SUSE-SU-2026:2500-1
Vulnerability from csaf_suse - Published: 2026-06-22 20:04 - Updated: 2026-06-22 20:04Summary
Security update for the Linux Kernel RT (Live Patch 8 for SUSE Linux Enterprise 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 8 for SUSE Linux Enterprise 15 SP7)
Description of the patch:
This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.28 fixes various security issues
The following security issues were fixed:
- CVE-2026-23278: netfilter: nf_tables: always walk all pending catchall elements (bsc#1260907).
- CVE-2026-31402: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (bsc#1261640).
- CVE-2026-31504: net: fix fanout UAF in packet_release() via NETDEV_UP race (bsc#1263088).
- CVE-2026-31694: fuse: reject oversized dirents in page cache (bsc#1263902).
- CVE-2026-43503: final dirty.frag related fixes (bsc#1266229).
- CVE-2026-46323: net: gro: don't merge zcopy skbs (bsc#1268282).
- net/sched: fix pedit partial COW leading to page cache (bsc#1267625).
Patchnames: SUSE-2026-2500,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2500
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.2 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
37 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 8 for SUSE Linux Enterprise 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.28 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2026-23278: netfilter: nf_tables: always walk all pending catchall elements (bsc#1260907).\n- CVE-2026-31402: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (bsc#1261640).\n- CVE-2026-31504: net: fix fanout UAF in packet_release() via NETDEV_UP race (bsc#1263088).\n- CVE-2026-31694: fuse: reject oversized dirents in page cache (bsc#1263902).\n- CVE-2026-43503: final dirty.frag related fixes (bsc#1266229).\n- CVE-2026-46323: net: gro: don\u0027t merge zcopy skbs (bsc#1268282).\n- net/sched: fix pedit partial COW leading to page cache (bsc#1267625).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-2500,SUSE-SLE-Module-Live-Patching-15-SP7-2026-2500",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2500-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:2500-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262500-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:2500-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047463.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260907",
"url": "https://bugzilla.suse.com/1260907"
},
{
"category": "self",
"summary": "SUSE Bug 1261640",
"url": "https://bugzilla.suse.com/1261640"
},
{
"category": "self",
"summary": "SUSE Bug 1263088",
"url": "https://bugzilla.suse.com/1263088"
},
{
"category": "self",
"summary": "SUSE Bug 1263902",
"url": "https://bugzilla.suse.com/1263902"
},
{
"category": "self",
"summary": "SUSE Bug 1266229",
"url": "https://bugzilla.suse.com/1266229"
},
{
"category": "self",
"summary": "SUSE Bug 1267625",
"url": "https://bugzilla.suse.com/1267625"
},
{
"category": "self",
"summary": "SUSE Bug 1268282",
"url": "https://bugzilla.suse.com/1268282"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-23278 page",
"url": "https://www.suse.com/security/cve/CVE-2026-23278/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-31402 page",
"url": "https://www.suse.com/security/cve/CVE-2026-31402/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-31504 page",
"url": "https://www.suse.com/security/cve/CVE-2026-31504/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-31694 page",
"url": "https://www.suse.com/security/cve/CVE-2026-31694/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-43503 page",
"url": "https://www.suse.com/security/cve/CVE-2026-43503/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46323 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46323/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 8 for SUSE Linux Enterprise 15 SP7)",
"tracking": {
"current_release_date": "2026-06-22T20:04:09Z",
"generator": {
"date": "2026-06-22T20:04:09Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:2500-1",
"initial_release_date": "2026-06-22T20:04:09Z",
"revision_history": [
{
"date": "2026-06-22T20:04:09Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-23278",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-23278"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: always walk all pending catchall elements\n\nDuring transaction processing we might have more than one catchall element:\n1 live catchall element and 1 pending element that is coming as part of the\nnew batch.\n\nIf the map holding the catchall elements is also going away, its\nrequired to toggle all catchall elements and not just the first viable\ncandidate.\n\nOtherwise, we get:\n WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404\n RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]\n [..]\n __nft_set_elem_destroy+0x106/0x380 [nf_tables]\n nf_tables_abort_release+0x348/0x8d0 [nf_tables]\n nf_tables_abort+0xcf2/0x3ac0 [nf_tables]\n nfnetlink_rcv_batch+0x9c9/0x20e0 [..]",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-23278",
"url": "https://www.suse.com/security/cve/CVE-2026-23278"
},
{
"category": "external",
"summary": "SUSE Bug 1259998 for CVE-2026-23278",
"url": "https://bugzilla.suse.com/1259998"
},
{
"category": "external",
"summary": "SUSE Bug 1260907 for CVE-2026-23278",
"url": "https://bugzilla.suse.com/1260907"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-23278"
},
{
"cve": "CVE-2026-31402",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-31402"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-31402",
"url": "https://www.suse.com/security/cve/CVE-2026-31402"
