235.1 cluster-md-kmp-64kb-5.3.18-150300.59.235.1 cluster-md-kmp-default-5.3.18-150300.59.235.1 cluster-md-kmp-preempt-5.3.18-150300.59.235.1 dlm-kmp-64kb-5.3.18-150300.59.235.1 dlm-kmp-default-5.3.18-150300.59.235.1 dlm-kmp-preempt-5.3.18-150300.59.235.1 dtb-al-5.3.18-150300.59.235.1 dtb-allwinner-5.3.18-150300.59.235.1 dtb-altera-5.3.18-150300.59.235.1 dtb-amd-5.3.18-150300.59.235.1 dtb-amlogic-5.3.18-150300.59.235.1 dtb-apm-5.3.18-150300.59.235.1 dtb-arm-5.3.18-150300.59.235.1 dtb-broadcom-5.3.18-150300.59.235.1 dtb-cavium-5.3.18-150300.59.235.1 dtb-exynos-5.3.18-150300.59.235.1 dtb-freescale-5.3.18-150300.59.235.1 dtb-hisilicon-5.3.18-150300.59.235.1 dtb-lg-5.3.18-150300.59.235.1 dtb-marvell-5.3.18-150300.59.235.1 dtb-mediatek-5.3.18-150300.59.235.1 dtb-nvidia-5.3.18-150300.59.235.1 dtb-qcom-5.3.18-150300.59.235.1 dtb-renesas-5.3.18-150300.59.235.1 dtb-rockchip-5.3.18-150300.59.235.1 dtb-socionext-5.3.18-150300.59.235.1 dtb-sprd-5.3.18-150300.59.235.1 dtb-xilinx-5.3.18-150300.59.235.1 dtb-zte-5.3.18-150300.59.235.1 gfs2-kmp-64kb-5.3.18-150300.59.235.1 gfs2-kmp-default-5.3.18-150300.59.235.1 gfs2-kmp-preempt-5.3.18-150300.59.235.1 kernel-64kb-5.3.18-150300.59.235.1 kernel-64kb-devel-5.3.18-150300.59.235.1 kernel-64kb-extra-5.3.18-150300.59.235.1 kernel-64kb-optional-5.3.18-150300.59.235.1 kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 kernel-default-base-rebuild-5.3.18-150300.59.235.1.150300.18.140.1 kernel-default-devel-5.3.18-150300.59.235.1 kernel-default-extra-5.3.18-150300.59.235.1 kernel-default-livepatch-5.3.18-150300.59.235.1 kernel-default-livepatch-devel-5.3.18-150300.59.235.1 kernel-default-optional-5.3.18-150300.59.235.1 kernel-devel-5.3.18-150300.59.235.1 kernel-docs-5.3.18-150300.59.235.1 kernel-docs-html-5.3.18-150300.59.235.1 kernel-kvmsmall-5.3.18-150300.59.235.1 kernel-kvmsmall-devel-5.3.18-150300.59.235.1 kernel-macros-5.3.18-150300.59.235.1 kernel-obs-build-5.3.18-150300.59.235.1 kernel-obs-qa-5.3.18-150300.59.235.1 kernel-preempt-5.3.18-150300.59.235.1 kernel-preempt-devel-5.3.18-150300.59.235.1 kernel-preempt-extra-5.3.18-150300.59.235.1 kernel-preempt-optional-5.3.18-150300.59.235.1 kernel-source-5.3.18-150300.59.235.1 kernel-source-vanilla-5.3.18-150300.59.235.1 kernel-syms-5.3.18-150300.59.235.1 kernel-zfcpdump-5.3.18-150300.59.235.1 kselftests-kmp-64kb-5.3.18-150300.59.235.1 kselftests-kmp-default-5.3.18-150300.59.235.1 kselftests-kmp-preempt-5.3.18-150300.59.235.1 ocfs2-kmp-64kb-5.3.18-150300.59.235.1 ocfs2-kmp-default-5.3.18-150300.59.235.1 ocfs2-kmp-preempt-5.3.18-150300.59.235.1 reiserfs-kmp-64kb-5.3.18-150300.59.235.1 reiserfs-kmp-default-5.3.18-150300.59.235.1 reiserfs-kmp-preempt-5.3.18-150300.59.235.1 kernel-default-5.3.18-150300.59.235.1 as a component of Container suse/sle-micro-rancher/5.2:latest kernel-default-5.3.18-150300.59.235.1 as a component of SUSE Linux Enterprise Micro 5.2 kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 as a component of SUSE Linux Enterprise Micro 5.2 In the Linux kernel, the following vulnerability has been resolved: ip: Fix data-races around sysctl_ip_fwd_use_pmtu. While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. CVE-2022-49604 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-49604.html CVE-2022-49604 https://bugzilla.suse.com/1238414 SUSE Bug 1238414 In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix obscure lockdep violation for udc_mutex A recent commit expanding the scope of the udc_lock mutex in the gadget core managed to cause an obscure and slightly bizarre lockdep violation. In abbreviated form: ====================================================== WARNING: possible circular locking dependency detected 5.19.0-rc7+ #12510 Not tainted ------------------------------------------------------ udevadm/312 is trying to acquire lock: ffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0 but task is already holding lock: ffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (kn->active#4){++++}-{0:0}: lock_acquire+0x68/0x84 __kernfs_remove+0x268/0x380 kernfs_remove_by_name_ns+0x58/0xac sysfs_remove_file_ns+0x18/0x24 device_del+0x15c/0x440 -> #2 (device_links_lock){+.+.}-{3:3}: lock_acquire+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 device_link_remove+0x3c/0xa0 _regulator_put.part.0+0x168/0x190 regulator_put+0x3c/0x54 devm_regulator_release+0x14/0x20 -> #1 (regulator_list_mutex){+.