An update for kernel is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2419 Final 1.0 1.0 2026-05-22 Initial 2026-05-22 2026-05-22 openEuler SA Tool V1.0 2026-05-22 kernel security update An update for kernel is now available for openEuler-24.03-LTS-SP3 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.(CVE-2026-31393) In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it.(CVE-2026-31447) In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Check to ensure report responses match the request It is possible for a malicious (or clumsy) device to respond to a specific report's feature request using a completely different report ID. This can cause confusion in the HID core resulting in nasty side-effects such as OOB writes. Add a check to ensure that the report ID in the response, matches the one that was requested. If it doesn't, omit reporting the raw event and return early.(CVE-2026-43047) In the Linux kernel, the following vulnerability has been resolved: HID: core: Mitigate potential OOB by removing bogus memset() The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution. The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report. Suggested-by Benjamin Tissoires <(CVE-2026-43048) In the Linux kernel, there is a potential out-of-bounds access vulnerability in the ceph_handle_auth_reply() function of the libceph component. When processing messages of type CEPH_MSG_AUTH_REPLY, the value of the payload_len field is stored in a variable of type int. A value greater than INT_MAX leads to integer overflow and is interpreted as a negative value, which causes the pointer address to be decremented and subsequently accessed because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. The vulnerability is fixed by changing the data type of payload_len to u32 and introducing additional sanity checks.(CVE-2026-43407) An update for kernel is now available for openEuler-20.03-LTS-SP4/openEuler-24.03-LTS-SP3/openEuler-22.03-LTS-SP3/openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31393 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31447 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43047 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43048 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43407 https://nvd.nist.gov/vuln/detail/CVE-2026-31393 https://nvd.nist.gov/vuln/detail/CVE-2026-31447 https://nvd.nist.gov/vuln/detail/CVE-2026-43047 https://nvd.nist.gov/vuln/detail/CVE-2026-43048 https://nvd.nist.gov/vuln/detail/CVE-2026-43407 openEuler-24.03-LTS-SP3 bpftool-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm bpftool-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-debugsource-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-devel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-extra-modules-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-headers-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-source-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-tools-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-tools-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm kernel-tools-devel-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm perf-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm python3-perf-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm python3-perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.aarch64.rpm bpftool-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm bpftool-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-debugsource-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-devel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-extra-modules-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-headers-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-source-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-tools-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-tools-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-tools-devel-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm perf-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm python3-perf-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm python3-perf-debuginfo-6.6.0-145.3.12.142.oe2403sp3.x86_64.rpm kernel-6.6.0-145.3.12.142.oe2403sp3.src.rpm In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled. 2026-05-22 CVE-2026-31393 openEuler-24.03-LTS-SP3 High 8.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419 In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it. 2026-05-22 CVE-2026-31447 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H kernel security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419 In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Check to ensure report responses match the request It is possible for a malicious (or clumsy) device to respond to a specific report's feature request using a completely different report ID. This can cause confusion in the HID core resulting in nasty side-effects such as OOB writes. Add a check to ensure that the report ID in the response, matches the one that was requested. If it doesn't, omit reporting the raw event and return early. 2026-05-22 CVE-2026-43047 openEuler-24.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419 In the Linux kernel, the following vulnerability has been resolved: HID: core: Mitigate potential OOB by removing bogus memset() The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution. The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report. Suggested-by Benjamin Tissoires < 2026-05-22 CVE-2026-43048 openEuler-24.03-LTS-SP3 High 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H kernel security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419 In the Linux kernel, there is a potential out-of-bounds access vulnerability in the ceph_handle_auth_reply() function of the libceph component. When processing messages of type CEPH_MSG_AUTH_REPLY, the value of the payload_len field is stored in a variable of type int. A value greater than INT_MAX leads to integer overflow and is interpreted as a negative value, which causes the pointer address to be decremented and subsequently accessed because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. The vulnerability is fixed by changing the data type of payload_len to u32 and introducing additional sanity checks. 2026-05-22 CVE-2026-43407 openEuler-24.03-LTS-SP3 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H kernel security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2419