{"schema_version":"1.7.2","id":"OESA-2026-1861","modified":"2026-04-11T14:03:59Z","published":"2026-04-11T14:03:59Z","upstream":["CVE-2026-23268","CVE-2026-23290","CVE-2026-23364","CVE-2026-23401"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix unprivileged local user can do privileged policy management\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check.(CVE-2026-23268)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: validate USB endpoints\n\nThe pegasus driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it.  
If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.(CVE-2026-23290)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Compare MACs in constant time\n\nTo prevent timing attacks, MAC comparisons need to be constant-time.\nReplace the memcmp() with the correct function, crypto_memneq().(CVE-2026-23364)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulated MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n  ------------[ cut here ]------------\n  is_shadow_present_pte(*sptep)\n  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n  Call Trace:\n   <TASK>\n   mmu_set_spte+0x237/0x440 [kvm]\n   ept_page_fault+0x535/0x7f0 [kvm]\n   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n   kvm_mmu_page_fault+0x8d/0x620 [kvm]\n   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0xb5/0x730\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  
RIP: 0033:0x47fa3f\n   </TASK>\n  ---[ end trace 0000000000000000 ]---(CVE-2026-23401)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-308.0.0.211.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","bpftool-debuginfo-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-debuginfo-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-debugsource-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-devel-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-headers-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-source-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-tools-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-tools-debuginfo-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","kernel-tools-devel-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","perf-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","perf-debuginfo-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","python3-perf-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm","python3-perf-debuginfo-5.10.0-308.0.0.211.oe2203sp4.aarch64.rpm"],"src":["kernel-5.10.0-308.0.0.211.oe2203sp4.src.rpm"],"x86_64":["bpftool-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","bpftool-debuginfo-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-debuginfo-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-debugsource-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-devel-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-headers-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-source-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-tools-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-tools-debuginfo-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","kernel-tools-devel-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","perf-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","perf-debuginfo-5.1
0.0-308.0.0.211.oe2203sp4.x86_64.rpm","python3-perf-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm","python3-perf-debuginfo-5.10.0-308.0.0.211.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1861"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23268"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23290"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23364"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23401"}],"database_specific":{"severity":"High"}}