+.}-{3:3}: lock_acquire+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 regulator_lock_dependent+0x54/0x284 regulator_enable+0x34/0x80 phy_power_on+0x24/0x130 __dwc2_lowlevel_hw_enable+0x100/0x130 dwc2_lowlevel_hw_enable+0x18/0x40 dwc2_hsotg_udc_start+0x6c/0x2f0 gadget_bind_driver+0x124/0x1f4 -> #0 (udc_lock){+.+.}-{3:3}: __lock_acquire+0x1298/0x20cc lock_acquire.part.0+0xe0/0x230 lock_acquire+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 usb_udc_uevent+0x54/0xe0 Evidently this was caused by the scope of udc_mutex being too large. The mutex is only meant to protect udc->driver along with a few other things. As far as I can tell, there's no reason for the mutex to be held while the gadget core calls a gadget driver's ->bind or ->unbind routine, or while a UDC is being started or stopped. (This accounts for link #1 in the chain above, where the mutex is held while the dwc2_hsotg_udc is started as part of driver probing.) Gadget drivers' ->disconnect callbacks are problematic. Even though usb_gadget_disconnect() will now acquire the udc_mutex, there's a window in usb_gadget_bind_driver() between the times when the mutex is released and the ->bind callback is invoked. If a disconnect occurred during that window, we could call the driver's ->disconnect routine before its ->bind routine. To prevent this from happening, it will be necessary to prevent a UDC from connecting while it has no gadget driver. This should be done already but it doesn't seem to be; currently usb_gadget_connect() has no check for this. Such a check will have to be added later. Some degree of mutual exclusion is required in soft_connect_store(), which can dereference udc->driver at arbitrary times since it is a sysfs callback. The solution here is to acquire the gadget's device lock rather than the udc_mutex. Since the driver core guarantees that the device lock is always held during driver binding and unbinding, this will make the accesses in soft_connect_store() mutually exclusive with any changes to udc->driver. Lastly, it turns out there is one place which should hold the udc_mutex but currently does not: The function_show() routine needs protection while it dereferences udc->driver. The missing lock and unlock calls are added. CVE-2022-49943 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-49943.html CVE-2022-49943 https://bugzilla.suse.com/1244904 SUSE Bug 1244904 In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free Read in usb_udc_uevent() The syzbot fuzzer found a race between uevent callbacks and gadget driver unregistration that can cause a use-after-free bug: --------------------------------------------------------------- BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 Read of size 8 at addr ffff888078ce2050 by task udevd/2968 CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 dev_uevent+0x290/0x770 drivers/base/core.c:2424 --------------------------------------------------------------- The bug occurs because usb_udc_uevent() dereferences udc->driver but does so without acquiring the udc_lock mutex, which protects this field. If the gadget driver is unbound from the udc concurrently with uevent processing, the driver structure may be accessed after it has been deallocated. To prevent the race, we make sure that the routine holds the mutex around the racing accesses. CVE-2022-49980 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-49980.html CVE-2022-49980 https://bugzilla.suse.com/1245110 SUSE Bug 1245110 https://bugzilla.suse.com/1245111 SUSE Bug 1245111 In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq(). CVE-2022-50329 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-50329.html CVE-2022-50329 https://bugzilla.suse.com/1249699 SUSE Bug 1249699 In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible uaf for 'bfqq->bic' Our test report a uaf for 'bfqq->bic' in 5.10: ================================================================== BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 Call Trace: bfq_select_queue+0x378/0xa30 bfq_dispatch_request+0xe8/0x130 blk_mq_do_dispatch_sched+0x62/0xb0 __blk_mq_sched_dispatch_requests+0x215/0x2a0 