},
{
"category": "external",
"summary": "SUSE Bug 1261638 for CVE-2026-31402",
"url": "https://bugzilla.suse.com/1261638"
},
{
"category": "external",
"summary": "SUSE Bug 1261640 for CVE-2026-31402",
"url": "https://bugzilla.suse.com/1261640"
},
{
"category": "external",
"summary": "SUSE Bug 1265160 for CVE-2026-31402",
"url": "https://bugzilla.suse.com/1265160"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-31402"
},
{
"cve": "CVE-2026-31504",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-31504"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-31504",
"url": "https://www.suse.com/security/cve/CVE-2026-31504"
},
{
"category": "external",
"summary": "SUSE Bug 1263085 for CVE-2026-31504",
"url": "https://bugzilla.suse.com/1263085"
},
{
"category": "external",
"summary": "SUSE Bug 1263088 for CVE-2026-31504",
"url": "https://bugzilla.suse.com/1263088"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-31504"
},
{
"cve": "CVE-2026-31694",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-31694"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-31694",
"url": "https://www.suse.com/security/cve/CVE-2026-31694"
},
{
"category": "external",
"summary": "SUSE Bug 1263901 for CVE-2026-31694",
"url": "https://bugzilla.suse.com/1263901"
},
{
"category": "external",
"summary": "SUSE Bug 1263902 for CVE-2026-31694",
"url": "https://bugzilla.suse.com/1263902"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-31694"
},
{
"cve": "CVE-2026-43503",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-43503"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: propagate shared-frag marker through frag-transfer helpers\n\nTwo frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail\nto propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()-\u003eflags when\nmoving frags from source to destination. __pskb_copy_fclone() defers\nthe rest of the shinfo metadata to skb_copy_header() after copying\nfrag descriptors, but that helper only carries over gso_{size,segs,\ntype} and never touches skb_shinfo()-\u003eflags; skb_shift() moves frag\ndescriptors directly and leaves flags untouched. As a result, the\ndestination skb keeps a reference to the same externally-owned or\npage-cache-backed pages while reporting skb_has_shared_frag() as\nfalse.\n\nThe mismatch is harmful in any in-place writer that uses\nskb_has_shared_frag() to decide whether shared pages must be detoured\nthrough skb_cow_data(). ESP input is one such writer (esp4.c,\nesp6.c), and a single nft \u0027dup to \u003clocal\u003e\u0027 rule -- or any other\nnf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()\u0027d\nskb in esp_input() with the marker stripped, letting an unprivileged\nuser write into the page cache of a root-owned read-only file via\nauthencesn-ESN stray writes.\n\nSet SKBFL_SHARED_FRAG on the destination whenever frag descriptors\nwere actually moved from the source. skb_copy() and skb_copy_expand()\nshare skb_copy_header() too but linearize all paged data into freshly\nallocated head storage and emerge with nr_frags == 0, so\nskb_has_shared_frag() returns false on its own; they need no change.\n\nThe same omission exists in skb_gro_receive() and skb_gro_receive_list().\nThe former moves the incoming skb\u0027s frag descriptors into the\naccumulator\u0027s last sub-skb via two paths (a direct frag-move loop and\nthe head_frag + memcpy path); the latter chains the incoming skb whole\nonto p\u0027s frag_list. Downstream skb_segment() reads only\nskb_shinfo(p)-\u003eflags, and skb_segment_list() reuses each sub-skb\u0027s\nshinfo as the nskb -- both p and lp must carry the marker.\n\nThe same omission also exists in tcp_clone_payload(), which builds an\nMTU probe skb by moving frag descriptors from skbs on sk_write_queue\ninto a freshly allocated nskb. The helper falls into the same family\nand warrants the same fix for consistency; no TCP TX-side in-place\nwriter is currently known to reach a user page through this gap, but\na future consumer depending on the marker would regress silently.\n\nThe same omission exists in skb_segment(): the per-iteration flag\nmerge takes only head_skb\u0027s flag, and the inner switch that rebinds\nfrag_skb to list_skb on head_skb-frags exhaustion does not fold the\nnew frag_skb\u0027s flag into nskb. Fold frag_skb\u0027s flag at both sites\nso segments drawing frags from frag_list members carry the marker.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-43503",
"url": "https://www.suse.com/security/cve/CVE-2026-43503"
},
{
"category": "external",
"summary": "SUSE Bug 1265209 for CVE-2026-43503",
"url": "https://bugzilla.suse.com/1265209"
},
{
"category": "external",
"summary": "SUSE Bug 1265960 for CVE-2026-43503",
"url": "https://bugzilla.suse.com/1265960"
},
{
"category": "external",
"summary": "SUSE Bug 1266229 for CVE-2026-43503",
"url": "https://bugzilla.suse.com/1266229"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-43503"
},
{
"cve": "CVE-2026-46323",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46323"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46323",
"url": "https://www.suse.com/security/cve/CVE-2026-46323"
},
{
"category": "external",
"summary": "SUSE Bug 1268029 for CVE-2026-46323",
"url": "https://bugzilla.suse.com/1268029"
},
{
"category": "external",
"summary": "SUSE Bug 1268282 for CVE-2026-46323",
"url": "https://bugzilla.suse.com/1268282"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_28-rt-8-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T20:04:09Z",
"details": "important"
}
],
"title": "CVE-2026-46323"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…