blk_mq_sched_dispatch_requests+0x8f/0xd0 __blk_mq_run_hw_queue+0x98/0x180 __blk_mq_delay_run_hw_queue+0x22b/0x240 blk_mq_run_hw_queue+0xe3/0x190 blk_mq_sched_insert_requests+0x107/0x200 blk_mq_flush_plug_list+0x26e/0x3c0 blk_finish_plug+0x63/0x90 __iomap_dio_rw+0x7b5/0x910 iomap_dio_rw+0x36/0x80 ext4_dio_read_iter+0x146/0x190 [ext4] ext4_file_read_iter+0x1e2/0x230 [ext4] new_sync_read+0x29f/0x400 vfs_read+0x24e/0x2d0 ksys_read+0xd5/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") changes that move process to a new cgroup will allocate a new bfqq to use, however, the old bfqq and new bfqq can point to the same bic: 1) Initial state, two process with io in the same cgroup. Process 1 Process 2 (BIC1) (BIC2) | ^ | ^ | | | | V | V | bfqq1 bfqq2 2) bfqq1 is merged to bfqq2. Process 1 Process 2 (BIC1) (BIC2) | | \-------------\| V bfqq1 bfqq2(coop) 3) Process 1 exit, then issue new io(denoce IOA) from Process 2. (BIC2) | ^ | | V | bfqq2(coop) 4) Before IOA is completed, move Process 2 to another cgroup and issue io. Process 2 (BIC2) ^ |\--------------\ | V bfqq2 bfqq3 Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed, and Process 2 exit, BIC2 will be freed while there is no guarantee that bfqq2 will be freed before BIC2. Fix the problem by clearing bfqq->bic while bfqq is detached from bic. CVE-2022-50488 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-50488.html CVE-2022-50488 https://bugzilla.suse.com/1251201 SUSE Bug 1251201 https://bugzilla.suse.com/1251204 SUSE Bug 1251204 In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flags to make sure the timer will not restart. CVE-2022-50697 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2022-50697.html CVE-2022-50697 https://bugzilla.suse.com/1255594 SUSE Bug 1255594 https://bugzilla.suse.com/1255595 SUSE Bug 1255595 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: adapt set backend to use GC transaction API Use the GC transaction API to replace the old and buggy gc API and the busy mark approach. No set elements are removed from async garbage collection anymore, instead the _DEAD bit is set on so the set element is not visible from lookup path anymore. Async GC enqueues transaction work that might be aborted and retried later. rbtree and pipapo set backends does not set on the _DEAD bit from the sync GC path since this runs in control plane path where mutex is held. In this case, set elements are deactivated, removed and then released via RCU callback, sync GC never fails. CVE-2023-52923 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2023-52923.html CVE-2023-52923 https://bugzilla.suse.com/1236104 SUSE Bug 1236104 In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in bic_set_bfqq() After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), bic->bfqq will be accessed in bic_set_bfqq(), however, in some context bic->bfqq will be freed, and bic_set_bfqq() is called with the freed bic->bfqq. Fix the problem by always freeing bfqq after bic_set_bfqq(). CVE-2023-52983 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2023-52983.html CVE-2023-52983 https://bugzilla.suse.com/1240284 SUSE Bug 1240284 In the Linux kernel, the following vulnerability has been resolved: mm: fix zswap writeback race condition The zswap writeback mechanism can cause a race condition resulting in memory corruption, where a swapped out page gets swapped in with data that was written to a different page. The race unfolds like this: 1. a page with data A and swap offset X is stored in zswap 2. page A is removed off the LRU by zpool driver for writeback in zswap-shrink work, data for A is mapped by zpool driver 3. user space program faults and invalidates page entry A, offset X is considered free 4. kswapd stores page B at offset X in zswap (zswap could also be full, if so, page B would then be IOed to X, then skip step 5.) 5. entry A is replaced by B in tree->rbroot, this doesn't affect the local reference held by zswap-shrink work 6. zswap-shrink work writes back A at X, and frees zswap entry A 7. swapin of slot X brings A in memory instead of B The fix: Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), zswap-shrink work just checks that the local zswap_entry reference is still the same as the one in the tree. If it's not the same it means that it's either been invalidated or replaced, in both cases the writeback is aborted because the local entry contains stale data. Reproducer: I originally found this by running `stress` overnight to validate my work on the zswap writeback mechanism, it manifested after hours on my test machine. The key to make it happen is having zswap writebacks, so whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do the trick. In order to reproduce this faster on a vm, I setup a system with ~100M of available memory and a 500M swap file, then running `stress --vm 1 --vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens of minutes. One can speed things up even more by swinging /sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 and 1; this makes it reproduce in tens of seconds. It's crucial to set `--vm-stride` to something other than 4096 otherwise `stress` won't realize that memory has been corrupted because all pages would have the same data. CVE-2023-53178 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2023-53178.html CVE-2023-53178 https://bugzilla.suse.com/1249827 SUSE Bug 1249827 In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix missing folio cleanup in writeback race path In zswap_writeback_entry(), after we get a folio from __read_swap_cache_async(), we grab the tree lock again to check that the swap entry was not invalidated and recycled. If it was, we delete the folio we just added to the swap cache and exit. However, __read_swap_cache_async() returns the folio locked when it is newly allocated, which is always true for this path, and the folio is ref'd. Make sure to unlock and put the folio before returning. This was discovered by code inspection, probably because this path handles a race condition that should not happen often, and the bug would not crash the system, it will only strand the folio indefinitely. CVE-2024-26832 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2024-26832.html CVE-2024-26832 https://bugzilla.suse.com/1223007 SUSE Bug 1223007 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c [ 72.131036] Mem abort info: [ 72.131213] ESR = 0x0000000096000021 [ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits [ 72.132209] SET = 0, FnV = 0 [ 72.133216] EA = 0, S1PTW = 0 [ 72.134080] FSC = 0x21: alignment fault [ 72.135593] Data abort info: [ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000 [ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, +pte=0068000102bb7707 [ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP [...] [ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2 [ 72.170509] Tainted: [E]=UNSIGNED_MODULE [ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023 [ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables] [ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables] [ 72.172546] sp : ffff800081f2bce0 [ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038 [ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78 [ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78 [ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000 [ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978 [ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0 [ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000 [ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000 [ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000 [ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004 [ 72.176207] Call trace: [ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P) [ 72.176653] process_one_work+0x178/0x3d0 [ 72.176831] worker_thread+0x200/0x3f0 [ 72.176995] kthread+0xe8/0xf8 [ 72.177130] ret_from_fork+0x10/0x20 [ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f) [ 72.177557] ---[ end trace 0000000000000000 ]--- Align struct nft_set_ext to word size to address this and documentation it. pahole reports that this increases the size of elements for rhash and pipapo in 8 bytes on x86_64. CVE-2024-54031 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2024-54031.html CVE-2024-54031 https://bugzilla.suse.com/1235905 SUSE Bug 1235905 In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. CVE-2025-21760 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-21760.html CVE-2025-21760 https://bugzilla.suse.com/1238763 SUSE Bug 1238763 In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. CVE-2025-21764 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-21764.html CVE-2025-21764 https://bugzilla.suse.com/1237885 SUSE Bug 1237885 In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear. CVE-2025-21765 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-21765.html CVE-2025-21765 https://bugzilla.suse.com/1237906 SUSE Bug 1237906 In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. CVE-2025-21766 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-21766.html CVE-2025-21766 https://bugzilla.suse.com/1238754 SUSE Bug 1238754 In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free spin_unlock(&r->producer_lock); //pool->ring uaf read recycle_stat_inc(pool, ring); page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled. recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning. CVE-2025-38129 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-38129.html CVE-2025-38129 https://bugzilla.suse.com/1245723 SUSE Bug 1245723 https://bugzilla.suse.com/1258139 SUSE Bug 1258139 In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct. Though perf does not prevent that a related mapping is split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are not longer fulfilling the offset and size checks. This leads to reference count leaks. As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented. Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL. That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping. CVE-2025-38563 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-38563.html CVE-2025-38563 https://bugzilla.suse.com/1248306 SUSE Bug 1248306 https://bugzilla.suse.com/1248307 SUSE Bug 1248307 In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this case, which causes another reference count leak. Return early on failure to prevent that. CVE-2025-38565 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-38565.html CVE-2025-38565 https://bugzilla.suse.com/1248377 SUSE Bug 1248377 In the Linux kernel, the following vulnerability has been resolved: smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() after kernel_getsockname(). Note that the returned value of smc_clc_prfx_set() is not used in the caller. While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there. CVE-2025-40139 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-40139.html CVE-2025-40139 https://bugzilla.suse.com/1253409 SUSE Bug 1253409 https://bugzilla.suse.com/1253411 SUSE Bug 1253411 In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev(). CVE-2025-68312 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-68312.html CVE-2025-68312 https://bugzilla.suse.com/1255171 SUSE Bug 1255171 In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); CVE-2025-71085 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-71085.html CVE-2025-71085 https://bugzilla.suse.com/1256623 SUSE Bug 1256623 https://bugzilla.suse.com/1256624 SUSE Bug 1256624 In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. CVE-2025-71089 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-71089.html CVE-2025-71089 https://bugzilla.suse.com/1256612 SUSE Bug 1256612 https://bugzilla.suse.com/1256615 SUSE Bug 1256615 In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. CVE-2025-71112 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2025-71112.html CVE-2025-71112 https://bugzilla.suse.com/1256726 SUSE Bug 1256726 https://bugzilla.suse.com/1256727 SUSE Bug 1256727 In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. CVE-2026-22999 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2026-22999.html CVE-2026-22999 https://bugzilla.suse.com/1257236 SUSE Bug 1257236 https://bugzilla.suse.com/1257238 SUSE Bug 1257238 In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u CVE-2026-23001 Container suse/sle-micro-rancher/5.2:latest:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-5.3.18-150300.59.235.1 SUSE Linux Enterprise Micro 5.2:kernel-default-base-5.3.18-150300.59.235.1.150300.18.140.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260475-1/ https://www.suse.com/security/cve/CVE-2026-23001.html CVE-2026-23001 https://bugzilla.suse.com/1257232 SUSE Bug 1257232 https://bugzilla.suse.com/1257233 SUSE Bug 1257233